Lots of people are interested in bug bounty: how to start, where to learn, how much time it will take, and so on. If you are not familiar with bug bounty, think of it as freelance security testing: companies, from big names to small ones, pay hackers who find a security issue in their systems, whether that is an Android application, a server, a web application or something else, and all of it in a legal way. The hacker finds a vulnerability, reports the issue to the company and gets paid depending on the severity of the vulnerability. You just need to find a company which has a bug bounty programme and check what it allows you to test.
As a recent example, Google is ready to pay 1.5 million to anyone who can find a security issue in its Titan Security Chip. That should give you an idea of what bug bounty is.
How To Learn and Start Bug-Bounty
Most people who are interested in bug bounty think that it is all about web application attacks, but that is wrong. Bug bounty covers many different areas: mobile (Android, iOS), web applications, cloud, APIs, etc. Yes, most bug bounty work is on web applications, but even cloud infrastructure can be in scope.
So there is no specific way to start; you just need a solid knowledge of everything you are going to encounter.
The more languages you learn, the more it will benefit you:
Learn at least one scripting language: Python or Ruby (Python is a must)
Learn about different frameworks: Ruby on Rails, Django, Laravel, etc.
Some other languages for mobile and other tech: Java, HTML, CSS, Kotlin, C++, XML
Some technologies: cookies, Ajax
There are lots of different vulnerabilities, related to mobile, web applications and so on, and you should understand them very well, because finding vulnerabilities is the main thing you have to do. Examples are XSS, SQLi and RCE.
Once you start learning about vulnerabilities, it is good to practise them on local systems like DVWA or other deliberately vulnerable web applications (installed on your own computer for practice), or you can start with CTF challenges.
Server, Database, Linux and Networking
As you might already know, everything runs with the help of networks and servers. You should have at least some knowledge of all of these: how databases work with SQL (MySQL, MSSQL, Oracle, etc.), how networking and protocols work (IP addresses, DNS, HTTP, SMTP, etc.), and some knowledge of the server side along with familiarity with using Linux.
Once you have the knowledge, it is important to keep practising, both on real-world targets and with CTFs.
Where to Learn
Below I am including some links where you can learn these topics, both paid and free.
Bug bounty source
If you are learning about bug bounty, it is good to have a Twitter account, follow some great people and read PoCs from other bug bounty hunters to see how they found a specific bug. For bug bounty there are 2-4 books which everyone recommends; you must read them.
Now this is something different: lots of people are currently recommending PentesterLab, which teaches you web application attacks and some Android. You can check their reviews; so far I have talked with some people who are learning from PentesterLab and some bug bounty hunters, and they said PentesterLab is a good option.
It is a paid programme for web applications. They have a Black Friday offer until 2 December 2019, with only a few hours left as of writing this blog. It starts at $19.99 a month and $199.99 a year (without the offer), or $146.52 a year with the current discount. They have a 15-day money-back option. You can check out PentesterLab from here.
Bug bounty Guide from Stok ( must watch)
Some great Bug bounty hunters you should follow
Ben Sadeghipour (live bug bounty on Twitch and YouTube)