====== Ch 1: Picking a Bug Bounty Program ======

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

===== Asset Types =====

Bug bounty programs define scope by listing **assets** -- the systems you are authorized to test.

  * **Social targets** -- Twitter/Facebook/LinkedIn pages. Usually out of scope, since the company doesn't control what users post there.
  * **General web applications** -- websites and APIs. The most common target type.
  * **Mobile applications** -- iOS and Android apps. Require emulators or real devices, and have a different attack surface than web apps.
  * **APIs** -- REST, SOAP and GraphQL endpoints. May have a separate scope from the main web app.
  * **Source code** -- programs that give you the source and ask you to review it. High skill, high reward.
  * **Hardware/IoT** -- physical devices. Requires hardware and firmware expertise; rare but lucrative.

===== Platforms =====

  * **HackerOne** -- largest platform; public and private programs; good for beginners
  * **Bugcrowd** -- second largest; well-known programs; managed triage
  * **Intigriti** -- European-focused; growing program list
  * **Synack** -- invite-only, vetted researchers; pays well; structured environment
  * **Cobalt** -- pentest-as-a-service hybrid; invite-only; fixed-term engagements

Many companies run **private programs** that are invite-only. You earn invites by performing well on public programs. Private programs have less competition and often better payouts.

===== Reading the Scope =====

Before testing, read the scope section carefully:

  * Note which **subdomains/domains** are in scope vs. out of scope
  * Note **excluded vulnerability classes** (e.g., "self-XSS is not a valid finding")
  * Note **safe harbor language** -- does the program promise not to sue you?
  * Check **response times** -- how fast does triage respond? (listed on most platforms)
  * Check **average bounty amounts** -- some programs list historical payouts

===== Payouts =====

Typical ranges (vary widely by program):

  * Low/Informational: $0-100
  * Medium: $100-1,000
  * High: $1,000-5,000
  * Critical: $5,000-50,000+

Some programs (Google, Apple, Microsoft) pay $100,000+ for critical findings.

===== Choosing a Program =====

Vickie Li's advice for beginners:

  - Start with programs that have **large scopes** (wildcards like *.example.com) -- more attack surface = more bugs
  - Choose programs with **fast response times** -- you want feedback to learn
  - Avoid programs with a history of disputes or low triage quality
  - Pick targets in domains you already understand (e.g., if you know e-commerce, target retail sites)
  - Private programs are better once you can get invites; less competition

===== Quick Checklist =====

- [ ] Read full scope before testing anything
- [ ] Verify your target is actually in scope
- [ ] Note exclusions (self-XSS, rate limiting, etc.)
- [ ] Check safe harbor clause
- [ ] Confirm you understand payout structure
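An added example, not from the book or from these notes: a small Python scope checker that mechanizes the "verify your target is actually in scope" step from the checklist and the subdomain/exclusion reading described under Reading the Scope. The scope lists are constructed, and the matching rules are assumptions about how programs usually phrase scope (a ''*.example.com'' entry covers subdomains but not the bare apex, and an out-of-scope entry wins over an in-scope one); the program's own scope page is authoritative.

```python
"""Scope checker for bug bounty targets (constructed example).

Assumptions (not from any real program's rules):
  * "*.example.com" matches any subdomain of example.com, not the apex;
    list the apex separately if it is in scope.
  * Out-of-scope entries take precedence over in-scope entries.
  * Targets may be given as bare hosts or URLs; case and ports are ignored.
"""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed sample scope, as a program might publish it.
IN_SCOPE = ["*.example.com", "example.com", "api.example.net"]
OUT_OF_SCOPE = ["*.corp.example.com", "status.example.com"]


@dataclass(frozen=True)
class ScopeDecision:
    host: str        # normalized hostname that was evaluated
    in_scope: bool   # True only if authorized by the scope lists
    reason: str      # which entry decided the outcome


def _hostname(target: str) -> str:
    """Extract a lower-case hostname from a bare host or a URL."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat it as a network location
    host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def _matches(host: str, pattern: str) -> bool:
    """Match a host against one scope entry (exact or '*.' wildcard)."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        # endswith() on the dotted suffix rejects look-alikes such as
        # "evil-example.com", and the apex itself never ends with ".example.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def check_scope(target: str,
                in_scope: Iterable[str] = IN_SCOPE,
                out_of_scope: Iterable[str] = OUT_OF_SCOPE) -> ScopeDecision:
    """Decide whether a target is authorized; exclusions are checked first."""
    host = _hostname(target)
    if not host:
        return ScopeDecision(host, False, "could not parse a hostname")
    for pattern in out_of_scope:
        if _matches(host, pattern):
            return ScopeDecision(host, False, f"excluded by {pattern}")
    for pattern in in_scope:
        if _matches(host, pattern):
            return ScopeDecision(host, True, f"allowed by {pattern}")
    return ScopeDecision(host, False, "not listed in scope")


def filter_targets(targets: Iterable[str],
                   in_scope: Iterable[str] = IN_SCOPE,
                   out_of_scope: Iterable[str] = OUT_OF_SCOPE) -> List[str]:
    """Return only the hostnames that the scope lists authorize."""
    return [d.host for d in (check_scope(t, in_scope, out_of_scope) for t in targets)
            if d.in_scope]


if __name__ == "__main__":
    # Constructed candidate list, e.g. output of subdomain enumeration.
    candidates = [
        "https://shop.example.com/cart",
        "vpn.corp.example.com",
        "example.com",
        "status.example.com",
        "evil-example.com",
        "api.example.net:443",
    ]
    for candidate in candidates:
        decision = check_scope(candidate)
        print(f"{decision.host:25} {'IN ' if decision.in_scope else 'OUT'}  {decision.reason}")
```

Run it against a candidate list before any testing starts; the ''reason'' field makes it easy to show, in a report or a dispute, which scope entry authorized a given host. The checker deliberately treats anything it cannot match as out of scope rather than guessing.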