New to hacking or want to sharpen your skills? We’ve created this leveling-up guide to help you grow as a hacker and be on your way to earning your first bounties.
Steps
Go to Hacker101.
Get started on the Newcomers Playlist if you’re new to hacking or want a refresher on web hacking basics.
Learn about and set up Burp Suite through the Burp Suite playlist.
Watch the Hacker101 videos to build a broad understanding of the different areas of hacking.
Note: Depending on how you learn, there are two approaches you can take to watching the Hacker101 videos:
Watch first, then implement right away. Get started on the Hacker101 Capture the Flag (CTF) (see step 6) while you learn from the videos. After watching each video lesson, you can apply the skill you learned from that lesson directly in the CTF.
Watch everything, then implement. Watch all of the videos first, then apply the skills you’ve learned in the CTF.
Start the Hacker101 CTF (Capture the Flag) game where you can hack and hunt for bugs in a safe environment. Learn how to get started with the Hacker101 CTF.
Once you have earned 26 points in the CTF, you’ll be marked as eligible to receive invitations to private programs.
Join the Hacker101 HackerOne Discord group to ask questions, connect, and learn from other hackers.
Finish the Hacker101 CTF. Even if you’ve already received an invitation to a private bug bounty program, we recommend going through all of the CTF curriculum to ensure you learn all of the concepts, so that you can better succeed at hacking.
Look for public programs in the Directory that you’re interested in hacking on. For starters, we suggest IBM, GM, DoD, and Verizon Media.
Start hacking and apply all that you’ve learned from Hacker101.
Submit a report once you’ve found a vulnerability. Submitting valid reports is important for building up your Reputation, Signal, and Impact.
Here’s a guide on what constitutes a quality report.
You can look at Hacktivity and past reports to understand what security teams look for in a quality report.
Helpful tips: Keep in mind that there are a lot of differences between hacking in the CTF and hacking in an actual bug bounty program. We understand that the scope is much larger when hacking in a live program and that it’s hard to figure out where to start or what to look at, but we encourage you to just keep practicing. Here are some recommended reads and resources that may help on your hacking journey:
Web Hacking 101 by Peter Yaworski
The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto
The Hacker Playbook 2: Practical Guide To Penetration Testing by Peter Kim
Hacking: The Art of Exploitation by Jon Erickson
The Basics of Hacking and Penetration Testing by Patrick Engebretson
RTFM: Red Team Field Manual by Ben Clark
Frans Rosen provides some insight as to how to win over security teams and gain influence as a hacker on https://hackerone.com/fransvisitsvegas.
Once you’ve submitted your first report, the security analyst will review, assess, and validate it. They will typically respond with questions and comments. As security teams handle many reports, it may take a little while for them to respond to your report. We recommend giving teams at least a week before asking for updates. While you’re waiting to hear back, we encourage you to keep on hacking and to check out other programs.
Happy hacking!