Bug Bounty Hunting Tips #4 — Develop a Process and Follow It

Craig Hays
BugBountyHunting
Published in
5 min readMar 12, 2020

--

The easiest way to fail as a bug bounty hunter is to search at random without a methodology or process to follow. Here’s what to consider.

Photo by Mark Fletcher-Brown on Unsplash

It is really easy to jump straight in and wildly throw payloads at a system when you first approach a target. Admittedly, it can feel great for the first hour or so but after that, you can start to become bored and frustrated if you don’t find anything. And without a structured bug bounty hunting process, you probably won’t find anything new.

It is important to develop and follow your own testing process in order to test thoroughly and professionally. When you first start out your process will be weak and immature but you’ll develop and improve upon it the more bug bounty hunting you do. If you do this consciously you’ll have greater results.

Choose Your Approach

The high-level approach you’ll take to bug bounty hunting is entirely up to you. Some people have excellent success by picking out a few specific vulnerabilities and testing them against everything in scope for every company running a bug bounty program. In the video below, Mike Baker discusses his approach using automation to test thousands of servers for a handful of known vulnerabilities and making a lot of money doing it.

--

--

Craig Hays
BugBountyHunting

FinTech startup to £105 million acquisition. Now I make stuff and help people with cyber security. https://craighays.com