How to Get Started Learning Bug Bounty Hunting in 2024

A beginner-friendly guide to getting started with hunting for bugs and vulnerabilities in networked software systems.

What is Bug Bounty Hunting?

Securing individuals, organizations and the information technology we rely on has become an essential consideration in the modern age. Software has eaten the world, and many of the services people use for work, survival and entertainment now take the form of software systems such as websites and web applications. This has created a great need for organizations to employ teams to protect those systems. For large organizations with a substantial presence on the web, such as Tesla, Amazon or OpenAI, cybersecurity can be too big a task for any one team. In addition to employing their own internal cybersecurity teams, they also attempt to crowdsource security through bug bounty hunting programs (also referred to as bug bounty programs).

The Financial & Security Value of Bug Bounty Hunting

A bug bounty program offers financial payouts to ethical hackers and good-faith security researchers for discovering and reporting bugs and vulnerabilities in software. Bug bounty programs are typically hosted by cybersecurity companies like Hackerone and Bugcrowd, which provide companies with a centralized platform to list the requirements, scope, targets, rewards and rules of engagement. The cybersecurity companies hosting the bug bounty programs work hard to attract skilled ethical hackers to the programs on their respective platforms.

An ethical hacker creates an account on a bug bounty platform, searches for an interesting program, reads the scope and rules, then attempts to hack the systems in scope. If they find a bug or vulnerability, they write and submit a report. Let's say they were hacking on OpenAI's bug bounty program hosted on Bugcrowd. A member of OpenAI's security team would see an alert from Bugcrowd that a report has been submitted, then validate that the findings in the report are in fact legitimate. Once the report and the findings are verified, the ethical hacker is rewarded for their findings. The financial value of a finding is usually based on the criticality of the vulnerability and its potential impact. In 2022, Google paid out a staggering $605,000 to a security researcher under the handle gzobqq for a discovery affecting the Android operating system, and large payouts like this are becoming more common.

The term "crowdsourced security" is often used to describe the value bug bounty programs provide to organizations. Companies that offer bug bounty programs are, in theory, able to leverage the collective wisdom and skills of a global workforce of ethical hackers, which can result in much stronger security outcomes for their applications: they have effectively authorized anyone in the world to legally attempt to hack the application and provide hardening advice (within the bounds of the scope, of course).

Most Bug Bounty Programs are focused on Web Application Security

Most bug bounty programs you will see target web-based companies. Consider OpenAI's ChatGPT, for example. ChatGPT is a web application hosted in the cloud (specifically Azure), designed to be accessed and used in a web browser or through a mobile app. This screenshot is from OpenAI's bug bounty program hosted on Bugcrowd:

This is precisely where you can start your bug bounty hunting journey. Start by creating an account on sites like Hackerone and Bugcrowd, then read through the programs that pique your interest. You will notice common terminology, language and names of attacks, which can guide what you need to learn before you actually start hacking on these programs. In addition, you can use the following training/learning resources to practice hacking skills in an engaging and safe way.

Top Training/Learning Resources to Become an Ethical Hacker & Bug Bounty Hunter

1. Hack The Box Academy’s Bug Bounty Hunter Path

Hack The Box Academy partnered with Hackerone to create a dedicated learning pathway for anyone to learn web application penetration testing and bug bounty hunting in an engaging, realistic, interactive and hands-on manner. The pathway is designed to give learners the skill set to start conducting web application penetration tests and to help them pass a practical, hands-on certification exam called the Certified Bug Bounty Hunter:
2. Cyber Helmets Instructor-Led CBBH Course

Cyber Helmets is an authorized Cyber Security Training Provider that delivers instructor-led courses based on Hack The Box content. Because learning hacking skills is challenging, many learners prefer instructor-led experiences to give them an initial "speed boost" in acquiring foundational skills. Follow this link to see when the next Cyber Helmets CBBH live course will start.
3. Research Web Application Security & Bug Bounty Industry Trends

Cybersecurity companies that host bug bounty programs typically release free industry reports to inform researchers and companies about the latest trends. Two examples are:
Hackerone’s Hacker-Powered Security Report

Bugcrowd’s Vulnerability Trends Report

4. Follow Interesting & Informative Ethical Hacking Focused Creators

Below is a short list of great creators to get you started. Be sure to follow them on other socials as well:

Jason Haddix: https://www.youtube.com/c/jhaddix

Peter Yaworski: https://www.youtube.com/user/yaworsk1

NahamSec: https://www.youtube.com/@NahamSec

LiveOverflow: https://www.youtube.com/@LiveOverflow

Daniel Miessler: https://www.youtube.com/@unsupervised-learning

IppSec: https://www.youtube.com/@ippsec

0xdf: https://www.youtube.com/@0xdf

David Bombal: https://www.youtube.com/@davidbombal

If you don't already follow these creators, doing so will ensure you receive their content and discover others in the space you can learn from and draw inspiration from.
Get Started with Cyber Helmets

No matter what route you take to get started with web application security and bug bounty hunting, please know Cyber Helmets is here to support you in your journey. Be sure to regularly check for new blog posts and course start dates. We look forward to accelerating your learning process with our instructor-led approach.

We look forward to seeing you in class!

By Robert Theisen

Syllabus:

Intro to GCP

  • GCP Hierarchy
  • Google Workspace
  • gcloud config
  • Basic Hacking Techniques

Exploitation of GCP Services

  • IAM
  • KMS
  • Secrets
  • Storage
  • Compute Instances & VPC
  • Cloud Functions
  • CloudSQL
  • Pub/Sub
  • App Engine
  • Google APIs
  • Cloud Shell

Methodologies

  • White box

Security Services

  • GCP Logging & Monitoring

Syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals
  • Basic Hacking Techniques

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2 & VPC
  • Lambda
  • RDS
  • SQS
  • SNS

Methodologies

  • White box

Common Detection Mechanisms

  • CloudTrail

Syllabus:

Azure Basics

  • Azure Organization
  • Entra ID
  • Azure Tokens & APIs
  • Basic Enumeration Tools

Exploitation of Azure Services

  • Entra ID IAM
  • Azure IAM
  • Azure Applications
  • Azure Key Vault
  • Azure Virtual Machine & Networking
  • Storage Accounts
  • Azure File Share
  • Azure Table Storage
  • Azure SQL Database
  • Azure MySQL & PostgreSQL
  • Azure CosmosDB
  • Azure App Service
  • Basic Azure Research Technique
  • Azure Function Apps
  • Static Web Apps
  • Azure Container Registry
  • Azure Container Instances, Apps & Jobs
  • Azure Queue
  • Azure Service Bus
  • Azure Automation Account
  • Azure Logic Apps
  • Azure Cloud Shell
  • Azure Virtual Desktop

Methodologies

  • White box
  • Black box
  • Pivoting between Entra ID & AD

Common Detection Mechanisms

  • Azure & Entra ID Logging & Monitoring
  • Microsoft Sentinel
  • Microsoft Defender for Cloud & Microsoft Defender EASM

Fundamentals and Setup

  1. Overview of Android’s architecture and ecosystem dynamics.
  2. Exploration of security features native to Android using Java, Kotlin, C++, and Rust.
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How to secure and test cross-platform apps (e.g. React Native, Xamarin, etc.).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on Android.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including certificate validation and pinning.
  • Cryptography in Android apps
    a) Utilization of Android’s Crypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of biometrics.
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
  • Android IPC
    a) Detailed exploration of Intents, deep links, Binders/services, and broadcast receivers.
  • Webviews
    a) Identifying and resolving common security issues in Android Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an Android app.
    b) Identifying known vulnerabilities within these components.
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including App Transport Security issues & certificate pinning.
  • Cryptography in IOS apps
    a) Utilization of iOS’s CryptoKit & CommonCrypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys and leveraging the secure enclave.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of Local Authentication (biometrics).
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
    d) Using Device Check and App Attest
  • iOS IPC
    a) Detailed exploration of URL schemes, deep (universal) links, and extensions.
  • Webviews
    a) Identifying and resolving common security issues in iOS Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an iOS app.
    b) Identifying known vulnerabilities within these components.
  • Implementing App Integrity
    a) What to look for
    b) How to implement
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Fundamentals & Setup

  1. Overview of iOS’s architecture and ecosystem dynamics.
  2. Exploration of security features native to iOS using Objective-C, Swift, and C(++).
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How to secure and test cross-platform apps (e.g. React Native, Xamarin, etc.).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in iOS code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on iOS.