1. Spend at least 30 minutes on a new target
  2. Look for “No”s
  3. Use Italics Tags in your inputs instead of XSS payloads
  4. Focus on SaaS apps that are multi-tenant
  5. Buy Burp Pro
  6. On a new target go straight to the User Management section
  7. See if inviting an existing user to your org exposes their name
  8. See if inviting an existing user removes them from their own org
  9. If the scope has a wildcard, use sub finder to find subdomains
  10. Run HTTPX on the list of subdomains to narrow down alive targets

  1. On an app you’re not familiar with, use it like a normal user first
  2. If the docs say you can’t do X, but you can do X then you have a bug
  3. Use match & replace rules to find new endpoints
  4. Budget time into your week specifically for hacking
  5. Give yourself a no-bug time limit. I do 3 hours.
  6. Go back to old dupes and see if you can still reproduce.
  7. Look for “+2” in your reputation log to find dupes that should be now.
  8. Ask for help from other hackers
  9. Make your report a conversation, not a sales pitch
  10. Accept & expect that dupes will happen

  1. File & Forget
  2. If an endpoint has api/v2/, try api/v1/
  3. If an endpoint has api/v2, try removing the v2 altogether
  4. 6 - $1000 Mediums pay more than 1 - $5,000 critical. Don’t ignore any bugs
  5. Lows are still bugs that should be filed
  6. Be kind to your triager
  7. Say “thank you” when you get a bounty
  8. If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.
  9. If UUID IDORs exist, then look for an endpoint that exposes UUIDs
  10. Pin your success on whether your followed your plan, not if you found bugs

  1. A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit
  2. Going deep will payoff
  3. Working with new hackers will payoff in dividends
  4. Don’t be jealous
  5. Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your own sanity
  6. If you find a bug that’s OOS, still ask the customer if they care
  7. There’s no end. Enjoy the journey
  8. Have a hobby that’s not related to hacking
  9. Have friends that don’t hack
  10. Figure out what time of day you hack the best. Late nights aren’t for me.

  1. Spend that extra 2 minutes to make your report look/read nice
  2. “Subscribe” to programs that pay well and have good scope
  3. Don’t whine on Twitter about a single report. Or at all for that matter.
  4. IDORs and Privilege Escalations are a great place to start
  5. Unmet expectations lead to disappointment
  6. Teach someone else how to hack
  7. Time spent reading/learning is time-well spent
  8. Focus on programs that you actually use in your day-to-day
  9. Establish a relationship with the program
  10. Try asking the program what types of bugs they want to see

  1. Look at a programs leaderboard to see who you should collar with
  2. When collaborating, an even bounty split eliminates hassle
  3. Take a break when you stop having fun
  4. At an LHE, start hacking ahead of time
  5. Look for programs that are active in resolving reports
  6. Look for programs that haven’t awarded a lot recently
  7. Look for programs that have collaboration enabled
  8. Look for programs that don’t list out a bunch of known issues
  9. Look for programs that have a history of adding new scope
  10. Change your strategy if you’ve gone a while without a finding

  1. If you’re on a roll, keep doing what you’re doing
  2. But don’t let success keep you from evolving/growing
  3. Compare yourself against yourself from last year
  4. Maintain online presence for new opportunities
  5. Be thankful for failure
  6. Read disclosed reports
  7. Focus on one program at a time. Cycle if you get bored.
  8. Don’t spray XSS payloads everywhere
  9. If possible, work at a company that has a BBP
  10. Spend bounty money on tools that will generate more bounties

  1. Budget a specific amount of your bounties for fun. And stick to it.
  2. When hacking a store, don’t be afraid to make small purchases
  3. Look for changes in JS files to know when there may be new functionality
  4. Look for references to subdomains in a company’s GH repos
  5. Look for references to subdomains in employee’s GH repos
  6. If the app uses Intercom, try booting it with another email
  7. Look for second-degree IDORs
  8. SSRFs exist when the app makes any external request. Look for these requests.
  9. Look for actuator endpoints
  10. Find hackers that hack differently than you.

  1. Try hacking in a different room of the house
  2. Try hacking at a different location altogether
  3. If you find the same bug on different endpoints, file as different bugs
  4. Try always having some pending bugs in your pipeline
  5. Break your yearly bounty goal into monthly goals
  6. Know when a bounty isn’t worth fighting over
  7. Push back gently when a report gets downgraded
  8. Use the leaderboard as motivation, not as comparison
  9. Don’t re-invent the wheel when a tool exists
  10. Don’t be afraid to build the wheel if the tool doesn’t

  1. Try collabing in real time over video chat
  2. Always ask why something works the way it does
  3. When collabing, don’t be afraid to be the underperformer
  4. When collabing, don’t get salty about being the oqerperformer
  5. Use mediation, but use it sparingly
  6. Be generous with your earnings
  7. Hack for fun, not for a paycheck
  8. LHEs are a privilege, not an expectation
  9. Programs are your friend, not your adversary. Work with them
  10. The platform is your friend, not your adversary. Work with them