What is Bug Bounty?

At its heart, hacking is about curiosity. It's about looking at a system and asking, "What if I did this instead?" Bug bounty is the modern, legal, and rewarding way to channel that curiosity into a powerful skill - one that makes the internet safer, supercharges your career, and can earn you significant payouts.

The Core Concept

A bug bounty program is a formal invitation from a company for ethical hackers to find and report security vulnerabilities in their systems. When a researcher reports a valid bug according to the program's rules, the company rewards them with a payment (a "bounty"), public recognition, or both. It's a win-win: companies get their systems tested by thousands of diverse, creative minds, and you get paid to learn and hack.

The Bug Bounty Ecosystem

Why do companies offer bug bounties?

  • Proactive, Around-the-Clock Security: A global community of bug bounty hunters provides continuous testing that an internal team alone cannot match.

  • Diverse Perspectives: Researchers from different backgrounds will try creative attack paths that internal teams or automated scanners might miss.

  • Cost-Effective: Companies only pay for valid, confirmed vulnerabilities, making it a highly efficient way to improve their security posture.

  • Builds Trust: Running a public bug bounty program signals to customers that a company takes security seriously.

Why do hackers participate?

  • Get Paid to Learn: You earn money for your skills while actively improving them on real-world targets.

  • Legal & Safe: It provides a "safe harbor," meaning you have permission to hack within the program's rules without fear of legal trouble.

  • Build a Reputation: Every valid bug you find builds your public profile, which can lead to private program invites and job offers.

Hacker Profile example from HackerOne

The Report Submission Process

Every bug bounty report follows a similar lifecycle. Here are the steps:

  • Choose a Program & Read the Rules: You start by selecting a program. The first and most important step is to read its policy page to understand the scope: what you are allowed to test and what is off-limits.

Chipotle's Public Bug Bounty Program page on BugCrowd

  • Hunt for Vulnerabilities: Using the skills and tools you'll learn in this course, you begin searching for security flaws within the defined scope.

  • Write a High-Quality Report: When you find a bug, you submit a clear, concise report with a step-by-step Proof of Concept (PoC) that allows the company's security team to reproduce your finding.

  • Triage and Validation: The program's team (the "triagers") will review your report to validate that the bug is real, reproducible, and in-scope.

  • Remediation and Reward: If validated, the report is passed to the company's internal engineering team to be fixed. Once the bug is resolved, the company issues your reward; some programs pay as soon as the report is validated rather than waiting for the fix.

Bug Bounty Reward email from Apple

Essential Terminology

  • Scope: The list of assets (websites, applications, IP addresses) you are legally allowed to test.

  • Proof of Concept (PoC): A clear demonstration showing how to reproduce a vulnerability.

  • Triage: The process of reviewing a submitted bug report to validate it.

  • Severity: The level of impact a bug has (usually rated from Low to Critical).

  • VDP (Vulnerability Disclosure Program): A program that offers recognition but typically not money.

  • BBP (Bug Bounty Program): A program that offers monetary rewards (bounties).
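The "Scope" definition above and the "Read the Rules" step earlier both come down to one practical question: is this host something the program has authorised me to test? The following is an added example, not code from the page or from any platform, of a small pre-flight check that answers it. The scope entries are constructed for illustration; it supports exact hostnames, wildcard hostnames such as `*.example.com`, single IPs and CIDR blocks, and it treats out-of-scope entries as overriding in-scope ones, which is how policy pages are meant to be read.

```python
"""Scope checker: decide whether a host is inside a program's declared scope
before any testing starts.

Added example for this chapter. The scope entries under SAMPLE_SCOPE are
constructed and do not describe any real program."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Scope:
    in_scope: List[str] = field(default_factory=list)
    out_of_scope: List[str] = field(default_factory=list)


def _matches(entry: str, host: str) -> bool:
    """True if `host` matches one scope entry.

    Supported entry forms: exact hostname, wildcard hostname (*.example.com),
    single IP address, or CIDR block (203.0.113.0/24)."""
    entry = entry.strip().lower()
    host = host.strip().lower()

    # IP or CIDR entry: compare as addresses, never as substrings
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # entry is an address range, host is a name

    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com"
        # A wildcard covers subdomains only; the bare apex must be listed
        # separately if the program wants it tested.
        return host.endswith(suffix) and host != suffix[1:]

    return host == entry


def is_in_scope(scope: Scope, host: str) -> bool:
    """Explicit exclusions narrow any in-scope entry, so they are checked first."""
    if any(_matches(e, host) for e in scope.out_of_scope):
        return False
    return any(_matches(e, host) for e in scope.in_scope)


def check_targets(scope: Scope, hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate host to True (authorised) or False (do not touch)."""
    return {h: is_in_scope(scope, h) for h in hosts}


# Constructed sample policy, in the shape platforms typically present it
SAMPLE_SCOPE = Scope(
    in_scope=["*.example.com", "api.example.net", "203.0.113.0/24"],
    out_of_scope=["legacy.example.com", "*.staging.example.com"],
)

if __name__ == "__main__":
    candidates = [
        "app.example.com",          # wildcard match        -> in scope
        "example.com",              # apex not covered      -> out of scope
        "legacy.example.com",       # explicitly excluded   -> out of scope
        "dev.staging.example.com",  # excluded by wildcard  -> out of scope
        "203.0.113.7",              # inside CIDR block     -> in scope
        "198.51.100.1",             # not listed anywhere   -> out of scope
    ]
    for host, ok in check_targets(SAMPLE_SCOPE, candidates).items():
        print(f"{host:28} {'IN SCOPE' if ok else 'out of scope'}")
```

Run the checker over every host you are about to touch and stop on anything it reports as out of scope; when a host is ambiguous (for example the apex domain of a wildcard entry), treat it as out of scope and ask the program rather than guessing.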

Your First Steps

This chapter is all about understanding the landscape. Here are some concrete steps to get you started.

  • Create Your Accounts: Go to the two largest platforms, HackerOne and Bugcrowd, and create your researcher account on each.

  • Immerse Yourself in the Community: Create a dedicated X (formerly Twitter) account for bug bounty hunting. Start following well-known hunters who share tips and write-ups (try starting with @Rhynorater or @Nahamsec). This is the best way to learn passively.

Rhynorater's Bug Bounty 0-100k in a year strategy

  • Explore Public Programs: Don't try to hack yet. Just browse the public programs on the platforms, check whether your favorite brand has one, and see how programs define their scope and list their bounty amounts.

  • Set a Learning Goal for the Course: Your first goal should be practical: learn the bug bounty hunting process, stay proactive, and find your first valid bug within the next 30-60 days.

In the next chapter, "Personas You'll Meet on Your Bug Bounty Journey", we'll meet the key players in the ecosystem and cover the essential rules of engagement every hunter must know.

Fun Quiz

You found a company with a security page inviting hackers to report bugs, but their policy states they offer "Safe Harbor and Swag" but no cash rewards. What type of program is this?


You are excited to start hunting on a new target. What is the absolute first thing you must do before sending a single request?
