Bug Bounty: A Practical Field Manual
Bug bounty rewards two things scanners cannot fake: creativity and persistence. This is the workflow we teach new hunters - how to pick targets, where the paying bugs hide, and how to write a report a triager can reproduce in sixty seconds.
Bug bounty is legalised, incentivised hacking: organisations invite researchers to find and responsibly disclose vulnerabilities in exchange for recognition and cash. Done well it is one of the fastest ways to sharpen offensive skills - and one of the most crowded, so signal beats noise every time.
The mindset
Scanners find what they are told to look for. Bounty hunters find what the developers assumed would never happen. The core question on every request is: "what did the developer trust that I control?" A hidden field, an ID in the URL, a header the backend reflects, a price sent from the client - every trusted-but-attacker-controlled value is a candidate bug.
Automation finds the obvious. Money is in the logic no scanner understands: your workflow, your permissions, your assumptions.
Scope and program choice
Read the policy before you touch a single request. It defines what is in scope, what is explicitly forbidden (automated scanning, DoS, social engineering), and what they will pay for. Then choose deliberately:
- Wide scope (
*.example.com) rewards strong recon - more assets, more forgotten corners. - New programs / new features have fewer hunters and fresher bugs.
- Pick a niche - access control, SSRF, OAuth - and go deeper than the crowd.
The recon workflow
Great recon expands your attack surface before anyone else maps it:
# 1. Enumerate subdomains (passive + active)
subfinder -d example.com -all -silent | tee subs.txt
# 2. Probe for live hosts
cat subs.txt | httpx -silent -title -tech-detect -status-code
# 3. Pull historical URLs / parameters
gau example.com | tee urls.txt
cat urls.txt | grep '=' | qsreplace | tee params.txt
# 4. Screenshot everything for a fast visual triage
cat live.txt | gowitness scan file -f -The goal is not a huge file of URLs - it is finding the one staging box, the one debug endpoint, or the one legacy API that the security team forgot existed.
Content discovery pays. Directory and parameter brute-forcing (ffuf, feroxbuster) on an unglamorous host uncovers the endpoints nobody thought were reachable. That is where the crowd is not looking.
High-signal bug classes
If you want bugs that get paid rather than closed as informational, prioritise impact:
- Broken access control / IDOR - swap an ID, read another tenant's data. Consistently the highest-value, easiest-to-demonstrate class. See our IDOR deep dive.
- Authentication & OAuth flaws - account takeover via password reset poisoning, JWT confusion, or redirect_uri abuse.
- SSRF - especially in cloud, where it reaches the metadata service. See SSRF explained.
- Injection - SQLi and XSS still land in less-tested corners.
- Business-logic flaws - negative quantities, race conditions on coupons, skipping payment steps. Scanners never find these.
Writing the report
The report is the product. A triager may see hundreds a week; make yours trivially reproducible. Every strong report has:
- A one-line summary naming the vuln and the impact.
- Numbered reproduction steps a stranger can follow exactly.
- Proof - the request/response, a short video, or a screenshot.
- Impact in business terms: what data, whose account, how bad.
- A remediation suggestion. It builds trust and speeds the fix.
Never over-claim. Demonstrate impact with the minimum necessary proof. Read one record to prove an IDOR - do not dump the table. Escalation without permission ends bounties and starts lawsuits.
Ethics and staying legal
The invitation is your authorization - and it has edges. Stay strictly in scope, respect the "do not" list, never access more data than needed to prove the bug, and disclose only through the program. The difference between a researcher and a criminal is a policy and a boundary you chose not to cross.
Key takeaways
- Hunt logic and trust boundaries, not scanner output.
- Recon width plus one deep niche beats spraying payloads.
- Access control, auth, and SSRF are the reliable earners.
- The report is the deliverable - reproducible, honest, minimal proof.
SusPhisious runs continuous phishing simulations and security awareness training to measurably reduce employee risk across your organisation.