Picking a Program

Choosing the right target is as important as the testing itself.

What to Look For

  • Wide scope – a bigger company means more teams, more acquisitions and more chances for someone to have made a mistake
  • Well-known names – more surface area and more legacy code still in production
  • Plan to spend months on a target, not days; depth beats breadth
  • There is no right or wrong program – favour targets with rich functionality (accounts, uploads, APIs, integrations) that you can actually explore

Program Health Check

Before committing serious time, send 1-3 small reports and watch how the program responds:

  • Does the team communicate directly with researchers, or only through platform triage?
  • Is the program active? When was the scope last updated, and are resolved reports still being disclosed?
  • How do they handle low-severity issues chained together for real impact: rewarded on the combined impact, or triaged link by link as informational?
  • What is their response time? (Reports sitting 3+ months without a reply is a signal to move on.)
  • Do they pay fairly and consistently, or downgrade everything to informational?

Program Selection Checklist

  1. [ ] Scope is large enough to be worth months of investment
  2. [ ] Payouts are fair and consistent
  3. [ ] Team is responsive to reports
  4. [ ] Test with a small, simple bug first (e.g. a reflected XSS or a CSRF) to gauge how they respond
  5. [ ] Only go deep if that first report is handled well
  6. [ ] Keep it to 3-6 programs at a time so each one gets real attention

VDPs vs Paid Programs

  • VDPs (no payout) are fine for practice and for building a track record
  • Know your risk/reward ratio – don't hand out free pentests to programs that don't value them
  • Once comfortable, maintain 5-6 wide-scope programs and rotate between them so you always have something fresh to look at

zseano/program_selection.txt · Last modified: by drew