Bug Bounty + CVE Hunting
HackerOne paid $81M in 12 months (Jul 2024-Jun 2025), +13% YoY. AI vulnerabilities grew +210% YoY; prompt injection +540%. If you have a programming background (PHP, JS, Python), bug bounty is the parallel path to OSCP that monetizes from month one and builds a publicly auditable portfolio.Reality check: ~5% of hunters monetize meaningfully. First-year
income runs from 3K for most. But building a public
portfolio (CVEs, Halls of Fame, disclosed reports) changes
your CV permanently — worth the effort even without immediate
monetization.
Bug bounty market state 2026
Top 5 platforms
Program types
- VDP — No payment, only “swag”/recognition. Practice legally and build CV.
- Public program — Anyone reports; high competition, average payout.
- Private program — Invitation based on reputation; less competition, better pay.
2025 real numbers
- 85,000 valid reports on HackerOne in 2025 (+7%).
- Top 100 hunters all-time: $31.8M cumulative.
- AI vulnerabilities +210% YoY, prompt injection +540%.
- 1,121 programs with AI in scope (+270%).
- IDOR +29%, IAC +18%, while XSS and SQLi decline.
- 70% of hunters use AI (Caido, ChatGPT, Claude) in 2025 workflow.
12-month roadmap (2026)
Months 1-2 — PortSwigger Web Security Academy
portswigger.net/web-security/learning-paths — 190+ labs, free. Pace: 7 labs/day = 1 month. Recommended order:- Server-side: SQLi → Authentication → Path traversal → Command injection → Business logic → Information disclosure.
- SSRF (heavy focus: pays very well — see §5).
- Client-side: XSS → CSRF → CORS → Clickjacking.
- Advanced: Access control / IDOR → JWT → OAuth/SAML → GraphQL → Race conditions → Prototype pollution → HTTP request smuggling.
- Run “Mystery labs” weekly to simulate real hunting.
Months 3-4 — Free VDPs (10 with exact URL)
Curated repo (200+ programs):
github.com/projectdiscovery/public-bugbounty-programs.
Months 5-6 — Small programs (500)
Patchstack (WordPress plugins), Hostinger, Spanish/European programs on Intigriti. Filter for low minimum bounty.Months 7-12 — Serious programs
Shopify, paid GitLab, Uber. Apply to private as HackerOne reputation rises (>500 reputation opens invitations).Top 10 paid vulnerabilities 2024-2025
Based on HackerOne HPSR 2025 + disclosed reports:Severity → bounty (HackerOne platform mean)
Bugcrowd uses its own VRT instead of CVSS:
Bugcrowd VRT.
Public disclosed reports (training):
github.com/reddelexc/hackerone-reports.
Modern reconnaissance 2026
ProjectDiscovery stack (de facto)
GitHub recon
Tillson Galloway “GitHub Recon Checklist 2025”:- trufflehog — verifies the secret is still live (better than gitleaks for real bug bounty). Supports S3, Docker, Slack.
- gitleaks — faster for sweeping.
- “Oops commits” — Sharon Brizinov made $25K in 2025 scanning dangling commits in GitHub Archive.
- Useful dorks:
org:target "api_key",org:target filename:.env,"target.com" password.
Historical
gau+waybackurlsfor archived URLs.unfurlto extract unique params.
JS analysis
- LinkFinder — extracts endpoints/params from JS bundles.
- JSluice (TomNomNom) — better successor: extracts secrets/URLs by usage, not just regex.
- SecretFinder — complements.
Subdomain takeover / dangling DNS
SentinelOne reported >1,250 instances in clients in 2024-2025.nuclei subdomain-takeover/ templates cover GitHub
Pages, Heroku, Vercel, S3, Shopify. Maintained list:
github.com/EdOverflow/can-i-take-over-xyz.
Your first CVE in open-source
Project selection
- Stars 100-5,000 (serious enough, not audited to death).
- Last commit <6 months (maintained).
- No strong SECURITY.md, no prior CVEs: indicates nobody has audited.
- Language you master (PHP, JS, Python all fit).
- Filter by: package with >10K downloads/week on npm/PyPI = greater reported impact.
Typical “first-CVE” bug classes 2025
Key tools:
CNA process
If the product has its own CNA you must go through them.
MITRE/GitHub reject duplicates.
Standard disclosure timeline:
- 90 days (Project Zero).
- +30 days extension if patch in preparation.
- CERT-EU/Northwave use 90+30 policy.
Supply chain pentesting
Sources: Checkmarx — repo-jacking,
Wiz — tj-actions changed-files supply chain.
Writing an accepted report
Validated HackerOne structure
- Title —
[Vuln type] in [endpoint] allows [impact]. Example: “Reflected XSS in /search?q= allows session theft”. - Summary — 2-3 sentences: what, where, what attacker achieves.
- Steps to reproduce — numbered, copy-paste cURL/Burp request, screenshots per step.
- Proof of concept — GIF/video ≤2min. Hosted on HackerOne (not external).
- Impact — concrete scenario: “Attacker can [X] resulting in [Y loss]”. Calculated CVSS.
- Suggested mitigation — optional, adds points.
Instant “Informative” / “N/A” triggers
⚠️ Instant disqualifiers
These findings are near-guaranteed rejections unless you bring
chain or demonstrated impact:
- Logout CSRF (universally rejected).
- Missing security headers without impact demo.
- Self-XSS without pivot.
- Open redirect without chain.
- Vulns in explicitly excluded scope (READ the policy).
- Pure tabnabbing without chain.
- Banner grabbing / version disclosure standalone.
- DoS without program accept-risk.
Appealing severity
Don’t argue tone — bring data. Demonstrate broader exploitation scenario, chain with another vuln, calculate CVSS with justified vector. Request reassignment citing similar cases from the program’s own policy.Disputes, fraud, horror stories 2024-2026
Bug collisions (duplicates)
- Universal policy: first-come, first-served, decided by report timestamp.
- Protection: report immediately, save screenshots with metadata, don’t share POC privately before reporting.
- If marked dup but you bring novel variant, request partial bounty with technical argument.
Personal legal protection
- Never test outside scope.
- Save all communication.
- For OS CVEs: use private GitHub Security Advisory first (90-day window), never public post before fix without agreement.
- Consider dedicated VPN and separate account for hunting work.
Persistent resources
- HackerOne Hacker101
- PortSwigger Academy
- Methodology repo (amrelsagaei 2025)
- Curated disclosed reports
- Public programs list
- GitLab vuln DB (npm/PyPI by category)
- NahamSec recon talks
- STÖK videos
Related resources
- Professional web recon — Passive, fingerprinting, type confusion.
- Tactical glossary — IDOR, SSRF, JWT, Mass Assignment.
- Cloud Pentest — Cloud vectors paying top bounties.
- LLM Security — Category +540% YoY in HackerOne 2025.