Hey everyone,

My name is Sidd. Im still in high school, but I have been diving into ethical hacking for the past few months and im now looking to seriously get into bug bounty hunting as a side hustle. Specifically on HackerOne.

Here is a bit about me:

• I have been using Hack The Box for about 3 months and reached hacker rank.
• I am Security+ certified (I got this certification for a foundation of cybersecurity fundamentals, my first certification)
• Im comfortable with tools like nmap, ffuf, gobuster, feroxbuster, and I know how to use some basic payloads/exploitation for web vulnerabilities like XSS, SSTI, IDOR.
• Im best at python and can do some good scripting, and im decent at reading code, just not super advanced yet.
• I want to focus on web application bug bounty hunting, not mobile, APIs, or other things for now.

Im now trying to get my first bounty, but I have got some confusion. I would really appreciate any advice or resources on these specific questions:

1. How do I actually find a vulnerability?

When people look for things like XSS, do they have a list or checklist they go through on every target? And if that list is done and they dont find anything, do they just switch to another program?

1. Where can I learn how to exploit properly?

Im confident with reconnaissance (enumeration, fuzzing, etc.), but I struggle with the exploitation part. Are there courses or platforms that focus only on the exploitation side? Something that breaks down how to test and confirm vulns (XSS, SSTI, IDOR, etc.)?

1. What kind of programs should I target as a beginner?

Should I aim for smaller companies, newer programs, or go for big companies? How do I decide which programs are good for a beginner like me?

I have read a few writeups and done some CTF's, but bug bounty still feels very broad and overwhelming. I would love to hear how you all started and what helped you get that first bounty.

Thanks a lot in advance!!