README.md

Bug Bounty Beginner's Roadmap

Welcome to the Bug Bounty Beginner's Roadmap repository!

Introduction

Hi! I'm !!Ali Essam!!, a Security Engineer and part-time content creator. This repository is a collaborative effort to guide aspiring bug bounty hunters in kickstarting their careers. The bug bounty landscape has evolved significantly in recent years, demanding determination, consistency, and focus due to increased competition and automation.

What is a Bug?

A security bug or vulnerability is a flaw in software or hardware that, when exploited, compromises confidentiality, integrity, or availability.

What is Bug Bounty?

Bug bounties are reward programs offered by organizations to discover and report bugs in their software products. Rewards range from cash to premium subscriptions, gift vouchers, swag, and more, depending on the severity of the issue.

What to Learn?

Technical Skills

Computer Fundamentals

• CompTIA Training
• Computer Fundamentals YouTube Course
• Computer Fundamentals Tutorial
• Swayam Computer Fundamentals Course
• Complete Computer Basics Course (Udemy)
• Computer Fundamentals Courses (Coursera)

Computer Networking

• Computer Networking YouTube Playlist
• Computer Networking Crash Course (YouTube)
• Computer Networking Course (YouTube)
• Google IT Support Professional Certificate (Coursera)
• Introduction to Computer Networks (Udemy)

Operating Systems

• Operating Systems YouTube Course
• Operating System Fundamentals (YouTube)
• Operating System Power User (Coursera)
• Introduction to Operating Systems (Udacity)
• Linux Command Line Volume 1 (Udemy)

Command Line

• Windows:
  • Windows Command Line (YouTube Playlist)
  • More Windows Command Line Tutorials (YouTube)
  • Windows Command Line Basics (YouTube)
• Linux:
  • Linux Command Line Tutorials (YouTube Playlist)
  • Linux Terminal Tutorial (YouTube)
  • More Linux Command Line Tutorials (YouTube)
  • Linux Shell Scripting Tutorial (YouTube)
  • Linux Basics (YouTube)
  • Linux Command Line for Beginners (YouTube Playlist)

Programming

• C:
  • C Programming (YouTube)
  • Learn C Programming (YouTube)
  • C Programming Tutorial (Programiz)
• Python:
  • Python Tutorial (YouTube)
  • Python Crash Course (YouTube)
  • Learn Python for Beginners (YouTube)
• JavaScript:
  • JavaScript Tutorial (YouTube)
  • JavaScript Crash Course (YouTube)
  • Learn JavaScript for Beginners (YouTube)
• PHP:
  • PHP Tutorial (YouTube)
  • PHP Programming for Beginners (YouTube)
  • Learn PHP Programming (YouTube)

Where to Learn From?

Books

• Web Application Hacker's Handbook
• Real World Bug Hunting
• Bug Bounty Hunting Essentials
• Bug Bounty Bootcamp
• [Hands on Bug Hunting](https://www.amazon.in/Hands

-Bug-Hunting-Penetration-Testers-ebook/dp/B07DTF2VL6)

• Hacker's Playbook 3
• OWASP Testing Guide
• Web Hacking 101
• OWASP Mobile Testing Guide

Writeups

• Medium Cybersecurity Guide
• Infosec Writeups
• Hackerone Hacktivity
• Google VRP Writeups

Blogs and Articles

• Hacking Articles
• Vickie Li Blogs
• Bugcrowd Blogs
• Intigriti Blogs
• Portswigger Blogs

Forums

• Reddit Web Security
• Reddit Netsec
• Bugcrowd Discord

Official Websites

• OWASP
• PortSwigger
• Cloudflare

YouTube Channels

English

• Insider PHD
• Stok
• Bug Bounty Reports Explained
• Vickie Li
• Hacking Simplified
• Pwn function
• Farah Hawa
• XSSRat
• Zwink
• Live Overflow

Hindi

• Spin The Hack
• Pratik Dabhi

Join Twitter Today!

Connect with world-class security researchers and bug bounty hunters on Twitter. Stay updated on new issues, vulnerabilities, zero days, exploits, and join discussions about methodologies, resources, and experiences in the cybersecurity world!

PRACTICE! PRACTICE! and PRACTICE!

Capture The Flag (CTF)

• Hacker 101
• PicoCTF
• TryHackMe (premium/free)
• HackTheBox (premium)
• VulnHub
• HackThisSite
• CTFChallenge
• PentesterLab (premium)

Online Labs

• PortSwigger Web Security Academy
• OWASP Juice Shop
• XSSGame
• BugBountyHunter (premium)
• W3Challs

Offline Labs

• DVWA
• bWAPP
• Metasploitable2
• BugBountyHunter (premium)
• W3Challs

Bug Bounty Platforms

Crowdsourcing

• Bugcrowd
• Hackerone
• Intigriti
• YesWeHack
• OpenBugBounty

Individual Programs

• Meta
• Google

Bug Bounty Report Format

Title

• Craft a concise title that highlights the issue's functionality or protection bypass, including the impact if possible.

Description

• Provide detailed information about the vulnerability, including paths, endpoints, and error messages encountered during testing. Attach HTTP requests and vulnerable source code if applicable.

Steps to Reproduce

• Clearly outline the step-by-step process to recreate the bug. Ensure clarity to help app owners verify and understand the issue quickly.

Proof of Concept

• Showcase your work visually through demonstration videos or screenshots.

Impact

• Describe the real-world impact of the vulnerability, including potential damages. Align your assessment with the organization's business objectives.

Additional Tips

1. Don't rely on bug bounty as a full-time income source, especially in the beginning. Maintain multiple income streams.
2. Stay updated by following cybersecurity experts on Twitter, reading writeups and blogs, and constantly expanding your knowledge.
3. Use bug bounty as a means to enhance your skills, with money as a motivating factor.
4. Avoid over-reliance on automation. Develop a unique methodology and apply your skills creatively.
5. Focus on escalating the severity of bugs and maintain a broad perspective.
6. Understand that vulnerability rewards can vary based on risk rating, not just standard impact.
7. Stay connected to the bug bounty community, network, and contribute to your peers.
8. Always be helpful and share knowledge within the community.