Bug Bounty Fundamentals
# Choosing Your First Program
Selecting the right program dramatically impacts your success rate. Here's a strategic approach to program selection.
## VDP vs Bug Bounty Program
| Aspect | VDP (Vulnerability Disclosure) | Bug Bounty Program |
|---|---|---|
| Payment | None or swag | Cash rewards |
| Competition | Lower | Higher |
| Response time | Often slower | Usually faster |
| Best for | Beginners, reputation building | Experienced hunters |
Strategy: Start with VDPs to build skills and reputation, then move to paid programs.
## Program Selection Criteria

### 1. Scope Size

- Wide scope (`*.example.com`): More attack surface, more opportunities
- Narrow scope (`app.example.com` only): Focused, heavily tested already
- Recommendation: Start with medium-wide scope programs
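Scope entries decide what you are authorized to test, so it is worth being exact about what a wildcard like `*.example.com` covers and what an out-of-scope list excludes. The checker below is an added example, not code from the original page or from any bounty platform: it assumes scope entries are plain hostnames or single-label wildcards, treats exclusions as taking precedence over inclusions, and uses a constructed sample scope rather than any real program's policy.

```python
"""Check whether a host falls inside a program's published scope.

Added example (not from the original page). Scope entries are assumed to be
hostnames or wildcards of the form `*.example.com`; any host matching an
out-of-scope entry is excluded even if it also matches an in-scope entry.
The sample scope at the bottom is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Scope:
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)


def _matches(pattern: str, host: str) -> bool:
    """Return True if host matches one scope entry.

    `example.com` matches only itself. `*.example.com` matches any subdomain
    at any depth but not the bare apex, which is how most program pages
    describe a wildcard entry. Matching is case-insensitive and ignores a
    trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com": the dot blocks "evilexample.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(scope: Scope, host: str) -> str:
    """Classify a host as 'out', 'in' or 'unlisted'. Exclusions win."""
    if any(_matches(p, host) for p in scope.out_of_scope):
        return "out"
    if any(_matches(p, host) for p in scope.in_scope):
        return "in"
    return "unlisted"


def scope_breadth(scope: Scope) -> str:
    """Coarse wide/narrow label in the page's terms: any wildcard counts as wide."""
    return "wide" if any(p.startswith("*.") for p in scope.in_scope) else "narrow"


# Constructed sample scope (hypothetical program, not a real policy).
SAMPLE_SCOPE = Scope(
    in_scope=["*.example.com", "api.example.net"],
    out_of_scope=["legacy.example.com", "*.staging.example.com"],
)

if __name__ == "__main__":
    for h in ["app.example.com", "example.com", "legacy.example.com",
              "x.staging.example.com", "API.example.net", "other.org"]:
        print(f"{h:24} -> {classify(SAMPLE_SCOPE, h)}")
    print("breadth:", scope_breadth(SAMPLE_SCOPE))
```

Note that `example.com` itself comes back `unlisted` under a `*.example.com` entry: if a program means to include the apex it normally lists it separately, and an `unlisted` result is a reason to ask the program before testing rather than to assume.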
### 2. Asset Types
| Asset Type | Skill Required | Competition |
|---|---|---|
| Web applications | Medium | High |
| Mobile apps | Medium-High | Medium |
| APIs | Medium | Medium |
| Hardware/IoT | High | Low |
| Smart contracts | High | Medium |
### 3. Program Age

- New programs: Less picked over, more low-hanging fruit
- Old programs: More mature, require deeper bugs
- Sweet spot: 6-18 month old programs with recent scope expansions
### 4. Response Metrics (HackerOne)
- Average time to first response: < 7 days is good
- Average time to bounty: < 30 days preferred
- Bounty rate: 40%+ means they actually pay
## Finding Programs

### On HackerOne
- Go to Directory → Programs
- Filter by: "Offers bounties" + "Accepting submissions"
- Sort by: "Last updated" for fresh scope
### On Bugcrowd
- Browse Programs
- Filter by: Bounty type, asset type
- Look for "Recently launched" badge
## Red Flags to Avoid
- No safe harbor clause
- Very low bounties relative to scope
- Poor response statistics (> 30 days to first response)
- Frequent "Won't Fix" resolutions
- No clear scope definition
## Beginner-Friendly Program Characteristics
- Clear documentation: Rules, scope, and examples provided
- Wide scope: Multiple domains/apps to test
- Active: Recent updates and bounty payments
- Educational: Some programs specifically welcome beginners
## Your First 30 Days Strategy
| Week | Focus |
|---|---|
| 1 | Pick 2-3 VDPs, learn their applications |
| 2 | Reconnaissance on all targets, map attack surface |
| 3 | Focus on one target deeply, test systematically |
| 4 | Submit findings, learn from responses, iterate |
Pro Tip: Don't chase the highest bounties initially. A $500 finding you actually discover beats a theoretical $50,000 bug you never find.
## Building Program Expertise
Successful hunters often specialize:
- Become the expert on 3-5 programs
- Understand their tech stack deeply
- Monitor for new features (fresh attack surface)
- Build relationships with their security team
Next module: We dive into reconnaissance, the foundation of every successful bug bounty hunt.