Researcher Resources - How to become a Bug Bounty Hunter

Yes, HackerOne warns us, and there is no security issue in following those links because those are for external resources/blogs, but you can use a VM to avoid such problems.

@R29k

Alright, sounds good.

Thank you for your insight.

Hi Guys,

I'm new to this group and hope everyone will support me in succeeding
:smiley:

Hello BugCrowd community,
Thanks for the invite. I’ve been studying a lot of security and hacking vulnerabilities, and I think it’s time to prove myself and continue to learn new things. Hope to make a good network with people and learn even more.

One piece of advice that I can share with you is to use an online browsing machine. Search for them on Google, and paste the link into those machines to see if they really link to what they are supposed to. Another trick is to inspect the link, with your own browser for example, and look at the source code. Always be careful with external links and redirections. Hope this works for you! :wink:

1 Like

Hi,

I have a question related to what kind of issues should be reported.
If some application did not follow a security standard, could that issue also be reported or not? It has minimal impact, but as per the security standard it should not be followed in a web application.

Please suggest.

Regards
Ragini

1 Like

Hello @Dr3amg1rl, that’s a great question! My two cents would be:

  1. Read other reports (HackerOne’s hacktivity section is great for this).
  2. Related to point 1, read other hackers' reports. I know that may seem exactly the same, but if user "leet_hacker" reported something you found interesting, check to see what other types of bugs they're reporting. Many, many times I've done this and thought, "dang, that's an issue? Didn't know I could report that."
  3. Keep the scope in mind. There will be specific bugs that are considered Out-of-Scope for one company, but may not be for another. Perfect example: a very low-hanging fruit that I see a lot is missing SPF records. I've never personally reported on this because I've seen these get closed out as N/A and I don't want to take a hit on my reputation as a result.

There are companies that do accept “missing security standards” or “not following best practices” as you mentioned; however, you have to tread with caution as, like I mentioned in point 3, these can be closed very quickly as N/A and you’ll lose reputation as a result. Again, points back to their policy because they may only want to see reports on qualifying vulnerabilities (XSS, CSRF, SQLi, SSRF, RCE, etc.). Hope that helps and happy hunting, friend!

3 Likes
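Point 3 above uses missing SPF records as the classic low-hanging finding that programs tend to close as N/A. As an added example that is not part of this thread, here is a small offline check that a triager (or a hunter about to submit) could run over a domain's TXT records to separate "missing" from "present but weak"; the domain names and records in SAMPLES are constructed.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 s4.6.4 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """Strip the qualifier and any argument: '-include:x.example' -> 'include'."""
    return re.split(r"[:/=]", re.sub(r"^[+\-~?]", "", term), maxsplit=1)[0].lower()

def assess_spf(txt_records):
    """Classify SPF posture from a domain's TXT records: missing|invalid|weak|softfail|ok."""
    records = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return {"status": "missing", "findings": ["no v=spf1 TXT record published"]}
    if len(records) > 1:
        return {"status": "invalid", "findings": ["multiple v=spf1 records: permerror (RFC 7208 s4.5)"]}
    terms = records[0].split()[1:]
    findings = []
    lookups = sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    # The qualifier on 'all' decides the fate of unmatched senders; a bare 'all' means '+'.
    terminal = None
    for t in terms:
        if term_name(t) == "all":
            terminal = t[0] if t[0] in "+-~?" else "+"
    has_redirect = any(term_name(t) == "redirect" for t in terms)
    if terminal == "+":
        findings.append("'+all' authorizes every sender; the record provides no protection")
    elif terminal == "?":
        findings.append("'?all' is neutral; receivers treat it much like no policy")
    elif terminal is None and not has_redirect:
        findings.append("no 'all' mechanism: unmatched senders evaluate to neutral")
    if findings:
        status = "weak"
    elif terminal == "~":
        status = "softfail"
        findings.append("'~all' marks unauthorized mail instead of rejecting it; pair with DMARC")
    else:
        status = "ok"  # '-all', or a redirect= whose target carries the policy
    return {"status": status, "findings": findings}

# Constructed sample record sets (not real domains) covering the statuses the check returns.
SAMPLES = {
    "no-spf.example": ["google-site-verification=placeholder"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "permissive.example": ["v=spf1 a mx +all"],
    "duplicate.example": ["v=spf1 -all", "v=spf1 mx ~all"],
}
```

Run `assess_spf` on the TXT records you retrieve for the target domain; only "missing" corresponds to the finding discussed above, and even then the program's policy decides whether it is in scope.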

@samhouston Very nice post and it's very supportive. It made me feel like I am in the right place. :innocent:

1 Like

This is great, and I really hope to get started soon!

1 Like

Great Write-Up!
Maybe consider adding Real-World Bug Hunting (https://nostarch.com/bughunting) to the list, a great book that really helped me get into the more practical side of bug hunting.
Thanks for all your efforts

1 Like

Thanks Sam for this lovely write-up. It is a good read for every starter and it is still as relevant today as it was when it was written. Perfect map to hit the target. Keep giving hope to starters.

1 Like

Any more resources not listed here?
Any list of links or places to search for topic-related articles?

Thank you

There are tons of resources, but the best way is to pick up one thing and master it. So pick up one thing and scrape Google for its resources, which will help you in many ways.

1 Like

Do you know any search engine scraper?
Can you tell me a few resources besides the obvious?

Thank you

Search engine scraper for what? And what type of resources do you want? Elaborate a little bit so I can provide you the exact thing you're looking for.

Search engine scraper to obtain results from multiple search engines?

Any scripts for scraping and crawling that researchers use?

Thank you @samhouston bro for this info, it's very useful.

1 Like

Hi there, I am new to this, and I have found that there are too many things to learn about. Do I need to finish all of them before getting started with the Bug Bounty Program? I mean, what are the basic things, and what are the advanced ones? How do I know that I have the ability to start hunting? Sorry for my poor English.

Hello Samhouston. Because English is not my mother tongue, I did this through translation. I need to ask you some questions, and hope you can answer them. Because I am mostly self-taught, I am vague about my own level, so I want to know your skill tree. I prefer penetrating websites and code auditing. I hope you can make suggestions:
1. SQL injection
2. XXE entity injection
3. SSRF
4. CSRF
5. Local and remote file inclusion vulnerabilities
6. unserialize deserialization vulnerabilities
7. Variable override vulnerabilities
8. XSS
9. File upload
10. Command execution
Then I also taught myself Python. I am currently learning PHP for easy code auditing. But in the eyes of you awesome people, are these technologies considered introductory? I have only been in contact with this for a few months, and I am now learning while continually consolidating. I want to be as powerful as you guys, but I don't know how to develop further, including some problems that I have encountered in self-learning PHP recently. So can I see what you can do to help me learn? Hope everyone can help me. If you see this, you can give me some suggestions, thank you very much. I love this field very much.

But this will need programming knowledge?