r/BugBountyNoobs

▲ 2 r/BugBountyNoobs+1 crossposts

How much programming do I need to learn before starting with vulnerabilities?

Before learning vulnerabilities, how much web development should I actually need to know?

Like how deep should I go into HTML/CSS/JS?

Do I only need to learn how React and Next.js work, or do I need to learn enough to make websites or apps with these?

Also, are there any tips to start?

As I'm seeing in many Reddit posts, some people are saying bug bounty has money, many bugs, and is worth starting in 2026, and some are saying it's so saturated, there's no money for beginners, and AI can do it in seconds (not telling how and when).

Just need a proper answer.

Please, seriously, I need help!!

Thank you in advance.

reddit.com
u/daylight_owl- — 10 hours ago

Looking for Partner

I am beginning in bug bounty and I am looking for someone to study bug bounty along with me so we can share our understanding. I like to concentrate more on XSS and IDOR. I have lab experience but I fail in real-world scenarios. Let me know if anyone is interested.

u/Rude-Engineer4584 — 17 hours ago
▲ 7 r/BugBountyNoobs+1 crossposts

Handling external requests in heavily filtered JS environments

Hi everyone,

I’m researching restricted JavaScript execution contexts and I’m curious about browser behavior when several characters are filtered.

For example, these characters are blocked:
/ $ % ) { } ' <

Because of that, common patterns like fetch().then() cannot be used.

I can still make requests to external endpoints, but I’m unable to read the response data or send the retrieved data elsewhere due to the character restrictions.

In general, are there JavaScript properties, events, or browser features that can still interact with external resources or handle response data in heavily filtered environments like this?

I’m mainly trying to understand browser behavior and limitations in restricted contexts.

Thanks.

u/CharityAdmirable8774 — 19 hours ago

Should I start bug bounty ?

If someone has time, please read my journey below. I would appreciate guidance and feedback.

So last year around this time I got a notification from Google Password Manager that my passwords were found in a breach. I checked, and upon searching I went to haveibeenpwned. There I got more details and found how easy it was for someone to hack me for financial or any personal gain.

Then I searched more about the data breaches and the groups like alien txt and breachforums. I saw many dumps, I went through those, and was shocked. I learnt about this cycle. I learnt about malware, stealers, RATs, keyloggers, ransomware.

I tried to reverse engineer an Android application without knowing how to do it. I used Burp, jadx and other tools. I went through the code of some stealers.
Finally I landed on THM and did modules for networking, and currently I am doing the web pentesting modules.

Now here is the problem I am facing: though the labs on PortSwigger and THM are good, they are not fun. I feel like: I am learning this attack, this is basic, labs are basic, anyhow I will complete them 'cause there is a solution and a structural way to do it. But nah, I don't feel the rush. I want to do it on real systems but I know it's not legal.

So is bug bounty right for me? Should I jump in or should I just torture myself to get the labs solved first ? What's the path for me ?

I appreciate your time. Kindly share any suggestions that you have.

u/No-Interview4002 — 4 days ago
▲ 2 r/BugBountyNoobs+1 crossposts

I’m looking to start learning bug bounty hunting from scratch and would really appreciate guidance from experienced hunters.

[removed]

u/Muiz_Rohman — 4 days ago

Beginner Bug Bounty Hunter – Stuck on Real-World Approach (Need Guidance)

Hey everyone,

I’m currently trying to get into bug bounty hunting and I feel a bit stuck transitioning from labs to real-world targets.

Here’s my current situation:

  • I understand basic vulnerabilities like XSS, SQLi, IDOR
  • I’ve used tools like Burp Suite, Nmap
  • I know the concept that mastering one tool is better than using many
  • I’ve studied networking basics and completed labs (PortSwigger, etc.)

But my main confusion is about real-world approach:

  • In labs, I know a vulnerability exists → I just have to find it
  • In bug bounty, I don’t even know:
    • If the target has a bug
    • Where to start testing
    • What to test first
    • Which vulnerabilities to focus on

I feel lost when I open a real target.

Some questions I’m struggling with:

  1. How do you choose a target as a beginner?
  2. What is your step-by-step methodology when testing a new website?
  3. How do you decide what vulnerability to look for first?
  4. How do you avoid wasting time on targets with no bugs?
  5. Any tips to get the first valid bug / bounty?

Also, if anyone is open to mentoring or guiding (even occasionally), I’d really appreciate it. I’m serious about learning and improving.

Thanks in advance

u/Extreme_Trouble_6412 — 5 days ago

I heard that there are a lot of paths

How do I know which ones are suitable for me?
Or how do I find those paths to choose from?

Notes:
Learnt the basics in Java, Python, C++ problem solving, OOP, data structures, discrete structures (just the basics!)
16 ram, Intel Core i5-6300HQ, 2 GB graphics card, 1.38 TB storage.

u/According-Yard-545 — 4 days ago
▲ 1 r/BugBountyNoobs+1 crossposts

Looking for skilled bug bounty hunters who actually find real vulnerabilities.

Currently interested in bugs affecting Instagram, Spotify, and TikTok.

If you already have a private vuln, just briefly tell me the type of issue and what it can do (example: XSS — not looking for that currently). No technical details needed at first, I only want to know the vuln category/capability. If it’s something I’m interested in, I’ll ask for proof.

After verification, payment will be made. Budget depends on the severity/quality of the vuln — up to $5,000 for now, potentially more for exceptional findings.

If you don’t currently have a vuln, you can send a short resume/background of your experience. If you’re good, you may be hired to look for vulnerabilities, and the same process/payment terms above will apply once something valid is found.

If anyone is interested, send me a dm, and please no bs!

u/Ok-Philosopher-2559 — 5 days ago
▲ 2 r/BugBountyNoobs+1 crossposts

About bug bounty programmes

So I hunt authorization bugs where the application contains more complex role permissions, like Jira, project management, and collaboration tools. Is there any programme like this where the competition is less and the bounty amount is good? Can anyone suggest a programme for my style of hunting, because I cannot find any? Could anyone please find a good programme? I am stuck choosing a programme, please help me.

u/Gayakwad01 — 6 days ago

How to learn bug bounty hunting from zero?

I am a computer science student. I just got done with the Google Cybersecurity Fundamentals certificate, and I have a somewhat vague idea about bug bounty hunting, but I want to know how to actually start studying and getting ready for actual bug bounties. I know what I should do, but I don't know how or where to find the resources for it. What I know is I should:

  1. Learn HTTP basics and HTML and JavaScript; I just need a refresher
  2. I don't know what Burp Suite is, but I need it
  3. Then go to the PortSwigger Labs and train
  4. VDPs to build confidence
  5. I am a visual and practical learner. I tried reading real-life bug bounty hunting, I felt lost, so I would need some help on what are some good resources that I can start from.

u/Mountain-Moment-6751 — 8 days ago
▲ 2 r/BugBountyNoobs+1 crossposts

Mini Bug Bounty - $5 for every valid functional bug found on https://8dfy.xyz extension only

Looking for issues related to:
• Extension not initializing
• YouTube playback conflicts
• Volume distortion / crackling
• Random disconnects
• Performance, lag, or memory issues
• Issues on YouTube Music

Report must include:
• Steps to reproduce
• Browser + OS
• Video/screenshot preferred

Rules:
• Duplicate reports don’t count
• First valid report gets rewarded
• Critical bugs may receive $10–$20
• Tx hash will be posted after payout

u/harshmittal1750 — 9 days ago

Need a route.

I'm going to start my journey, and I need a proper direction on where to start. There is so much stuff, and I'm just lost. I do use Linux as my daily driver and am a master's student in computer applications.

But let's ignore all that and start fresh.

Honestly, I'm not in a hurry to earn my first bounty or whatever, I'll just keep learning, and eventually, I'll earn.

So yeah, please guide me on where to start. Thank you.

u/tinytitan37 — 9 days ago

Is bug bounty worth it in the era of mythos/AI agents?

The other day, while I was talking with a security pro with 15+ years of expertise, they told me that web/app security isn't worth it if you aren't a top hunter, because these agents made it really hard to find bugs for newbies or mid-skilled hunters.

What is the global scenario? I want serious answers, please.

u/puzzlehead_sink — 12 days ago

How to learn bug bounty?

I have learnt the basics for bug bounty, like networking and web concepts. I want to get into actual bug bounty now. But there is too much information, like there are different types of vulns such as CSRF, SQLi, XSS, etc. Should I learn all of these before starting bug bounty?

How am I supposed to learn these, like what should I learn when learning a bug? I do some stuff like changing the IDs or username and get a result in PortSwigger. How can I understand what is happening behind it? Most people on YouTube understand when and where to do what stuff to get the intended results. How do you get that level of thinking?

u/Z3r0_DaY12 — 12 days ago
▲ 2 r/BugBountyNoobs+1 crossposts

Stuck in finding bugs

I have done PortSwigger labs and also solved some machines in HTB, so when I approach a bug bounty target I get stuck, staring at the screen for a long time, and am not able to do anything.

My question: I need to improve, so give me practical steps to get better.

u/hari_k- — 11 days ago

Any tips for bug bounty hunting?

So I'm a beginner. I want to start bug bounty. I've learned the concepts but I don't know the methodology. What kind of mindset do I need to develop? At first, what type of bugs do I need to look for? Please share a step-by-step approach with me. Thanks in advance.

u/r_k_c_9 — 14 days ago
▲ 1 r/BugBountyNoobs+1 crossposts

"I've been hitting a wall with Cloudflare's latest challenges on a private program. I managed to get through using some header tricks, but I'm curious—what’s everyone using nowadays for 403 bypasses? Are simple encodings still working for you guys or are you moving to origin-IP hunting?"

u/darius_parker — 14 days ago