How to Start Bug Bounty Hunting: A Practical, Step-by-Step Roadmap
To start bug bounty hunting, build core web security skills first, then join HackerOne or Bugcrowd, begin with beginner-friendly VDPs, and report vulnerabilities responsibly. Most hunters who follow a structured 6-12 month plan find their first valid bug within that window.
Key Takeaways
- Prerequisites matter: You don’t need a degree, but you do need solid HTTP, networking, and web app fundamentals before hunting on live programs.
- Start on practice platforms: Hack The Box, TryHackMe, and PortSwigger Web Security Academy are the best places to build skills before touching real targets.
- India is a top market: India ranks #2 on HackerOne by number of registered hackers, making it one of the most active bug bounty communities globally (HackerOne Hacker-Powered Security Report, 2024).
- Earnings scale with skill: Beginner hunters earn Rs 0-3 LPA part-time; full-time professionals reach Rs 5-20 LPA; elite hunters clear $100K-$500K+ annually.
- Your bug bounty roadmap should be sequential: Learn, practice, hunt, report, repeat. Skipping steps leads to duplicate reports and wasted time.
- Certifications accelerate credibility: Burp Suite Certified Practitioner, eWPT, and OSWE are the most respected credentials in this field.
What You Actually Need Before You Start Bug Bounty Hunting
Most beginners who want to start bug bounty hunting jump straight onto HackerOne, find a program, and then stare blankly at a login page wondering what to do next. That’s the wrong order. You need a foundation first, and it’s not as daunting as it sounds.
The core technical prerequisites are: a working understanding of how HTTP requests and responses work, basic knowledge of HTML, JavaScript, and how browsers render pages, familiarity with at least one scripting language (Python is fine), and hands-on comfort with Burp Suite Community Edition. That’s genuinely it for starters. You don’t need to know how to write exploits from scratch.
The Non-Technical Skills People Underestimate
Writing matters enormously in bug bounty hunting for beginners and experienced hunters alike. A well-documented report with clear reproduction steps, impact analysis, and a suggested fix gets triaged faster and paid more reliably than a vague “I found XSS on your site” submission. Programs like Google’s Vulnerability Reward Program explicitly state that report quality affects their response priority.
Patience is the other one. Reconnaissance takes hours. Triage takes days. Payment takes weeks. If you’re expecting fast money, bug bounty will disappoint you early. If you treat it like a craft you’re building over months, it pays off significantly.
Tools You’ll Use from Day One
Burp Suite is non-negotiable for anyone getting started in bug bounty. The Community Edition is free and covers most of what beginners need: intercepting proxy, repeater, intruder (with limitations), and decoder. The Professional Edition costs around $449/year and is worth it once you’re earning consistently. OWASP’s testing guide is your methodology bible, and it’s free.
Beyond Burp Suite, you’ll use tools like Amass and Subfinder for subdomain enumeration, ffuf or dirsearch for directory brute-forcing, Nuclei for automated vulnerability scanning against in-scope targets, and httpx for probing live hosts. These aren’t optional extras. They’re standard reconnaissance tools every serious hunter uses in web application security testing.
| Tool | Category | Cost | Best For |
|---|---|---|---|
| Burp Suite Pro | Web Proxy / Scanner | $449/year | Manual web app testing, intercepting traffic |
| Amass / Subfinder | Recon / Enumeration | Free | Subdomain discovery on large programs |
| Nuclei | Automated Scanning | Free | Template-based vulnerability detection |
| ffuf | Fuzzing | Free | Directory and parameter brute-forcing |
| httpx | Recon | Free | Probing live hosts at scale |
| Caido | Web Proxy | Free / Paid tiers | Burp alternative with modern UI |
Your Bug Bounty Roadmap: A Realistic 12-Month Plan
A bug bounty roadmap for beginners isn’t a list of topics to skim. It’s a sequenced skill-building plan where each phase prepares you for the next. Skipping phase one and going straight to live programs is the single most common mistake beginners make, and it shows in their zero-finding rate.
Phase 1: Months 1-3, Building Core Skills
Spend the first three months entirely on structured learning. PortSwigger Web Security Academy is the best free resource available, covering SQL injection, XSS, CSRF, SSRF, authentication flaws, business logic vulnerabilities, and more, all with interactive labs. Complete every lab in the apprentice and practitioner tiers. Don’t rush this.
Run TryHackMe or Hack The Box alongside PortSwigger for practical Linux and networking exposure. You need to be comfortable in a terminal, reading HTTP traffic, and modifying requests manually before you touch a real program. This phase is unsexy but it’s where your edge gets built.
Phase 2: Months 4-6, Private Labs and CTFs
Start participating in Capture The Flag competitions. PicoCTF, CTFtime.org, and HackTheBox Seasonal competitions are good starting points. CTFs teach you to think laterally and find non-obvious vulnerabilities, which is exactly the mindset live bug bounty hunting requires.
Set up a local lab using DVWA (Damn Vulnerable Web Application), Juice Shop (OWASP’s intentionally vulnerable Node.js app), and WebGoat. Practise every OWASP Top 10 vulnerability type in a safe environment. Document your findings in writing, exactly as you would a real bug report. This builds your reporting muscle before it counts.
Phase 3: Months 7-9, First Live Programs
Now you’re ready to start bug bounty hunting on real programs. Start with VDPs (Vulnerability Disclosure Programs) rather than paid bug bounty programs. VDPs don’t pay cash, but they also don’t penalise duplicate reports as harshly, and they’re excellent for building confidence and a track record.
On HackerOne and Bugcrowd, filter for programs marked “beginner friendly” or with wide scope and low competition. Smaller SaaS companies, open-source projects, and government VDPs (India’s CERT-In runs disclosure programs) are good starting targets. Avoid Google, Apple, and Meta until you have 20+ valid reports under your belt.
Reconnaissance is where you’ll spend most of your time. Map the full attack surface: subdomains, API endpoints, JavaScript files, mobile app traffic, third-party integrations. The bugs that pay well are usually found in corners that automated scanners miss. That means reading JavaScript source files manually, testing API endpoints that aren’t documented, and checking for misconfigurations in cloud storage buckets. Understanding the role of bug bounty in cybersecurity helps you approach programs with the right professional mindset.
Phase 4: Months 10-12, Specialise and Scale
By month ten, you should have a handful of valid reports and a clearer sense of where your skills are strongest. Specialisation is what separates consistent earners from occasional finders. Pick a vertical: API security testing, mobile application security, OAuth and authentication flaws, or cloud misconfigurations.
API testing is particularly lucrative right now. HackerOne’s 2024 Hacker-Powered Security Report noted that API-related vulnerabilities have increased year-on-year as companies expose more functionality through REST and GraphQL endpoints (HackerOne Hacker-Powered Security Report, 2024). Hunters who understand IDOR in APIs, broken object-level authorisation, and mass assignment flaws consistently find high-severity bugs that pay $1,000-$10,000 per report.
Platforms, Programs, and Payouts: What the Numbers Actually Look Like
HackerOne has paid out over $300 million in bounties to date (HackerOne Hacker-Powered Security Report, 2024). That’s a real market, not a side-hustle myth. The top 50 hackers on the platform each earn more than $100,000 annually, and the platform’s data shows that the top earner in 2023 cleared over $2.5 million in cumulative earnings.
Average payouts by severity vary significantly across platforms and programs. A critical vulnerability, think remote code execution or full account takeover, typically pays $3,000-$15,000 on mid-tier programs and $15,000-$100,000+ on programs like Google, Apple, or Microsoft. High-severity bugs like stored XSS with significant impact pay $500-$3,000. Low and informational findings often pay nothing or a nominal amount.
| Severity | CVSS Range | Typical Payout (HackerOne/Bugcrowd) | Examples |
|---|---|---|---|
| Critical | 9.0-10.0 | $3,000 – $100,000+ | RCE, SQLi with data exfil, Auth bypass |
| High | 7.0-8.9 | $1,000 – $5,000 | Stored XSS, IDOR, SSRF |
| Medium | 4.0-6.9 | $200 – $1,000 | Reflected XSS, CSRF, Open Redirect |
| Low | 0.1-3.9 | $0 – $200 | Information disclosure, minor misconfig |
India’s bug bounty community is one of the most active in the world. India ranks #2 on HackerOne by registered hackers (HackerOne Hacker-Powered Security Report, 2024), behind only the United States. Indian hunters have earned millions through platforms like HackerOne, Bugcrowd, and Intigriti. Programmes run by Indian enterprises including Flipkart, Paytm, and several fintech startups are growing rapidly, creating local opportunities alongside global ones. You can explore active bug bounty programs to find programs that match your current skill level.
Responsible Disclosure: The Line You Cannot Cross
Responsible disclosure isn’t just ethical, it’s legally essential. Testing outside the defined scope of a program, accessing data beyond what’s needed to prove a vulnerability, or publicly disclosing a bug before the company has patched it can expose you to legal liability under India’s IT Act and international equivalents.
Always read the program’s policy before testing. Respect scope limits. Report immediately when you find something significant. Never exploit a vulnerability beyond confirming it exists. These aren’t suggestions from a cautious lawyer; they’re the professional standards that keep the bug bounty community trusted and legally protected. If you’re coming from a non-technical background, our career switch guide from non-tech to tech covers the foundational steps before you enter security specifically.
Certifications, Career Outcomes, and Earnings in India
Bug bounty hunting as a career path is legitimate and growing. Indian cybersecurity professionals with bug bounty track records are getting hired into application security engineer roles, red team positions, and security consultant jobs at salaries ranging from Rs 8-25 LPA at the mid-level. The skill set transfers directly.
Certifications that carry real weight in this space include the Burp Suite Certified Practitioner (BSCP) from PortSwigger, which tests practical web application testing skills in a time-limited exam. eWPT (eLearnSecurity Web Application Penetration Tester) is respected for methodology-driven web testing. OSWE (Offensive Security Web Expert) is the hardest and most prestigious, focusing on advanced web application exploitation. CEH and OSCP are valuable for broader penetration testing roles and are frequently listed in Indian job descriptions. For a deeper look at how penetration testing and bug bounty overlap, the penetration testing complete guide covers the technical fundamentals in detail.
The career trajectory for anyone who wants to start bug bounty hunting looks like this: start part-time while studying or working, build a public HackerOne or Bugcrowd profile with valid reports, use that track record to apply for security roles or grow a freelance client base, then decide whether full-time hunting or a hybrid career suits you better. Neither path is wrong.
3.0 University’s bug bounty certification program is built around this exact progression, covering web application security, API testing, reconnaissance methodology, and report writing with hands-on labs. It’s designed for people who want structured, practical training rather than scattered YouTube tutorials.
Frequently Asked Questions
How to start bug bounty in India?
Start by completing PortSwigger Web Security Academy’s free labs, then install Burp Suite Community Edition. Register on HackerOne or Bugcrowd, filter for beginner-friendly programs, and begin with VDPs before paid programs. India ranks #2 on HackerOne, so the community support is strong. Expect your first valid bug within 6-9 months of consistent practice.
Can a beginner do bug bounty?
Yes, but not without preparation. Complete beginners who jump straight onto live programs almost always get discouraged by duplicate reports and zero payouts. Spend 3-6 months on structured labs first. Once you understand the OWASP Top 10 practically, not just theoretically, you’re ready to hunt on beginner-friendly programs and have a realistic chance of valid findings.
Which platform is best for bug bounty beginners?
HackerOne is the most beginner-friendly major platform. It has a large number of VDPs, a clear severity framework, and an active community forum. Bugcrowd is a strong second option with good program diversity. Intigriti is worth joining for European programs. Start with HackerOne’s public programs and filter by “beginner friendly” to reduce early frustration.
How much can you earn from bug bounty in India?
Part-time beginners typically earn Rs 0-3 LPA in their first year, often from low and medium severity bugs. Full-time hunters with 2-3 years of experience earn Rs 5-20 LPA. Elite Indian hunters competing on global programs have broken $50,000-$100,000+ annually. HackerOne’s 2024 report confirms top earners globally clear $500,000+ per year.
What is the difference between a VDP and a paid bug bounty program?
A Vulnerability Disclosure Program (VDP) accepts vulnerability reports but doesn’t pay cash rewards. A paid bug bounty program pays cash per valid finding based on severity. VDPs are ideal for beginners building their report history and confidence. Once you have 10-15 valid VDP submissions, move to paid programs where your skill level will be evident in your track record.
Do I need a degree to start bug bounty hunting?
No degree is required. Bug bounty programs pay for results, not credentials. What matters is your ability to find and document valid vulnerabilities. Many of India’s top earners on HackerOne are self-taught. Certifications like BSCP and OSWE help with employer credibility, but for platform hunting, your report history is your resume.
How long does it take to get started in bug bounty hunting?
Most people who follow a structured learning plan are ready to hunt on beginner-friendly VDPs within 3-6 months. Finding your first valid paid bug typically takes 6-12 months of consistent effort. The timeline shortens significantly if you use structured resources like PortSwigger Web Security Academy and practise daily rather than sporadically.
Your Next Steps
If you’ve read this far, you already know more about how to start bug bounty hunting than most people who claim to be interested in it. The difference between knowing and doing is a specific first action.
This week: create a free PortSwigger account and complete the first five SQL injection labs. Download Burp Suite Community Edition. Register on HackerOne. That’s it. Three concrete steps that take under two hours and put you ahead of 80% of people who say they want to start bug bounty hunting someday.
Next month: finish the OWASP Top 10 labs on PortSwigger, join one VDP program, and submit your first report, even if it’s low severity. The habit of reporting matters more than the payout at this stage.
When you’re ready for structured, hands-on training, explore 3.0 University’s bug bounty certification courses. The curriculum covers everything from web application security fundamentals through advanced API testing and real-world program strategy, with labs designed around actual program environments. It’s the fastest way to compress that 12-month roadmap into something more focused and career-ready.
Last updated: July 2026. Reviewed by the 3University editorial team.


