This is a resource collection for anyone who wants to start bug hunting and ethical hacking and needs guidance as a beginner.
Hi! I'm Ashutosh Chandra Shah. I am currently working as a Security Engineer. I am creating this repository for everyone to contribute to, so that we can guide young and enthusiastic minds starting their career in bug bounties. More content will be added regularly. Keep following. So let's get started!
NOTE: The bug bounty landscape has changed over the last few years. Issues that were easy to find a year ago are not easy to find now. Automation is used rigorously, and most of the "low hanging fruits" end up marked as duplicates if you are out of luck. If you want to start doing bug bounty, you will have to be determined, consistent and focused, as the competition is very high.
What is a bug?
- A security bug or vulnerability is "a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability" (the CVE program's definition).
What is Bug Bounty?
A bug bounty, or bug bounty program, is a reward program for finding and reporting a bug in a particular software product. Many IT companies offer bug bounties to drive product improvement and get more interaction with end users or clients. Companies that operate bug bounty programs may receive hundreds of reports, including security bugs and security vulnerabilities, and many of the people who report them receive awards.
What is the Reward?
Rewards vary with the severity of the issue and the cost to fix it. They range from real money (most prevalent) to premium subscriptions (Prime/Netflix), discount coupons (for e-commerce or shopping sites), gift vouchers and swag (apparel, badges, customized stationery, etc.). Money may range from $50 to $50,000 and even more.
What to learn?
Technical
https://www.comptia.org/training/by-certification/a
https://www.youtube.com/watch?v=tIfRDPekybU
https://www.tutorialspoint.com/computer_fundamentals/index.htm
https://onlinecourses.swayam2.ac.in/cec19_cs06/preview
https://www.udemy.com/course/complete-computer-basics-course/
https://www.coursera.org/courses?query=computer%20fundamentals
https://www.youtube.com/watch?v=0AcpUwnc12E&list=PLkW9FMxqUvyZaSQNQslneeODER3bJCb2K
https://www.youtube.com/watch?v=qiQR5rTSshw
https://www.youtube.com/watch?v=L3ZzkOTDins
https://www.udacity.com/course/computer-networking--ud436
https://www.coursera.org/professional-certificates/google-it-support
https://www.udemy.com/course/introduction-to-computer-networks/
NetworkChuck: https://www.youtube.com/c/NetworkChuck
https://www.youtube.com/watch?v=z2r-p7xc7c4
https://www.youtube.com/watch?v=_tCY-c-sPZc
https://www.coursera.org/learn/os-power-user
https://www.udacity.com/course/introduction-to-operating-systems--ud923
https://www.udemy.com/course/linux-command-line-volume1/
https://www.youtube.com/watch?v=v_1zB2WNN14
Windows:
https://www.youtube.com/watch?v=TBBbQKp9cKw&list=PLRu7mEBdW7fDTarQ0F2k2tpwCJg_hKhJQ
https://www.youtube.com/watch?v=fid6nfvCz1I&list=PLRu7mEBdW7fDlf80vMmEJ4Vw9uf2Gbyc_
https://www.youtube.com/watch?v=UVUd9_k9C6A
https://www.youtube.com/watch?v=GtovwKDemnI
https://www.youtube.com/watch?v=2PGnYjbYuUo
https://www.youtube.com/watch?v=e7BufAVwDiM&t=418s
https://www.youtube.com/watch?v=bYRfRGbqDIw&list=PLkPmSWtWNIyTQ1NX6MarpjHPkLUs3u1wG&index=4
C
https://www.youtube.com/watch?v=irqbmMNs2Bo
https://www.youtube.com/watch?v=ZSPZob_1TOk
https://www.programiz.com/c-programming
Python
https://www.youtube.com/watch?v=ZLga4doUdjY&t=30352s
https://www.youtube.com/watch?v=gfDE2a7MKjA
https://www.youtube.com/watch?v=eTyI-M50Hu4
JavaScript
https://www.youtube.com/watch?v=-lCF2t6iuUc
https://www.youtube.com/watch?v=hKB-YGF14SY&t=1486s
https://www.youtube.com/watch?v=jS4aFq5-91M
PHP
https://www.youtube.com/watch?v=1SnPKhCdlsU
https://www.youtube.com/watch?v=OK_JCtrrv-c
https://www.youtube.com/watch?v=T8SEGXzdbYg&t=1329s
Web Application Hacker's Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
Real World Bug Hunting: https://www.amazon.in/Real-World-Bug-Hunting-Field-Hacking-ebook/dp/B072SQZ2LG
Bug Bounty Hunting Essentials: https://www.amazon.in/Bug-Bounty-Hunting-Essentials-Quick-paced-ebook/dp/B079RM344H
Bug Bounty Bootcamp: https://www.amazon.in/Bug-Bounty-Bootcamp-Reporting-Vulnerabilities-ebook/dp/B08YK368Y3
Hands on Bug Hunting: https://www.amazon.in/Hands-Bug-Hunting-Penetration-Testers-ebook/dp/B07DTF2VL6
Hacker's Playbook 3: https://www.amazon.in/Hacker-Playbook-Practical-Penetration-Testing/dp/1980901759
OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
Web Hacking 101: https://www.pdfdrive.com/web-hacking-101-e26570613.html
OWASP Mobile Testing Guide :https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
Medium: https://medium.com/analytics-vidhya/a-beginners-guide-to-cyber-security-3d0f7891c93a
Infosec Writeups: https://infosecwriteups.com/?gi=3149891cc73d
Hackerone Hacktivity: https://hackerone.com/hacktivity
Google VRP Writeups: https://github.com/xdavidhu/awesome-google-vrp-writeups
Hacking Articles: https://www.hackingarticles.in/
Vickie Li Blogs: https://vickieli.dev/
Bugcrowd Blogs: https://www.bugcrowd.com/blog/
Intigriti Blogs: https://blog.intigriti.com/
Portswigger Blogs: https://portswigger.net/blog
Forums
Reddit: https://www.reddit.com/r/websecurity/
Reddit: https://www.reddit.com/r/netsec/
Bugcrowd Discord: https://discord.com/invite/TWr3Brs
Official Websites
OWASP: https://owasp.org/
PortSwigger: https://portswigger.net/
Cloudflare: https://www.cloudflare.com/
YouTube Channels
English
zSecurity: https://www.youtube.com/c/zSecurity
Insider PHD: https://www.youtube.com/c/InsiderPhD
Stok: https://www.youtube.com/c/STOKfredrik
Bug Bounty Reports Explained: https://www.youtube.com/c/BugBountyReportsExplained
Vickie Li: https://www.youtube.com/c/VickieLiDev
Hacking Simplified: https://www.youtube.com/c/HackingSimplifiedAS
Pwn function: https://www.youtube.com/c/PwnFunction
Farah Hawa: https://www.youtube.com/c/FarahHawa
XSSRat: https://www.youtube.com/c/TheXSSrat
Zwink: https://www.youtube.com/channel/UCDl4jpAVAezUdzsDBDDTGsQ
Live Overflow: https://www.youtube.com/c/LiveOverflow
Loi Liang Yang: https://www.youtube.com/c/LoiLiangYang
David Bombal: https://www.youtube.com/c/DavidBombal
Domain of Science : https://www.youtube.com/c/DomainofScience/videos
Hindi
Spin The Hack: https://www.youtube.com/c/SpinTheHack
Pratik Dabhi: https://www.youtube.com/c/impratikdabhi
Bitten Tech: https://www.youtube.com/c/BittenTech
THE BBH: https://www.youtube.com/c/THEBBH
Join Twitter Today!
World class security researchers and bug bounty hunters are on Twitter. Where are you? Join Twitter now and get daily updates on new issues, vulnerabilities, zero days, exploits, and join people sharing their methodologies, resources, notes and experiences in the cyber security world!
- Ben Sadeghipour: https://twitter.com/NahamSec
- TomNomNom: https://twitter.com/TomNomNom
- shubs: https://twitter.com/infosec_au
- Emad Shanab: https://twitter.com/Alra3ees
- payloadartist: https://twitter.com/payloadartist
- ʀᴇᴍᴏɴ: https://twitter.com/remonsec
- Aditya Shende: https://twitter.com/ADITYASHENDE17
- Hussein Daher: https://twitter.com/HusseiN98D
- The XSS Rat: https://twitter.com/theXSSrat
- zseano: https://twitter.com/zseano
- Corben Leo: https://twitter.com/hacker_
- Vickie Li: https://twitter.com/vickieli7
- GodFather Orwa: https://twitter.com/GodfatherOrwa
- Ashish Kunwar: https://twitter.com/D0rkerDevil
- Farah Hawaa: https://twitter.com/Farah_Hawaa
- Jason Haddix: https://twitter.com/Jhaddix
- @brutelogic: https://twitter.com/brutelogic
- gregxsunday: https://twitter.com/gregxsunday
We highly appreciate every researcher and bug hunter contributing their time and support to the community.
PRACTICE! PRACTICE! and PRACTICE!
Hacker 101: https://www.hackerone.com/hackers/hacker101
PicoCTF: https://picoctf.org/
TryHackMe: https://tryhackme.com/ (premium/free)
HackTheBox: https://www.hackthebox.com/ (premium)
VulnHub: https://www.vulnhub.com/
HackThisSite: https://hackthissite.org/
CTFChallenge: https://ctfchallenge.co.uk/
Attack-Defense: https://attackdefense.com/
Alert to win: https://alf.nu/alert1
Bancocn: https://bancocn.com/
CTF Komodo Security: https://ctf.komodosec.com/
CryptoHack: https://cryptohack.org/
CMD Challenge: https://cmdchallenge.com/
Exploitation Education: https://exploit.education/
Google CTF: https://lnkd.in/e46drbz8
Hackthis : https://www.hackthis.co.uk/
Hacksplaining : https://lnkd.in/eAB5CSTA
Hacker Security : https://lnkd.in/ex7R-C-e
Hacking-Lab : https://hacking-lab.com/
HSTRIKE : https://hstrike.com/
ImmersiveLabs : https://immersivelabs.com/
NewbieContest : https://lnkd.in/ewBk6fU5
OverTheWire : http://overthewire.org/
Practical Pentest Labs : https://lnkd.in/esq9Yuv5
PentesterLab: https://pentesterlab.com/ (premium)
Hackaflag BR : https://hackaflag.com.br/
Penetration Testing Practice Labs : https://lnkd.in/e6wVANYd
PWNABLE : https://lnkd.in/eMEwBJzn
Root-Me : https://www.root-me.org/
Root in Jail : http://rootinjail.com/
SANS Challenger : https://lnkd.in/e5TAMawK
SmashTheStack : https://lnkd.in/eVn9rP9p
The Cryptopals Crypto Challenges : https://cryptopals.com/
W3Challs : https://w3challs.com/
WeChall : http://www.wechall.net/
Zenk-Security : https://lnkd.in/ewJ5rNx2
Cyberdefenders : https://lnkd.in/dVcmjEw8
LetsDefend : https://letsdefend.io/
Vulnmachines : https://vulnmachines.com/
Rangeforce : https://www.rangeforce.com/
Ctftime : https://ctftime.org/
Pwn college : https://dojo.pwn.college/
Free Money CTF: https://bugbase.in/
Online Labs
PortSwigger Web Security Academy: https://portswigger.net/web-security
OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
XSSGame: https://xss-game.appspot.com/
BugBountyHunter: https://www.bugbountyhunter.com/ (premium)
W3Challs : https://w3challs.com/
Offline Labs
DVWA: https://dvwa.co.uk/
bWAPP: http://www.itsecgames.com/
Metasploitable2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Bug Bounty Platforms
Crowdsourcing
hackenproof: https://hackenproof.com/
Bugcrowd: https://www.bugcrowd.com/
Hackerone: https://www.hackerone.com/
Intigriti: https://www.intigriti.com/
YesWeHack: https://www.yeswehack.com/
OpenBugBounty: https://www.openbugbounty.org/
Bugbounty japan: https://bugbounty.jp/
SafeHats: https://safehats.com/
Individual Programs
Meta: https://www.facebook.com/whitehat
Google: https://about.google/appsecurity/
Chaos by ProjectDiscovery (an index of public bug bounty programs with their subdomain/DNS data, useful for choosing and reconning a target): https://chaos.projectdiscovery.io/#/
Seytonic: https://www.youtube.com/c/Seytonic
Grant Collins: https://www.youtube.com/channel/UCTLUi3oc1-a7dS-2-YgEKmA/videos
Joe Grand: https://www.youtube.com/c/JoeGrand
Jeff Geerling: https://www.youtube.com/c/JeffGeerling
Computerphile: https://www.youtube.com/user/Computerphile/videos
Lennert Wouters: https://twitter.com/LennertWo
Title
The first impression is the last impression: the security engineer triaging your report reads the title first and should be able to identify the issue from it alone. State in one line what functionality you were able to abuse or what protection you bypassed, and include the impact of the issue if possible.
Description
This component provides the details of the vulnerability. Explain it here and write about the paths, endpoints and error messages you encountered while testing. Attach the relevant HTTP requests and, where you have it, the vulnerable source code.
Steps to Reproduce
Write the step-by-step process to recreate the bug. The asset owner must be able to verify what you found and understand the scenario, so write each step clearly and in order; that helps the security engineers triage fast.
Proof of Concept
This component is the visual record of the whole work: record a demonstration video or attach screenshots.
Impact
Write about the real-life impact: what an attacker gains after successfully exploiting the vulnerability, and what damage could be done. Avoid theoretical impact, and align the impact with the business objectives of the organization.
Sample Report
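A report skeleton laid out along the sections above, added here as a template (it is not from the original page or from any real program). Every bracketed item is a placeholder for your own finding, and the request and response lines only show the shape of what to paste in; they are not captured traffic:

```markdown
Title: [Vulnerability class] in [feature or endpoint] on [host] allows [what the attacker gains]

## Description
[Where the issue lives: host, path, parameter, HTTP method.]
[What you observed: unexpected response, error message, missing or bypassed check.]

Request that triggers the issue (paste the real one from your proxy):

    POST /[path] HTTP/1.1
    Host: [host]
    Cookie: session=[your own test account's session]

    [parameter]=[value that triggers the issue]

Response excerpt (only the lines that prove the behaviour):

    HTTP/1.1 200 OK
    [...]

## Steps to Reproduce
1. Log in as [test account A you created] and note [the identifier you control].
2. Send the request above with [the exact modification].
3. Observe that [the result that should not be possible].

## Proof of Concept
[Screenshot or short video of step 3. Use only your own test accounts and data.]

## Impact
[Who is affected, which data or function is exposed, and what an attacker can do in practice.
One concrete scenario, not a list of theoretical ones.]

## Remediation (optional)
[One or two sentences on the fix you would expect, e.g. which check is missing.]
```

Keep the title to one line and the steps numbered; a triager should be able to reproduce the issue from the steps alone without reading the description.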
Browser Add-ons
- KNOXSS for Cross-Site Scripting:
KNOXSS is a popular tool developed by the Brazilian security researcher @Brutelogic. It aims to find cross-site scripting vulnerabilities while you browse a website. If you are new to cross-site scripting attacks, we suggest you read about XSS first. The tool has two versions; the Community Edition is free to use.
Link: https://addons.mozilla.org/en-US/firefox/addon/knoxss-community-edition
- Wappalyzer :
Wappalyzer is a technology profiler that identifies the CMS, JavaScript libraries, frameworks and other technologies a website uses, along with their versions. That lets you focus the recon process on a specific technology or framework (and look up known issues for the detected version). An alternative to this add-on is BuiltWith Technology Lookup.
Link - https://addons.mozilla.org/en-US/firefox/addon/wappalyzer
- Hackbar Add-on
Security researchers find the Hackbar tool extremely beneficial. When testing a web application or web server we frequently alter parameters in the address bar and repeatedly refresh pages; the Hackbar add-on reduces the time this takes. It ships with payloads for XSS attacks, SQL injection, WAF bypass, LFI, etc.
Link: https://addons.mozilla.org/en-US/firefox/addon/maxs-hackbar
Link: https://addons.mozilla.org/en-US/firefox/addon/hackbartool
- FoxyProxy
FoxyProxy is a Firefox add-on that switches the browser between one or more proxy servers. Put simply, it replaces manually editing the Connection Settings in Firefox, which is very useful during pen testing: you can turn the proxy (for example, Burp Suite's intercepting listener) on or off with a single click, and its blacklist/whitelist patterns let you send only specific domains through the proxy.
Link: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
- DotGit An extension that checks whether .git is exposed on the websites you visit. It also checks for exposed environment files (.env), security.txt and more while you browse. This helps in finding information disclosure vulnerabilities: an exposed .env or .git directory can have serious security impact, since it may reveal source code and credentials.
Link: https://addons.mozilla.org/en-US/firefox/addon/dotgit
- User-Agent Switcher A user-agent switcher modifies your browser's user agent. When communicating with a web server, your browser sends a text string in the "User-Agent" HTTP header that describes the user's operating system, browser, rendering engine and other components, and the server may tailor its response to that value.
During penetration testing we can load the same application as different clients, such as a mobile phone, a PC or a tablet, and compare the behaviour. This is handy for developers too, for testing the responsiveness of a website.
Link: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher
- ModHeader ModHeader helps in modifying HTTP request and response headers easily in the browser. With it we can test for issues like authorization bypass, cookie modification, session data manipulation, Referer bypass, etc. Once set, a header is sent to every website you visit, so remove it when you finish testing.
Link: https://addons.mozilla.org/en-US/firefox/addon/modheader-firefox/
- Beautifier & Minify You can easily beautify (or minify) CSS, HTML and JavaScript code with this add-on. During penetration testing we often land on large chunks of minified JavaScript that are difficult to read and follow. This add-on reformats such code into a readable form so that we can look for flaws (hard-coded endpoints, keys, client-side checks) in the source.
Link: https://addons.mozilla.org/en-US/firefox/addon/beautifer-minify/
- Retire.js With Retire.js we can find vulnerable JavaScript libraries. It reports known vulnerabilities in JS libraries, including CVEs affecting JS products, based on the library versions detected on the page.
Link: https://addons.mozilla.org/en-US/firefox/addon/retire-js/
- Email Extractor An automated email extraction tool that saves the email addresses found on the web pages we visit. The main goal of this add-on is to collect possibly exposed email addresses from source code, which can aid in social engineering attacks, credential stuffing attacks, etc.
Link: https://addons.mozilla.org/en-US/firefox/addon/mailshunt-email-extractor/
- TruffleHog Chrome Extension The TruffleHog browser plugin scans visited websites for API keys and credentials and notifies you if any are found. This is helpful for conducting pentests and code reviews since it reveals keys that would otherwise be overlooked or need manual searching.
Link: https://chrome.google.com/webstore/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc
- Fake Filler This extension’s goal is to make it easier and faster for developers and testers to test fill-up forms. It helps in filling all form inputs (textboxes, text areas, radio buttons, drop downs, etc.) with fake and randomly generated data.
Link: https://addons.mozilla.org/en-US/firefox/addon/fake-filler/
- Click-jacking This add-on helps in finding clickjacking vulnerabilities by looking for the absence of the X-Frame-Options header on a website. Note that a site can also prevent framing with a Content-Security-Policy frame-ancestors directive, so confirm manually (e.g. by loading the page in an iframe on your own test page) before reporting.
Link: https://addons.mozilla.org/en-US/firefox/addon/click-jacking/
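The check the add-on automates, written out in full as an added example (this is not the add-on's code or anything from the original page): it takes a response's headers and decides whether the page can be framed, honouring both X-Frame-Options and the CSP frame-ancestors directive, which the header-absence check alone misses. The sample responses are constructed for the example and not captured from any real site.

```python
# Added example, not part of the original page or of the Click-jacking add-on:
# decide from a response's headers whether the page can be framed.
# A page is protected if it sends X-Frame-Options DENY/SAMEORIGIN *or* a
# Content-Security-Policy with a restrictive frame-ancestors directive, so an
# absent X-Frame-Options header alone is not proof of clickjacking.
from typing import Dict, Tuple


def parse_csp(value: str) -> Dict[str, str]:
    """Split a CSP header value into {directive-name: source-list}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, sources = part.partition(" ")
            directives[name.lower()] = sources.strip()
    return directives


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason). Header names are matched case-insensitively.
    Content-Security-Policy-Report-Only is deliberately ignored: it reports, it does not block."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        fa = parse_csp(csp).get("frame-ancestors")
        if fa is not None:
            sources = fa.split()
            # 'none' (or an empty source list, which CSP3 treats as 'none') blocks all framing
            if not sources or sources == ["'none'"]:
                return True, "CSP frame-ancestors 'none'"
            if "*" in sources or "http:" in sources or "https:" in sources:
                return False, "CSP frame-ancestors too permissive: " + fa
            # when frame-ancestors is present, browsers ignore X-Frame-Options entirely
            return True, "CSP frame-ancestors restricted to: " + fa

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is not supported by current browsers"
    return False, "X-Frame-Options has an invalid value: " + xfo


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_headers": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_lowercase": {"x-frame-options": "sameorigin"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "csp_overrides_bad_xfo": {"Content-Security-Policy": "frame-ancestors 'none'",
                              "X-Frame-Options": "ALLOW-FROM https://example.com"},
}


def classify_samples() -> Dict[str, bool]:
    """Map each sample name to whether it is protected against framing."""
    return {name: framing_protection(hdrs)[0] for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(hdrs)
        print(f"{name:24} {'PROTECTED' if protected else 'FRAMEABLE'}  {reason}")
```

A "FRAMEABLE" result is only a lead: the page must also do something worth clicking while the victim is logged in (a state-changing action) for clickjacking to have any impact, and many programs treat framing of static pages as informational.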
- Cookie Editor Cookie-Editor helps you manipulate the cookies of a website: you can modify, delete and add cookie values for different tests. Vulnerabilities like session theft, privilege escalation and session misconfiguration can be tested with this add-on.
Link: https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/
Recon Search Engines
- Shodan: search for devices connected to the internet. (https://www.shodan.io/)
- Wigle: database of wireless networks, with statistics. (https://www.wigle.net/)
- Grep App: search across half a million git repos. (https://grep.app/)
- BinaryEdge: scans the internet for threat intelligence. (https://www.binaryedge.io/)
- ONYPHE: cyber defense search engine that collects cyber-threat intelligence data. (https://www.onyphe.io/)
- GreyNoise: identifies IPs that mass-scan the internet (background noise) so you can filter them out; the GreyNoise Visualizer is at https://viz.greynoise.io/. (https://www.greynoise.io/)
- Censys: assess the attack surface of internet-connected devices. (https://search.censys.io/hosts/)
- Hunter: search for email addresses belonging to a website. (https://hunter.io/)
- FOFA: search for various threat intelligence. (https://fofa.info/)
- ZoomEye: gather information about targets. (https://github.com/topics/zoomeye)
- LeakIX: search publicly indexed information. (https://leakix.net/)
- IntelligenceX: search Tor, I2P, data leaks, domains, and emails. (https://intelx.io/)
- Netlas: search and monitor internet-connected assets. (https://netlas.io/)
- urlscan.io: free service to scan and analyse websites. (https://urlscan.io/)
- PublicWWW: source-code search engine (marketed for affiliate-marketing research). (https://publicwww.com/)
- FullHunt: search and discover attack surfaces. (https://fullhunt.io/search)
- crt.sh: search for certificates logged to Certificate Transparency. (https://crt.sh/)
- Vulners: search vulnerabilities in a large database. (https://vulners.com/search)
- Pulsedive: search for threat intelligence. (https://pulsedive.com/)
- Packet Storm Security: browse the latest vulnerabilities and exploits. (https://packetstormsecurity.com/)
- GrayHatWarfare: search public S3 buckets. (https://buckets.grayhatwarfare.com/)
- vigilante.pw: breached database directory.
- dnsdumpster.com: DNS recon & research.
- phonebook.cz: search for subdomains, email addresses, or URLs.
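Several of these engines return raw data you still have to clean before it is useful. As an added example (not from the original page or from crt.sh itself), here is how to turn crt.sh's JSON output into a de-duplicated list of subdomains: one certificate entry can carry several names separated by newlines, wildcard names, mixed case, and names from other domains on a shared certificate. The sample JSON is constructed to have that shape; it is not real CT data. `fetch_crtsh` uses crt.sh's `?q=%.domain&output=json` endpoint and needs network access; the parsing works offline.

```python
# Added example, not part of the original page: normalise crt.sh JSON into subdomains.
import json
import urllib.parse
import urllib.request
from typing import List, Set

# Constructed sample shaped like crt.sh's JSON output (not real CT log data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "name_value": "*.example.com\nAPI.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nmail.example.com\nother-tenant.example.net"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> List[str]:
    """Return the sorted, unique names in `crtsh_json` that belong to `domain`.

    - name_value holds one name per line (SAN entries), so split on newlines
    - wildcard names (*.example.com) are reduced to the base they cover
    - names are lower-cased and trailing dots removed before comparison
    - names outside the target domain (shared certificates) are dropped
    """
    domain = domain.lower().rstrip(".")
    found: Set[str] = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Fetch the raw JSON for %.domain from crt.sh (network access required)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "crtsh-subdomain-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        data = fetch_crtsh(target)
    else:
        target, data = "example.com", SAMPLE_CRTSH_JSON
    for sub in extract_subdomains(data, target):
        print(sub)
```

Certificate Transparency records every name that ever had a certificate issued, so the list includes hosts that no longer resolve and hosts outside the program's scope; resolve each name and check it against the scope page before you test anything.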
Some Great Cybersecurity & Hacking Documentaries Recommendations!
- We Are Legion – The Story Of The Hacktivists: https://lnkd.in/dEihGfAg
- 21st Century Hackers: https://lnkd.in/dvdnZkg5
- Hackers Wanted: https://lnkd.in/du-pMY2R
- Hackers in Wonderland: https://www.youtube.com/watch?v=fe8GsPCpE7E
- The Internet's Own Boy: The Story Of Aaron Swartz: https://lnkd.in/d3hQVxqp
- DEF CON: The Documentary: https://lnkd.in/dPE4jVVA
- Hackers Are People Too: https://www.youtube.com/watch?v=7jciIsuEZWM
- Secret History Of Hacking: https://lnkd.in/dnCWU-hp
- Risk (2016): https://lnkd.in/dMgWT-TN
- Zero Days (2016): https://lnkd.in/dq_gZA8z
- Guardians Of The New World (Hacking Documentary) | Real Stories: https://lnkd.in/dUPybtFd
- A Origem dos Hackers (Portuguese, "The Origin of Hackers"): https://lnkd.in/dUJgG-6J
- The Great Hack: https://lnkd.in/dp-MsrQJ
- The Networks Dilemma: https://lnkd.in/dB6rC2RD
- Web Warriors: https://lnkd.in/dip22djp
- Cyber War - Dot of Documentary: https://lnkd.in/dhNTBbbx
- CyberWar Threat - Inside World's Deadliest Cyberattack: https://lnkd.in/drmzKJDu
- The Future of Cyberwarfare: https://lnkd.in/dE6_rD5x
- Dark Web Fighting Cybercrime Full Hacking: https://lnkd.in/dByEzTE9
- Cyber Defense: Military Training for Cyber Warfare: https://lnkd.in/dhA8c52h
- Hacker Hunter: WannaCry The History of Marcus Hutchins: https://lnkd.in/dnPcnvSv
- The Life Hacker Documentary: https://lnkd.in/djAqBhbw
- Hacker The Realm and Electron - Hacker Group: https://lnkd.in/dx_uyTuT
- Chasing Edward Snowden: https://www.youtube.com/watch?v=8YkLS95qDjI
- The Hacker Wars: https://www.youtube.com/watch?v=ku9edEKvGuY
- Hackers World: https://www.youtube.com/watch?v=1A3sQO_bQ_E
- In the Realm of the Hackers: https://www.youtube.com/watch?v=0UghlW1TsMA
- The Pirate Bay Away From Keyboard: https://www.youtube.com/watch?v=eTOKXCEwo_8
- Wannacry: The Marcus Hutchins Story: https://www.youtube.com/watch?v=vveLaA-z3-o
- THE INSIDE LIFE OF A HACKER: https://www.youtube.com/watch?v=CuESlhKLhCY
- High Tech Hackers Documentary: https://www.youtube.com/watch?v=l2fB_O5Q6ck
- Drones, hackers and mercenaries - The future of war: https://www.youtube.com/watch?v=MZ60UDys_ZE
Some additional Tips
Don't do bug bounty full time in the beginning (I would suggest not doing it full time at any point). There is no guarantee of finding bugs every other day and no stability, so always keep multiple sources of income, with bug bounty not being the primary one. Stay updated; learning should never stop. Join Twitter, follow good people, and keep the curiosity to learn something new every day. Read write-ups and blogs and keep expanding your knowledge.
Always see bug bounty as a medium to enhance your skills. Money will come only after you have the skills, so take money as motivation only. Don't depend on automation: you can't expect a tool to generate money for you, and automation is everywhere. The key to success in bug bounty is to be unique. Build your own methodology; learn from others and apply it on your own.
Always try to escalate the severity of the bug and keep a broader mindset: an RCE always has higher impact than an arbitrary file upload on its own. A vulnerability will not necessarily be rewarded according to the industry-defined standard impact. Asset owners rate the issue with a risk rating, often calculated as impact * likelihood (exploitability). For example, SQL injection has a Critical impact by default, but if the application is accessible only inside the organization's VPN and the database holds no user data/PII, the likelihood of exploitation is reduced, and so is the risk.
Stay connected to the community. Learn and contribute; there is always someone better than you at something. Don't miss an opportunity to network: join forums, go to conferences and hacking events, meet people, and learn from their experiences.
Always be helpful.
Ashutosh C. Shah