Bug Bounty Phase 0 - Practice and Research

Practice makes perfect, as they say. In this short blog, we discuss the resources and continual learning to help stay relevant in bug bounty hunting and penetration testing.

Bug Bounty Phase 0 - Practice and Research
Photo by Brett Jordan / Unsplash

Before you dive into Bug Bounty hunting or even when you're experienced, you should always practice your skills and keep learning new tools and tricks. If you don't you will get rusty at the types of issue you don't exploit much and so, you may fall into the trap of missing vulnerabilities.

The infosec community has a vast range of resources out there to help you and due to this, it can be very overwhelming to know where to begin. The below details our top tips, practice labs, virtual machines, tools and more to stay up-to-date:

Practice Labs

Labs are a great place to begin learning new skills and retraining old skills. Take a look below at our top resources for practicing in different technical areas:

"Give me six hours to chop down a tree, and I will spend the first four sharpening the axe"


Web Applications




Mobile (iOS/Android)

Bug Reports:

Without a doubt, one of the greatest resources for finding inspiration, staying relevant, up-to-date and learning new exploitation methods is to read bug reports from the various public program disclosures.  

"To know is to be sure and free of doubt. To be sure is to be clear about what you know and don't know. Knowledge, truly is power"

Cyber Security and Bug Bounty Blogs

Similar to bug reports, you may consider keeping an eye on various well established cyber security blogs. Here are some examples:

"Knowledge is power. Sharing knowledge is the key to unlocking that power"

Regularly Updated

Not-so Regularly Updated

Reddit is also useful for new information:

Resource Searching

As well as creating your own resources that work for you, it's a great idea to be constantly reviewing community tools, wordlists, google dorks, plugins, extensions and so fourth. If you find something new and think it could work for you, add it into your workflow. This is the best way to keep building a bug bounty pipeline that is successful. Here are some ideas of what to look out for on places like Twitter, GitHub, Reddit, Blogs, YouTube and more:

  • New vulnerabilities and exploit code
  • New Tools, Scripts and Templates (Nuclei)
  • Burp Suite Extensions
  • Browser Extensions
  • Unique Wordlists
  • Google Dorks

Cheat Sheets

Finally, cheat sheets are a good resource for quickly remembering how things work or as a reminder for techniques you may forgotten to try . Here are some examples:

See the next part of our Bug Bounty Phase blogs:

Bug Bounty Phase 1 - Platforms
You may wonder where to begin when searching for bug bounty programs. This short blog aims to help you narrow down your search for the best platforms and programs to get you finding those elusive bugs.