How to Start Bug Bounties (2021)

Posted3 months agoActive3 months ago

redbell

9 points

7 comments

ozguralp.medium.comTechstory

supportivepositive

Debate

20/100

Bug BountyCybersecurityVulnerability Disclosure

Key topics

Bug Bounty

Cybersecurity

Vulnerability Disclosure

The post provides a guide on how to start participating in bug bounty programs, and the discussion revolves around the legitimacy and potential earnings of such programs.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

Peak period

1-2h

Avg / period

3.5

Key moments

01Story posted
Oct 8, 2025 at 10:25 AM EDT
3 months ago
Step 01
02First comment
Oct 8, 2025 at 11:25 AM EDT
1h after posting
Step 02
03Peak activity
6 comments in 1-2h
Hottest window of the conversation
Step 03
04Latest activity
Oct 8, 2025 at 1:57 PM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (7 comments)

Showing 7 comments

elicash

3 months ago

2 replies

One thing I see mentioned on reddit is that there's a lot of AI junk recently in bug bounty reports, and that AIs currently seem to have trouble distinguishing between "this is a bug" and "this is an actual vulnerability."

whatamidoingyo

3 months ago

1 reply

I have recently started bug hunting again, and asking ChatGPT questions is really frustrating (e.g. "nmap port scan less aggressive?" -> "Sorry, I can't help you with that.") Right to Google.

It also feeds into things. I'll feel like I'm so close to a discovery, and ask ChatGPT if I found sensitive data, or a vulnerability, and it always says "yes", but 90% of the time, it's not. I end up Googling away to find out what I really have.

I would never use ChatGPT for a report, or trust it with this sort of thing. You could probably ask it if editing HTML with dev tools is a security vulnerability, and it will probably say "Yes, you should immediately report that. Would you like me to draft the report for you?"

It's good for writing some short scripts, though. Just don't let it know it's for a "bug bounty". Can't believe people are just blindly trusting it.

elevation

3 months ago

1 reply

You need an LLM trained specifically for pentesting support. TFA links to a site advertising Burp AI [0]. Looks useful for bug bounties but data policies can prevent pentesters from using it in their engagements.

[0]: https://portswigger.net/burp/ai

whatamidoingyo

3 months ago

Honestly, I didn't even think to look. I'm so far behind in the LLM space. I also tend to ignore any AI a company is offering, but perhaps Burp AI is good.

> data policies can prevent pentesters from using it in their engagements.

I recently watched a Jason Haddix talk[0] where he mentioned that companies like Cloudflare are watching what pentesters do, so that they can better train their AI against such attacks.

[0]: https://www.youtube.com/watch?v=6SNy0u6pYOc

redbellAuthor

3 months ago

1 reply

> there's a lot of AI junk recently in bug bounty reports

See: https://news.ycombinator.com/item?id=45330378

danielfalbo

3 months ago

Another example: https://github.com/obsidianmd/obsidian-importer/issues/421#i...

dlcarrier

3 months ago

Step 1: Hire a bug bounty service