Researcher Resources - How to become a Bug Bounty Hunter

Hi:] Im new. I’m looking for some new friends or a mentor.
That would be awesome.

Such a great resource. I`m at a right place to learn and share my knowledge.

Adrian Gates
Tech Consultant - CloudDesktopOnline

csrf (bug) you can google it for better understanding.

Is there any references for API Security research.

@TINU-2000 - Yep! Here are a few from our forum:

Thanks a million @samhouston for this wonderful Guideway!!!



I am a beginner here.

I have a question about viewing reports with links in them.

Do you have to open a new window to browse safely or a whole new computer to take the beatings?

i did not understand your question? you are talking about hackerone publicaly disclosed reports and links within them? if you are talking about links within them then there is no need to worry about opening those links (if you’re aware of phishing and stuff) but look out before downloading anything from those links.


Yes. I found this caution at hackerone.

If I wanted to download anything from those links, would you recommend using a virtual machine?

Hello @KJT88, for example, you’re reading a report and there is a link that is external to Hackerone? If this is the case, Hackerone warns of the redirect in case of phishing. It’s just like every other link, i.e., if you don’t trust it, don’t follow it. Many of the links are to external blogs or other resources where the hacker has written a report outside of Hackerone as well. Generally, they are safe; however, complacency kills :wink:



Yes. I would like to err on the side of caution but I guess I should do a bit more research before taking the plunge.

Only thing that stops me is possible malware or viruses.

I heard you can just open a new account in windows (I have windows :slightly_smiling_face:), and use a firefox browser.

But I guess worse case may be just corrupting data on a browser, as I’ve heard.

yes the hackerone warn us and there is no security issue in following those links because those are for external resources/blogs but you can use VM to avoid such problems.


Alright, sounds good.

Thank you for your insight.

Hi Guys,

Im new to this group and hope every one will support me to get success

Hello BugCrowd community,
Thanks for the invite. I’ve been studying a lot of security and hacking vulnerabilities, and I think it’s time to prove myself and continue to learn new things. Hope to make a good network with people and learn even more.

One advice that I can share with you is use a online browsing machine. Search for them on google, and paste the link on those machines to see if they really link to what it is supposed to. Another trick is to inspect the link, with your own browser for example, and look on the source code. Always be careful with external links and redirections. Hope this works for you ! :wink:

1 Like


I have question related what kind of issues should be reported.
some application did not follow security standard that issues could also be reported or not. It has minimal impact but as per security standard it should not follow in web application.

Please suggest.


Hello @Dr3amg1rl, that’s a great question! My two cents would be:

  1. Read other reports (HackerOne’s hacktivity section is great for this).
  2. Related to point 1, read other hacker’s reports. I know that may seem exactly the same, but if user: “leet_hacker” reported something you found interesting, check to see what other types of bugs they’re reporting. Many, many times I’ve done this and thought, “dang, that’s an issue? Didn’t know I could report that.”
  3. Keep in mind of the scope. There will be specific bugs that are considered Out-of-Scope for one company, but may not be for another. Perfect example, a very low-hanging fruit that I see a lot are missing SPF records. I’ve never personally reported on this because I’ve seen these get closed out as N/A and I don’t want to take a hit on my reputation as a result.

There are companies that do accept “missing security standards” or “not following best practices” as you mentioned; however, you have to tread with caution as, like I mentioned in point 3, these can be closed very quickly as N/A and you’ll lose reputation as a result. Again, points back to their policy because they may only want to see reports on qualifying vulnerabilities (XSS, CSRF, SQLi, SSRF, RCE, etc.). Hope that helps and happy hunting, friend!

@samhouston Very nice post and its very supportive. It made me feel like i am in right place. :innocent: