Ch 1: Picking a Bug Bounty Program

Source: Bug Bounty Bootcamp by Vickie Li (No Starch Press, 2021)

Bug bounty programs define scope by listing assets – the systems you are authorized to test.

• Social targets – Twitter/Facebook/LinkedIn pages. Usually out-of-scope because you can't control what users post.
• General web applications – websites and APIs. Most common target type.
• Mobile applications – iOS and Android apps. Require emulators or real devices; different attack surface than web.
• APIs – REST, SOAP, GraphQL endpoints. May have separate scope from the main web app.
• Source code – programs that give you the source and ask you to review it. High-skill, high-reward.
• Hardware/IoT – physical devices. Requires hardware and firmware expertise; rare but lucrative.

• HackerOne – largest platform; public and private programs; good for beginners
• Bugcrowd – second largest; well-known programs; managed triage
• Intigriti – European-focused; growing program list
• Synack – invite-only, vetted researchers; pays well; structured environment
• Cobalt – pentest-as-a-service hybrid; invite-only; fixed-term engagements

Many companies run private programs that are invite-only. You earn invites by performing well on public programs. Private programs have less competition and often better payouts.

Before testing, read the scope section carefully:

• Note which subdomains/domains are in scope vs. out of scope
• Note excluded vulnerability classes (e.g., “self-XSS is not a valid finding”)
• Note safe harbor language – does the program promise not to sue you?
• Check response times – how fast does triage respond? (listed on most platforms)
• Check average bounty amounts – some programs list historical payouts

Typical ranges (vary widely by program):

• Low/Informational: $0-100
• Medium: $100-1,000
• High: $1,000-5,000
• Critical: $5,000-50,000+

Some programs (Google, Apple, Microsoft) pay $100,000+ for critical findings.

Vickie Li's advice for beginners:

1. Start with programs that have large scopes (wildcards like *.example.com) – more attack surface = more bugs
2. Choose programs with fast response times – you want feedback to learn
3. Avoid programs with a history of disputes or low triage quality
4. Pick targets in domains you already understand (e.g., if you know e-commerce, target retail sites)
5. Private programs are better once you can get invites; less competition

1. [ ] Read full scope before testing anything
2. [ ] Verify your target is actually in scope
3. [ ] Note exclusions (self-XSS, rate limiting, etc.)
4. [ ] Check safe harbor clause
5. [ ] Confirm you understand payout structure