The Bug Bounty Playbook

A living collection of TTPs, methodology, and tradecraft for bug bounty hunting. It's opinionated and incomplete. Some pages are polished, some are rough notes I jotted down between targets. A finished playbook would mean I stopped learning, so don't hold your breath.

Who this is for

Hunters who already know the basics. If you need someone to explain what Burp Suite does, start with PortSwigger's Web Security Academy and come back when you've done the practitioner-level labs. Everyone starts somewhere; this just isn't where.

If you're past that and want to know how to find bugs that actually pay, chain findings into crits, and navigate the business side of bounty hunting, you're in the right place.

How to use this

Open the graph view. That's the whole point of organising it this way. Every technique links to the recon methods that surface it, the chains that escalate it, and the reporting patterns that get it paid. Follow the connections.

Or just browse by section:

  • Methodology - How to approach a target from zero to payout
  • Recon - Discovery, enumeration, building a target map
  • Attack Surface - Techniques by what you're hitting (web, API, mobile, cloud, CI/CD)
  • Chains - Multi-vuln escalation patterns
  • Tooling - Configs, scripts, and automation that actually work
  • Reporting - Writing reports that get paid, not triaged as informational
  • Programs - Platform strategy, program selection, the meta-game
  • Business of Bounties - The stuff nobody talks about

Philosophy

PoC or GTFO. Every technique page should give you something you can run right now. If it's just theory it belongs in a textbook.

Chain thinking. A single medium is fine. Two mediums chained into a critical is a career. Every time you find something, ask yourself what it lets you reach next.

The report is the product. You don't get paid for finding bugs. You get paid for convincing a triage team that what you found matters. I've seen excellent findings get closed as informational because the report was two sentences and a screenshot.

Tags

Pages are tagged by difficulty, severity potential, attack surface, and status. #stub means I've got notes but haven't fleshed it out yet. Contributions and feedback welcome.

About

I'm a security researcher and penetration testing lead. I've held the #1 ranking in Mozilla's Web Bug Bounty Program since 2013 and have security acknowledgments from Google, Microsoft, Apple, the U.S. Department of Defense, and others. I also co-founded and run one of the first multinational bank bug bounty programs in the United States, so I've seen this from both sides.

This playbook is the methodology I actually use, not the methodology I'd put in a slide deck.