New to bug bounty and feeling completely lost — looking for methodology advice
I'm just starting out with bug bounty hunting, but it's honestly overwhelming. I pick a target, start poking around the site, and I immediately feel completely lost. I don't feel like I have any real methodology — it feels like I'm just randomly trying things.
Questions:
1.When you land on a target, what methodology/workflow do you actually follow? Do you go feature by feature (e.g., login first, then signup, then payment flow, etc.)? Or do you focus on a specific vuln class from the start (just XSS, or just account takeover, for example)? Or do you just browse the whole site and test whatever catches your eye — basically random?
2.Any articles, books, videos, or general advice you'd recommend for someone getting into bug bounty?
Background:
Web: PortSwigger Web Security Academy (100+ labs done) plus the major topics
HackTheBox web-focused modules
Other: Active Directory pentesting, privilege escalation
Thanks in advance