Skip to main content

Bug Bounty + CVE Hunting

HackerOne paid $81M in 12 months (Jul 2024-Jun 2025), +13% YoY. AI vulnerabilities grew +210% YoY; prompt injection +540%. If you have a programming background (PHP, JS, Python), bug bounty is the parallel path to OSCP that monetizes from month one and builds a publicly auditable portfolio.
Reality check: ~5% of hunters monetize meaningfully. First-year income runs from 0to0 to 3K for most. But building a public portfolio (CVEs, Halls of Fame, disclosed reports) changes your CV permanently — worth the effort even without immediate monetization.

Bug bounty market state 2026

Top 5 platforms

Program types

  • VDP — No payment, only “swag”/recognition. Practice legally and build CV.
  • Public program — Anyone reports; high competition, average payout.
  • Private program — Invitation based on reputation; less competition, better pay.

2025 real numbers

  • 85,000 valid reports on HackerOne in 2025 (+7%).
  • Top 100 hunters all-time: $31.8M cumulative.
  • AI vulnerabilities +210% YoY, prompt injection +540%.
  • 1,121 programs with AI in scope (+270%).
  • IDOR +29%, IAC +18%, while XSS and SQLi decline.
  • 70% of hunters use AI (Caido, ChatGPT, Claude) in 2025 workflow.
Sources: BleepingComputer — HackerOne $81M, HackerOne 2025 HPSR.

12-month roadmap (2026)

Months 1-2 — PortSwigger Web Security Academy

portswigger.net/web-security/learning-paths — 190+ labs, free. Pace: 7 labs/day = 1 month. Recommended order:
  1. Server-side: SQLi → Authentication → Path traversal → Command injection → Business logic → Information disclosure.
  2. SSRF (heavy focus: pays very well — see §5).
  3. Client-side: XSS → CSRF → CORS → Clickjacking.
  4. Advanced: Access control / IDOR → JWT → OAuth/SAML → GraphQL → Race conditions → Prototype pollution → HTTP request smuggling.
  5. Run “Mystery labs” weekly to simulate real hunting.

Months 3-4 — Free VDPs (10 with exact URL)

Curated repo (200+ programs): github.com/projectdiscovery/public-bugbounty-programs.

Months 5-6 — Small programs (5050-500)

Patchstack (WordPress plugins), Hostinger, Spanish/European programs on Intigriti. Filter for low minimum bounty.

Months 7-12 — Serious programs

Shopify, paid GitLab, Uber. Apply to private as HackerOne reputation rises (>500 reputation opens invitations).

Top 10 paid vulnerabilities 2024-2025

Based on HackerOne HPSR 2025 + disclosed reports:

Severity → bounty (HackerOne platform mean)

Bugcrowd uses its own VRT instead of CVSS: Bugcrowd VRT. Public disclosed reports (training): github.com/reddelexc/hackerone-reports.

Modern reconnaissance 2026

ProjectDiscovery stack (de facto)

GitHub recon

Tillson Galloway “GitHub Recon Checklist 2025”:
  • trufflehog — verifies the secret is still live (better than gitleaks for real bug bounty). Supports S3, Docker, Slack.
  • gitleaks — faster for sweeping.
  • “Oops commits” — Sharon Brizinov made $25K in 2025 scanning dangling commits in GitHub Archive.
  • Useful dorks: org:target "api_key", org:target filename:.env, "target.com" password.

Historical

  • gau + waybackurls for archived URLs.
  • unfurl to extract unique params.

JS analysis

  • LinkFinder — extracts endpoints/params from JS bundles.
  • JSluice (TomNomNom) — better successor: extracts secrets/URLs by usage, not just regex.
  • SecretFinder — complements.

Subdomain takeover / dangling DNS

SentinelOne reported >1,250 instances in clients in 2024-2025. nuclei subdomain-takeover/ templates cover GitHub Pages, Heroku, Vercel, S3, Shopify. Maintained list: github.com/EdOverflow/can-i-take-over-xyz.

Your first CVE in open-source

Project selection

  • Stars 100-5,000 (serious enough, not audited to death).
  • Last commit <6 months (maintained).
  • No strong SECURITY.md, no prior CVEs: indicates nobody has audited.
  • Language you master (PHP, JS, Python all fit).
  • Filter by: package with >10K downloads/week on npm/PyPI = greater reported impact.

Typical “first-CVE” bug classes 2025

Key tools:

CNA process

If the product has its own CNA you must go through them. MITRE/GitHub reject duplicates. Standard disclosure timeline:
  • 90 days (Project Zero).
  • +30 days extension if patch in preparation.
  • CERT-EU/Northwave use 90+30 policy.

Supply chain pentesting

Sources: Checkmarx — repo-jacking, Wiz — tj-actions changed-files supply chain.

Writing an accepted report

Validated HackerOne structure

  1. Title[Vuln type] in [endpoint] allows [impact]. Example: “Reflected XSS in /search?q= allows session theft”.
  2. Summary — 2-3 sentences: what, where, what attacker achieves.
  3. Steps to reproduce — numbered, copy-paste cURL/Burp request, screenshots per step.
  4. Proof of concept — GIF/video ≤2min. Hosted on HackerOne (not external).
  5. Impact — concrete scenario: “Attacker can [X] resulting in [Y loss]”. Calculated CVSS.
  6. Suggested mitigation — optional, adds points.

Instant “Informative” / “N/A” triggers

⚠️ Instant disqualifiers
These findings are near-guaranteed rejections unless you bring chain or demonstrated impact:
  • Logout CSRF (universally rejected).
  • Missing security headers without impact demo.
  • Self-XSS without pivot.
  • Open redirect without chain.
  • Vulns in explicitly excluded scope (READ the policy).
  • Pure tabnabbing without chain.
  • Banner grabbing / version disclosure standalone.
  • DoS without program accept-risk.

Appealing severity

Don’t argue tone — bring data. Demonstrate broader exploitation scenario, chain with another vuln, calculate CVSS with justified vector. Request reassignment citing similar cases from the program’s own policy.

Disputes, fraud, horror stories 2024-2026

Bug collisions (duplicates)

  • Universal policy: first-come, first-served, decided by report timestamp.
  • Protection: report immediately, save screenshots with metadata, don’t share POC privately before reporting.
  • If marked dup but you bring novel variant, request partial bounty with technical argument.
  • Never test outside scope.
  • Save all communication.
  • For OS CVEs: use private GitHub Security Advisory first (90-day window), never public post before fix without agreement.
  • Consider dedicated VPN and separate account for hunting work.

Persistent resources