Do these four things, and I promise you, if you do these things right you're going to be off to the races and you are going to be enjoying doing bug bounties and collecting these bounties even more. So in this video what I'm going to do is put the last 10 years of experience that I have gained with bug bounties, and mostly this last year where I've had a huge success with bug bounties, into a four-step framework that I would follow if I were to start doing bug bounties in 2024.

This first step is to actually get started: to maybe create your first account on a bug bounty platform like HackerOne, Bugcrowd or Intigriti, picking a few targets that you want to hack on. There are going to be your two to three targets that you're going to pick, and you're going to start hacking on them regardless of whether you are familiar with their products or not. The main objective of this first level, this first step, is to just get going and actually get insight on how to look for vulnerabilities: what are the different vulnerabilities that you need to test when it comes down to particular functionality. For example, if you see a file upload, what are the different vulnerabilities you can test for? Maybe you can test for cross-site scripting, maybe you can test for unrestricted file upload bypasses, you can try and bypass the file types that are allowed, cross-site scripting, and so on. So really you just want to spend the time to figure out what vulnerabilities happen in what functionality, and also just spend the time to get good at them. And if you're not sure how to get started and you don't understand the basics, well, there is no shortage of resources nowadays, and you just have to pick a platform like Hacking Hub, Hack The Box, TryHackMe or PentesterLab and just start spending time to learn these vulnerabilities and then translate them over into your methodology with bug bounty hunting. If you want to look for a more dedicated course, something like a Udemy course, I also have my personal course that I have created; it comes with a bunch of labs and challenges that teach you, and I'm also going to work on an update here pretty shortly that I will link down below.

And if you're watching this video, obviously you haven't taken that step just yet and you're still holding yourself back, and a lot of times what's holding people back is overthinking bug bounties and the approach to bug bounties. You may be asking yourself questions like: what bugs am I going to look for, how am I going to look for these vulnerabilities, what are the different vulnerability types, what are the scopes? And honestly, you're not going to learn any of this stuff until you start putting in the time and effort to get familiarized with bug bounties in general. The last part of this step is to also understand what are the applications and bug bounty programs that you actually enjoy hacking on. Do you want to become a hacker that's going to go after these wide-scope programs, or do you want to go after a large web application that has a ton of functionality? The two of these come with different approaches: one allows you to do a lot of automation and learning about asset discovery, content discovery and just recon in general, and then the other one, which is a large application, comes with manual testing; a lot of times you have to do more manual work and have a deep understanding of different technology stacks and also the vulnerabilities that come with them. So honestly, the first step to this framework is to just stop overthinking and get going.

The next step of this framework is to actually get good, or I want to say get good enough, to actually know what bugs you want to look for. This is where you start to actually hack on things that you absolutely enjoy and only focus on vulnerabilities that you are super, super comfortable with and you know how to look for. This also comes with the territory of learning all the different tools that are very important when it comes down to bug bounty hunting. For example, if you want to become a hacker that does a lot of automation, then you're probably going to learn about Nuclei templates, using tools like Sublist3r, or even going to httpx, and using all these different automated tools to create leads and automatically look for vulnerabilities. In contrast, if you're going to become a manual hacker, or more someone that looks at web applications and breaks them apart, you're probably going to use more tools like Burp Suite and the good plugins that come with it, and also using tools like JS LinkFinder or just monitoring JavaScript files that show you new functionality. So keep in mind that the second phase is mostly about your methodology and really understanding what you're really good at, what is the path that you want to go down, and what are the tools that come with it. Also keep in mind that this is not the end of it all; it's not that you have to just stick to one path. The whole point of this second phase is to learn about yourself and really understand what it is that you enjoy, so you don't have to pick one or the other; you can do both, you can do a little bit of one or the other. But this point is to really get to know yourself as a hacker before we get to the next phase.

The next phase is to get smart. This is where you really want to understand what it is that you do as a bug bounty hunter. In the second phase you're still dabbling in automation, maybe manual hacking, you're doing a little bit of both; the second phase is between your first 10 to 20 submissions. But now we're getting down to business and we're more serious about what we want to do, we learn exactly what it is that we want to do, and we have made a little bit of money to reinvest in ourselves as bug bounty hunters, and we start looking at this as a business. So for example, you start to invest in maybe paying for some third-party services and using your Shodan, your Censys, your Treest or SecurityTrails, where you can get data and actually leverage it in your day-to-day bug bounty hunting in order to expand what you're finding. This also goes into creating better automation and maybe creating things like Slack notifications and Discord notifications so you get notified when a vulnerability has been created; maybe you create some templates that automatically report them for you. In this phase you really know what you enjoy, you have all these different systems in place, and maybe you're actually collaborating with a group of different hackers. You have the programs that you're hacking on and you know exactly what to look for when you hack on them. This is the phase you get into when you are actually comfortable and you're reporting vulnerabilities very, very regularly.

The last step of this four-step framework is standing out as a hacker. A lot of times I feel like a lot of hackers get comfortable when they get to step three; they don't take it to the next level, which is actually starting to contribute to the community. Maybe you start developing tools, maybe you start teaching others, or even, who knows, maybe you start a YouTube channel. But the whole point here is you start to stand out as a hacker and you start to contribute and give back to that community. If you look at it, a couple of good examples of this are people like TomNomNom: he took the route of creating a bunch of tools that maybe he was using for himself, but he chose to open source them for others to use as well. Another good example of it is someone like Justin Rhynorater and Joel aka teknogeek; they started a podcast where they invite guests onto their podcast and they talk about specific vulnerabilities, how to get better, how to become a better hacker, and so on. So the point of this phase is that you want to start contributing. You can also take Shubs's approach with Assetnote: they do a ton of different cool research and they give it back to the community, and a lot of times the research that they have done is actually being used by a ton of bug bounty hunters, and they are creating templates and automation and tooling around it to create more bounties and get more rewards from it.

Personally, as a content creator, one of the things that I have learned is that I have gotten way better at my craft because of the fact that I've been able to teach these very complex topics to people with no background in bug bounties or hacking or web hacking, and break them down in a way that they understand them. So just having the ability to teach people, do security research and contribute to the community makes you stand out, but also gives you ideas and allows you to expand on your knowledge and your skills and the bugs that you look for, and it pushes you a step further as a hacker and a bug bounty hunter. So if I were to go and start bug bounties this year, today, this would be how I would start my journey; I would go down this four-step framework. But also, if you need more resources, go to my YouTube channel, look at last year's how to get started in bug bounty in 2023, look at my web hacking tools and my web hacking resources, check them out. There's a ton of good resources out there, but this honestly is probably one of the better frameworks that I've come up with. I'm hoping that it helps you get started. Just remember, all you have to do is get going, get good or get good enough, get smart, and last but not least, you have to stand out and contribute back to the community. All right, that's it. I will see you all in the next video. Peace.

That actually is kind of cool that it landed over.