Bug bounty hunting is (probably) the most hype topic in the hacking subworld, some people read amazing stories of how a 18 years old won 1 million dollars only doing legal hacking. Many hit a wall when they realize that after two months they only won points, thanks or cheap swag. Where's the money?, they ask. What should I learn and how? How many books should I read? How many minutes of Youtube tutorials? What if I lose some weight? [always recommended] How can I be the next bug bounty millionare?

In this workshop I will show you a path to be a bug bounty hunter, from my experience starting by chance and from scratch. I will teach you how to use the tools I use everyday to find bugs, but most importantly how to see bug bounty hunting as a complex business process .

What to know before

    Basic idea of bugs (and bounty hunting)

    Basic Linux commands (sed, awk, grep)

    Shell scripting basics

    Have some practice doing recon

What you will learn

  How bug bounty programs/platforms work

  What tools hunters use and how do they work

  How to hunt for bugs (hopefully for profit)

  Automatization of your hunting process

How technical is the class

30% theory and concepts

70% Installing, configuring and using tools to find bugs. Send some reports if we are lucky.

What tools are we going to use

Scanners/automated tools: nuclei, axiom, bbrf, dalfox, Burp.

Recon tools (subfinder, amass, assetfinder, waybackurls, httpx and more)

What to read/watch in advance

Books

The Web Application Hacker's Handbook, 2nd Edition

Hands-On Bug Hunting for Penetration Testers (Joseph E. Marshall)

Web Hacking 101 (Peter Yaworski)