====== Picking a Program ======

Choosing the right target is as important as the testing itself.

===== What to Look For =====

  * **Wide scope** -- bigger company = more teams = more mistakes
  * **Well-known names** -- more surface area, more legacy code
  * **Plan to spend months**, not days
  * No right or wrong program -- focus on targets with features you can explore

===== Program Health Check =====

Before committing time, send 1-3 small reports and watch how they respond:

  * Does the team communicate directly or only through the platform?
  * Is the program active? When was the scope last updated?
  * How do they handle low-hanging fruit chained for impact?
  * What's their response time? (3+ months = move on)
  * Do they pay fairly or downgrade everything to informational?

===== Program Selection Checklist =====

  - [ ] Scope is large enough to be worth months of investment
  - [ ] Payouts are fair and consistent
  - [ ] Team is responsive to reports
  - [ ] Test with a small, simple bug first (XSS/CSRF) to gauge response
  - [ ] Only go deep if the first report is handled well
  - [ ] Max 3-6 programs at a time

===== VDPs vs Paid Programs =====

  * VDPs (no payout) are fine for practice
  * Know your risk/reward ratio -- don't give free pentests to programs that don't appreciate it
  * Once comfortable, maintain 5-6 wide-scope programs and rotate between them

===== See Also =====

  * [[zseano:philosophy|Philosophy & Core Principles]]
  * [[zseano:reporting|Writing Good Reports]]
  * [[zseano:start|Methodology Index]]