Learn
Guides, tools, and references for bug bounty hunters and security researchers.
Bug bounties in a nutshell
Every piece of software has bugs. Some of them are security bugs, and those can leak user data, take services offline, or hand attackers the keys to systems they shouldn't be in.
Most companies would much rather hear about a bug from you than from a breach notification, which is what a bug bounty or vulnerability disclosure program is for: a public, legal channel to report what you find. Depending on the company and the severity, you might walk away with a thank-you, some swag, a CVE, or a real paycheck.
Bug Bounties is a directory of those programs. This page is everything else: tools, hand-picked references, and writeups to help you find the bugs in the first place, then report them well enough to get paid.
Web OSINT Toolbox
Free, third-party tools for investigating any web target.
- Hudson Rock Identify infostealer infection data related to domains and emails
- SSL Labs Test Analyzes the SSL configuration of a server and grades it
- VirusTotal Checks a URL against multiple antivirus engines
- Shodan Search engine for Internet-connected devices
- Archive View previous versions of a site via the Internet Archive
- URLScan Scans a URL and provides information about the page
- Sucuri SiteCheck Checks a URL against blacklists and known threats
- DomainTools Run a WHOIS lookup on a domain
Learning resources
Hand-picked courses, labs, and references for learning bug bounty hunting.
- PortSwigger Web Security Academy Free, interactive labs and learning paths covering every common web vulnerability class
- Hacker101 HackerOne's free training videos and CTF challenges, aimed squarely at bug bounty hunters
- Bugcrowd University Bug hunting methodology modules and webinars from the Bugcrowd team
- Hack The Box Academy Structured offensive security courses with hands-on labs and certifications
- TryHackMe Gamified rooms and guided learning paths covering everything from beginner to advanced topics
- PentesterLab Hands-on exercises focused on real-world web vulnerabilities and CVE recreations
- pwn.college Free, university-grade binary exploitation and systems security course from ASU, with hands-on dojos
- picoCTF Carnegie Mellon's beginner CTF platform, free to play year round with a deep archive of past challenges
Researchers to follow
Widely respected security researchers whose blogs are worth keeping an eye on.
- Bruce Schneier Schneier on Security Cryptographer, author, and one of the longest-running voices in security policy and applied cryptography
- Brian Krebs Krebs on Security Investigative cybercrime journalist, consistently first to break major breach and threat actor stories
- Troy Hunt troyhunt.com Founder of Have I Been Pwned, writes prolifically on web security, breach disclosure, and password hygiene
- Matthew Green A Few Thoughts on Cryptographic Engineering Cryptography professor at Johns Hopkins, known for accessible deep dives on real-world crypto failures
- Filippo Valsorda filippo.io Cryptographer and former Go security lead, writes about applied cryptography and protocol design
- Daniel Miessler danielmiessler.com Long-running security blog and Unsupervised Learning newsletter covering offensive security and AI security
- Marcus Hutchins MalwareTech Reverse engineer best known for stopping WannaCry, writes detailed malware analysis and exploitation posts
- Tavis Ormandy lock.cmpxchg8b.com Google Project Zero researcher with a track record of finding critical bugs in widely deployed software
Guides
In-depth articles on specific bug bounty topics, from recon to reporting.
- AI and LLM Security Testing for Bug Bounties How to hunt for vulnerabilities in AI-powered features - prompt injection, training data extraction, and model abuse - as platforms add AI to their bounty scopes.
- API Security Testing for Bug Bounties: A Practical Guide How to find vulnerabilities in REST and GraphQL APIs during bounty hunting, from authentication flaws to business logic bugs that scanners miss.
- Using Automated Scanning in Bug Bounties Without Getting Banned When and how to use scanners like Nuclei and Burp Scanner in bounty programs - rate limiting, scope compliance, and finding what scanners miss.
- Bug Bounty Economics: What Hunters Actually Earn (With Real Data) Median payouts by severity and platform, time-to-bounty benchmarks, and an honest look at the economics of full-time vs. part-time bounty hunting.
- Bug Bounty Income and Taxes: What Researchers Need to Know How bug bounty earnings are taxed in the US, UK, and EU, including self-employment obligations, platform tax forms, and record-keeping requirements.
- Bug Bounty Legal Guide: CFAA, Safe Harbor, and What Actually Protects You The real legal landscape for security researchers - why the DOJ policy is weaker than you think, what safe harbor clauses actually cover, and how laws differ across jurisdictions.
- Recon Methodology for Bug Bounties: Finding Attack Surface Others Miss A structured reconnaissance workflow for bounty programs, covering subdomain enumeration, technology fingerprinting, and hidden endpoint discovery.
- Bug Bounty Toolkit: Essential Tools and How to Set Them Up The actual tools working bounty hunters use daily, with setup instructions and configuration tips - not just a list of names.
- Building Your Bug Bounty Reputation: From Unknown to Invited How platform reputation systems work, how to get private invitations, and how to build a public profile that opens doors - based on how top hunters actually did it.
- How to Choose Your First Bug Bounty Program A practical framework for picking a program that matches your skill level, with criteria that actually matter and common traps to avoid.
- Coordinated Vulnerability Disclosure: A Complete Guide for Researchers How coordinated disclosure works in practice - timelines, communication templates, escalation paths, and what to do when vendors go silent.
- The CVE Program Explained: How to Get a CVE for Your Finding How the CVE system works, how to request a CVE ID, what the 2025 funding crisis means for researchers, and when getting a CVE matters for your career.
- Finding XSS in Bug Bounties: Beyond alert(1) Practical techniques for finding cross-site scripting in modern web apps where basic payloads get filtered, including DOM XSS, mutation XSS, and bypassing WAFs.
- HackerOne vs. Bugcrowd vs. Intigriti: Platform Differences That Matter A practical comparison of the three major bounty platforms - triage processes, payout mechanics, reputation systems, and which works best for different hunting styles.
- Handling Duplicates, Rejections, and Disputes in Bug Bounties What to do when your report is marked duplicate, rejected as not applicable, or lowballed on severity - with specific strategies for each platform's mediation process.
- Hunting Authentication Vulnerabilities in Bug Bounty Programs Systematic methods for finding authentication flaws - password reset poisoning, OAuth misconfigurations, 2FA bypasses, and session management bugs.
- Hunting IDOR and Broken Access Control Bugs in Bounty Programs How to systematically find insecure direct object references and access control flaws - the most rewarded vulnerability class on major platforms.
- Mobile App Security Testing for Bug Bounties How to test iOS and Android apps in a bounty context - from setting up a proxy to finding hardcoded secrets and insecure data storage.
- OWASP Top 10 2025 for Bug Bounty Hunters: What Changed and Where to Hunt A bounty hunter's interpretation of the OWASP Top 10 2025 - what moved, what is new, and how each category translates into actual findings you can report.
- Race Conditions and Business Logic Bugs in Bug Bounties How to find race conditions, time-of-check-time-of-use flaws, and business logic vulnerabilities that automated scanners cannot detect.
- Reading Source Code to Find Vulnerabilities: A Bounty Hunter's Approach How to audit source code efficiently in a bounty context - finding security-relevant patterns without reading every line.
- Security Misconfiguration Hunting: OWASP #2 and the Easiest Wins in Bug Bounties How to find security misconfigurations that programs actually pay for - default credentials, exposed admin panels, verbose error messages, and cloud storage misconfigurations.
- security.txt: How to Use It as a Researcher (and Why 78% of Companies Still Don't Have One) How RFC 9116 security.txt works, how to find and parse it for bounty hunting, and what to do when a target does not have one.
- SSRF Hunting in Bug Bounties: Techniques and Escalation How to find and escalate server-side request forgery vulnerabilities in bounty targets, including blind SSRF detection and cloud metadata exploitation.
- Supply Chain Vulnerabilities: The New #3 on OWASP Top 10 Supply Chain Failures debuted at #3 in OWASP Top 10 2025 with the highest exploit/impact score. Here is how bounty hunters can find dependency confusion, typosquatting, and CI/CD pipeline flaws.
- CVSS Scoring for Bounty Hunters: How Severity Ratings Affect Payouts How CVSS actually works, how programs use (and misuse) it to set payouts, and how to score your findings accurately to avoid disputes.
- Writing Bug Bounty Writeups That Get Noticed How to turn disclosed findings into published writeups that build your reputation, attract private invitations, and help the community learn.
- Writing Your First Bug Bounty Report Step-by-step guide to writing a clear, effective vulnerability report that gets triaged quickly.
Cool stuff
Cheat sheets, payload repos, wordlists, and reference databases you'll use on every engagement.
- HackTricks Carlos Polop's pentesting wiki, the closest thing to a single reference for web, cloud, and AD attack techniques
- PayloadsAllTheThings The de facto reference for web attack payloads, bypasses, and exploitation tricks, organized by bug class
- SecLists The standard wordlist collection for content discovery, fuzzing, brute forcing, and password attacks
- GTFOBins Curated index of Unix binaries that can be abused for privilege escalation and shell escapes
- LOLBAS The Windows equivalent of GTFOBins, mapping built-in binaries to their offensive uses
- OWASP Cheat Sheet Series Concise, scannable reference cards for both attackers and defenders, covering specific vulnerability classes
- OWASP Top 10 The canonical reference list of the most critical web application security risks, with examples and prevention notes
- CWE Top 25 MITRE's annual ranking of the most dangerous software weaknesses, useful as a lookup index