About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

4 Strategies for picking the perfect bounty hunting targets- 1244

Joran Honig Posted 2 Years Ago
  • Bug bounty sounds great! How do you pick a target? Since this is code you're going to be looking at for vulnerabilities and attempting to profit off of, you better make a good decision on this.
  • First, pick something that interests you. If you're spending a spare time looking for vulnerabilities in a complicated codebase, you better enjoy looking into it.
  • Second, pick something at your skill level. Looking at something that's too complicated will lead to frustration and lack of motivation. Something too easy will make you bored while looking for bugs. So, something just barely outside of comfort zone is perfect.
  • Third, something that is feasible to look at in the time frame you have. Looking at something crazily complex for a single day will likely result in failure. Do something where the complexity fits your timeframe.
  • Fourth, the desired income. If you're trying to make a job out of this, looking at programs with higher bug bounty amounts is important. View programs that only have larger payouts.
  • Especially with companies with larger payouts, watch out for scams. Many projects will immediately downgrade critical bugs to lows or out of scope. How do we find these scammers?
    • Payout well for medium and lows. If they only payout for critical, they may downgrade to a lower severity to avoid paying out.
    • Public exposure. Many programs will have information about money paid, response time and other features. Ensure that this is done well.
    • Submit quickly. If you find a medium or low that is adequently handled, they will likely pay out properly for more impactful bugs. If they squash your bug, you should just move on to something else.
  • Now, the most important part: fewer eyes. Bug bounty rewards people who are first or with niche knowledge. So, keep an eye out for projects with new bounty programs or codebases without an audit. Additionally, things that are extremely complex or niche are likely to have people really understanding what's going on with it.
  • Overall, a good article on how to pick a good project to hack on. I particularly enjoyed the advice on figuring out if the program is a scam or not.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed