CHAPTER FOUR
My Bug Bounty Hunting Methodology
Every bug starts with a question: ‘What if?’

INTRODUCTION
I’m a very meticulous person — I love when things are just right. But for a while now, I’ve been asking myself: is there really such a thing as the perfect bug bounty hunting methodology? I mean, have you ever wondered the same?
Hey there, welcome back! I’m so glad you’re here again, especially if you read the last chapter. Your support means a lot to me. In this chapter, I’ll be sharing my personal bug bounty hunting methodology — the way I stay organized and get things done. Whether you’re just starting out or want to improve your skills, I hope you’ll find something helpful here. Let’s get into it!
RECONNAISSANCE AND INFORMATION GATHERING
When I start a bug bounty hunt, I always begin with passive information gathering. This just means I try to find out what information is already out there about the target. I don’t go in without knowing anything. I like to check websites like Crunchbase, W3Techs, and MXToolbox to get an idea of what the website is about and see what info is out there.
Next, I move on to subdomain enumeration. I usually use Subfinder because it gets the job done for me.
PS: I’ve added a few extra API keys to help pull as many subdomains as possible. It’s a simple trick, but it works!
I don’t go overboard with dorking. While doing it manually is fine, I recently found a tool that automates the process. It saves me time and effort, but Google often blocks my IP address after a while due to too many requests.
During recon, I focus on finding sensitive information. I try not to get carried away with things that don’t lead anywhere by sticking to what’s useful. If something doesn’t look interesting to me, I move on.
Recon is really important in bug bounty hunting, but it’s about finding a balance. I try not to overdo it and keep things simple. For me, recon is all about finding sensitive information.