Bug Bounty

Bug Bounty: A Practical Field Manual

Bug bounty rewards two things scanners cannot fake: creativity and persistence. This is the workflow we teach new hunters - how to pick targets, where the paying bugs hide, and how to write a report a triager can reproduce in sixty seconds.

UUnnbugify Security Team January 28, 2026 11 min read

Bug bounty is legalised, incentivised hacking: organisations invite researchers to find and responsibly disclose vulnerabilities in exchange for recognition and cash. Done well it is one of the fastest ways to sharpen offensive skills - and one of the most crowded, so signal beats noise every time.

The mindset

Scanners find what they are told to look for. Bounty hunters find what the developers assumed would never happen. The core question on every request is: "what did the developer trust that I control?" A hidden field, an ID in the URL, a header the backend reflects, a price sent from the client - every trusted-but-attacker-controlled value is a candidate bug.

Automation finds the obvious. Money is in the logic no scanner understands: your workflow, your permissions, your assumptions.

Scope and program choice

Read the policy before you touch a single request. It defines what is in scope, what is explicitly forbidden (automated scanning, DoS, social engineering), and what they will pay for. Then choose deliberately:

  • Wide scope (*.example.com) rewards strong recon - more assets, more forgotten corners.
  • New programs / new features have fewer hunters and fresher bugs.
  • Pick a niche - access control, SSRF, OAuth - and go deeper than the crowd.

The recon workflow

Great recon expands your attack surface before anyone else maps it:

# 1. Enumerate subdomains (passive + active)
subfinder -d example.com -all -silent | tee subs.txt

# 2. Probe for live hosts
cat subs.txt | httpx -silent -title -tech-detect -status-code

# 3. Pull historical URLs / parameters
gau example.com | tee urls.txt
cat urls.txt | grep '=' | qsreplace | tee params.txt

# 4. Screenshot everything for a fast visual triage
cat live.txt | gowitness scan file -f -

The goal is not a huge file of URLs - it is finding the one staging box, the one debug endpoint, or the one legacy API that the security team forgot existed.

Content discovery pays. Directory and parameter brute-forcing (ffuf, feroxbuster) on an unglamorous host uncovers the endpoints nobody thought were reachable. That is where the crowd is not looking.

High-signal bug classes

If you want bugs that get paid rather than closed as informational, prioritise impact:

  • Broken access control / IDOR - swap an ID, read another tenant's data. Consistently the highest-value, easiest-to-demonstrate class. See our IDOR deep dive.
  • Authentication & OAuth flaws - account takeover via password reset poisoning, JWT confusion, or redirect_uri abuse.
  • SSRF - especially in cloud, where it reaches the metadata service. See SSRF explained.
  • Injection - SQLi and XSS still land in less-tested corners.
  • Business-logic flaws - negative quantities, race conditions on coupons, skipping payment steps. Scanners never find these.

Writing the report

The report is the product. A triager may see hundreds a week; make yours trivially reproducible. Every strong report has:

  1. A one-line summary naming the vuln and the impact.
  2. Numbered reproduction steps a stranger can follow exactly.
  3. Proof - the request/response, a short video, or a screenshot.
  4. Impact in business terms: what data, whose account, how bad.
  5. A remediation suggestion. It builds trust and speeds the fix.

Never over-claim. Demonstrate impact with the minimum necessary proof. Read one record to prove an IDOR - do not dump the table. Escalation without permission ends bounties and starts lawsuits.

Ethics and staying legal

The invitation is your authorization - and it has edges. Stay strictly in scope, respect the "do not" list, never access more data than needed to prove the bug, and disclose only through the program. The difference between a researcher and a criminal is a policy and a boundary you chose not to cross.

Key takeaways

  • Hunt logic and trust boundaries, not scanner output.
  • Recon width plus one deep niche beats spraying payloads.
  • Access control, auth, and SSRF are the reliable earners.
  • The report is the deliverable - reproducible, honest, minimal proof.
Concerned about phishing and human risk?

SusPhisious runs continuous phishing simulations and security awareness training to measurably reduce employee risk across your organisation.

Learn about SusPhisious
U
Unnbugify Security Team
Offensive Security Research, Unnbugify Technologies

The Unnbugify team delivers VAPT, red teaming, and continuous security testing for organisations worldwide. We publish field notes from real engagements to help defenders stay ahead of attackers.