How to Start Bug Bounties 101 & How to Make a Million in 4 Years


I get a lot of questions and requests, especially from beginners to the field, so I wanted to write a blog post on how to start bug hunting and how to be successful at it.

First, I want to say that there is no single true way to become successful in any area, including this one. Every person has their own personality, characteristics, specialities and qualifications, so the criteria differ from one person to another. I am only telling my own story and the mental methodology that led me to earn $1 million over 4 years.


How (not) to start in the first place?


If you are someone who keeps asking other people how to become successful in bug bounties, or asking them to be your mentor, I can tell you that this is not the right way. Nobody has a simple formula for becoming successful in any area. So the first thing to do here is to stop asking people generic “how to” questions. Instead, do your homework, research the area and find your own way; this will really help you later in developing a bug hunting mindset.


When I was lecturing the “Cyber Security 101” class at Istanbul Bilgi University for 4 years, the first slide of my presentation for the first term was this one:

The original slide was in Turkish; it has been translated for the blog.

This concept can be expanded and adapted to any area. In terms of bug hunting:


  • “Learning how to use Google” is essential. I have used it roughly 50-100 times per day for the last 4 years. If you know how to use it efficiently, you can find what you are looking for faster and smarter. If you want to know how to use it efficiently, you can start by Googling that.
  • If your native language is not English, then learning it is as essential as using Google. The most internationally accepted language in 2021 is English, and nearly all resources can be found in it.
  • I mentioned Turkish (my native language) on my original slide because knowing your native language well is important for becoming successful in any area. If you do not know your native language well in the first place, then you cannot use, learn or know other languages well either. Beyond that, we use our language as a gateway to the outside world. Applied to bug hunting: to understand what you are reading and researching, to talk with other people who share your interests, to write a good report, and to discuss it with the report reviewer or triager, you need to know both your native language and English well. There is a related concept, the Sapir–Whorf hypothesis: “a principle suggesting that the structure of a language affects its speakers’ worldview or cognition, and thus people’s perceptions are relative to their spoken language.” I strongly believe this, as language really does affect our perspective on life, including our approach to any subject. So knowing your own language better, plus an extra language, can bring a new and different point of view. (If you are into the topic, I can also recommend the 2016 sci-fi movie Arrival, which takes a unique approach to this hypothesis.)
  • “Finding your own area/speciality” is important in the long run for becoming an expert and unique in the industry. As a real-world example, Tommy tells it all the time: he made nearly all of his bug bounty payouts from a single vulnerability category, SSRF, which is good proof of what focused work can put into your wallet.
  • “Technical knowledge & experience” is everything you can bring to this area. Compared to other crafts and practices (such as winemaking, with nearly 1000 years of history and experience), bug hunting (like nearly all IT topics) is still a new field that changes every day. So adding value to it is easy compared to other disciplines.
  • I am not going to talk in detail about “Keeping up to date” here, because it is obvious that information technology is updated every day, and without keeping up, your bugs could be out of date 🙂
  • In terms of bug hunting, “Expanding your network/social skills” is not as important as the prior items, but having them can still bring you new opportunities. Human beings have been social creatures from the beginning, and working as a community always brings positive developments.

How to become successful?


From both my experience and my observations of other bug hunters’ career paths and résumés, I can say that if you have penetration testing or offensive security research experience behind you, it is easier to adapt to the bug hunting discipline. But as I said, there is no point in generalizing, and I personally know lots of successful bug hunters who did not go to university at all, or have not yet. So this really depends on the person. You could become successful at 14, or fail even after getting your PhD in Computer Science.

First, the definition of “being successful” here is really important, and it also differs from person to person. Most of the time success comes down to salary, payouts or money; however, I can say there are more measures of success in bug bounty hunting than in a regular day job. From my point of view, I choose bug hunting over regular employment for these kinds of success:

  • Being your own boss: If you have really good self-discipline and really do not like illogical duties coming from a superior, then this is definitely for you. This is the thing I love most about bug hunting. You are your own boss.
  • Performance-based payouts: If you are eager to earn more money, instead of changing your job you can work for extra bucks overnight 🙂
  • Flexible working: Most new IT jobs have this as a benefit, but taking a day or a month off without asking anyone for approval is still awesome.

So even without the steady salary of a day job, I would still prefer hunting because of those advantages. Having them is a success for me, more than huge payouts 🙂 To sum up: to become successful, a person first needs to define their own success criteria.


Now, as a starting point, it differs across experience levels:


  • If you are starting without any IT experience, this is the toughest path. To become successful in this area, one should really know the basics of IT: networks, hosts, software, protocols, etc., basically everything. Without knowing them, finding vulnerabilities would be really hard. I suggest understanding those technologies first, e.g. installing a web service, setting up a DNS server, learning a programming language, and then focusing on the security field.
  • If you are starting with IT experience but without pentest experience, this is still hard for you, but not the toughest. The main thing here is actually learning security principles. Why do we need security? What are we trying to protect? Who are we protecting it from? How can we protect it? What could the entry points be? What are the attack types? If you can start answering those questions case by case, the basics of offensive security will start to take shape in you.
  • If you are coming from pentest experience like me, I can say that the bug hunting discipline is really different from pentesting and a little hard to get used to. Instead of the pentest approach (finding every vulnerability at every severity level), you need to focus almost entirely on exploitable vulnerabilities rather than theoretical ones. I remember that on pentest projects we would report SQLi based on an error triggered by a ' character, or report <> characters being reflected unescaped in HTML responses, without actually trying to dump information from the DB or bypass the WAF for a working XSS attack. So this is the time to focus on finding actual vulnerabilities with real-world scenarios and impact.

I personally prefer and suggest starting bug hunting after learning the security concepts and taking online trainings. You can still find vulnerabilities without strong technical skills, but most of the time they will be temporary, lucky findings, which could leave you struggling later.

After you start actively bug hunting, this is the mental methodology I apply for both the short and the long term:

  • Being consistent: Especially in the first years, consistency is really important. Some days you will get valid reports, some days you will get nothing. With consistency you increase your chances of finding valid reports per day or week.
  • Goals & motivation: Demotivation is really common, especially in the first days and months of hunting. I personally felt demotivated thousands of times when I could not find any bugs during the day. The solution I found is focusing on realistic short- and long-term goals instead of daily wins. What matters here is what you achieve on average. Setting achievable weekly, monthly and yearly goals and actually achieving them is really good for intrinsic satisfaction.
  • Variety in bugs: If you focus only on XSS bugs, then you can only report XSS bugs 🙂 Especially for beginners, testing a range of categories is really important. In my first year of hunting, I can say that I looked for and reported all kinds of bugs. With this, you will have more valid reports than with less diversified testing, which reduces the stress both in terms of payouts and the fear of not finding anything.
  • Focusing on some categories: As in the earlier Tommy & SSRF example, especially after some time, focusing on a few categories, deepening your technical knowledge of them and becoming an expert in them will really make a difference in the industry. Especially after my 2nd year of hunting, I started focusing on some categories I love, such as Authorization/Authentication. Read everything about them. Apply everything you learn about them in the real world. Manually analyze every request and response. At some point, you will catch those special bugs unique to you!
  • Learn platforms/mentality: Every bug bounty platform, target, program, triager, etc. differs hugely in approach from the others. For the last 4.5 years (my whole bug hunting journey), I have mostly worked (80–85%) on a single platform, which brought me success. While in my first years I mostly tested new systems/targets each week, for the last 2 years especially I started re-testing my old targets every 6 months, which is where I earned most of my payouts. In this period, I found that application owners introduce lots of new vulnerabilities while patching the reported ones, and these are overlooked most of the time. Also, testing and getting used to the same technologies builds deeper technical knowledge of them, which makes it possible to report more complex and hidden bugs. So while testing different applications/targets extends and diversifies your knowledge, re-testing the same ones from time to time yields new discoveries that would otherwise go unnoticed.
  • Have your own mental methodology: Every successful bug hunter I have met has a unique approach to testing, shaped over time. So find the methodologies that suit you best and improve them along the way.

Last thoughts


As I said in the prologue of the post: “There is no single true way to become successful in any area.” Every human being has their own journey. We will always use others’ experiences for self-development, as throughout history, but we will also determine our own journeys through individual effort and diligence.

Stay safe and may luck be on your side 🙂


[Repost] [Vulnerability analysis] GitHub access token exposure

This report is actually very simple: a Shopify employee built an application but accidentally shipped the .env file with it. That .env file contained a token for Shopify's GitHub repositories, which gave access to those repositories.

Why had this GitHub token not been noticed? Mainly because the employee had built an Electron application and released it publicly, and someone then analyzed the Electron application and found the .env file in its file system.


But from this example we can try to work out how to scan for GitHub tokens and similar credentials.

Currently GitHub, through its secret scanning service, alerts users of public repositories to this issue. Link:


  1. Gittyleaks: does not look usable
  2. GitHub's official scanning feature
  3. Git Secrets: released by AWS to block commits containing AWS keys
  4. Repo Supervisor: finds misconfigurations and passwords
  5. Truffle Hog: searches with regular expressions, including across branches and commit history (recommended)
  6. Git Hound: a checker written in Go
  7. Gitrob: written in Go, no longer maintained
  8. Watchtower Radar API: AI-driven detection; turns out to be a commercial product, worth looking into
  9. Repo security scanner: a command-line tool
  10. GitGuardian: also a commercial product
  11. Shhgit: this one is very impressive
  12. yar
  13. GitGot
  14. git-wild-hunt

Chinese GitHub scanners

  1. GSIL
  2. Hawkeye
  3. 码小六 (recommended): ×99/code6
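As an added example (not code from the original post or from any of the tools listed above), here is a minimal regex-plus-entropy scanner in the style of Truffle Hog and Git Secrets, run over a constructed in-memory file tree that includes an .env file like the one in the Shopify report. The ghp_ and AKIA prefixes are the documented GitHub and AWS formats; the bare 40-hex rule, the entropy threshold and the sample values are my assumptions, and the sample deliberately includes a short password the entropy rule misses and a commit SHA the 40-hex rule flags, to show where such scanners need tuning:

```python
import math
import re
from collections import Counter

# ghp_ is GitHub's documented classic PAT prefix, AKIA the AWS access key ID prefix.
# The 40-hex rule is an assumption-grade catch-all that also matches git commit SHAs.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_40hex": re.compile(r"\b[0-9a-f]{40}\b"),
}
# dotenv-style KEY=VALUE lines whose key name suggests a credential
DOTENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*['\"]?([^'\"\s#]+)")
SENSITIVE_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, plain words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(secret: str) -> str:
    return secret[:4] + "..."  # report only a prefix so the scan output does not leak the secret

def scan_text(path: str, text: str, min_len: int = 16, min_entropy: float = 3.5) -> list:
    """One finding per regex match; the entropy rule only fires on lines no regex caught."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(rule, m.group(0)) for rule, rx in PATTERNS.items() for m in rx.finditer(line)]
        kv = DOTENV_LINE.match(line)
        if not hits and kv and SENSITIVE_KEY.search(kv.group(1)):
            value = kv.group(2)
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                hits.append(("high_entropy_env_value", value))
        for rule, secret in hits:
            findings.append({"path": path, "line": lineno, "rule": rule, "value": redact(secret)})
    return findings

def scan_files(files: dict) -> list:
    """files maps path -> content, e.g. an app bundle's tree checked before release."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample tree; none of these values are real credentials.
SAMPLE_FILES = {
    ".env": "\n".join([
        "# constructed sample values",
        "GITHUB_TOKEN=ghp_" + "A" * 36,
        "DEBUG=true",
        "DB_PASSWORD=hunter2",  # too short for the entropy rule: a known blind spot
        "SESSION_SECRET=q8Zr2mVx1Lp0Ks9Tn4Wb7Yc3Ha6Jd5Fg",
    ]),
    "src/config.js": 'const apiKey = "AKIA' + "A" * 16 + '";',
    # a pinned commit SHA: the 40-hex rule flags it, a false positive to allowlist
    "package-lock.json": '"resolved": "https://example.invalid/repo#' + "0123456789abcdef" * 2 + "01234567" + '"',
}
```

Calling scan_files(SAMPLE_FILES) yields four redacted findings: the ghp_ token and the high-entropy SESSION_SECRET in .env, the AKIA key in config.js, and the SHA false positive in the lockfile.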





1. Keyword issues

dotfile example:

Starting from people: you can scan the whole web, group GitHub accounts by company, and look for company information in those accounts' other projects.


1. Building a GitHub Secrets Scanner

2. Build your own GitHub code-leak monitoring tool

3. Build your own GitHub code-leak monitoring tool: improvements



1. Why is recon the key to making money from bug hunting?



1 – the sqlis were damn easy to identify – discovering the resources affected, not so much. lots of recon (gau, google dorking, spidering, url guessing) on target. discovered a number of web services, however no vulns


2 – kept URL guessing and found a zip file containing web.config – several creds leaked – more interesting were the URLs disclosed in there, as they pointed to asmx web services – turns out 90% of these are on sites out of scope


3 – the paths of these web services were somehow similar to other folders and a couple of web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations to see if the site had these endpoints just in different folders


4 – dict1: known folders on target. dict2, dict3 both had paths extracted from the URLs in web.config, with some permutations based on name similarities I inferred; dict4: endpoints from web.config. ran ffuf cluster-bomb style; out of 35k possibilities, found 10+


5 – 10+ web services that were supposedly on OOS sites, however available in different locations on the in-scope target. each web service had many endpoints (some even 30-40). moral of the story: these had more holes than swiss cheese. that’s where all the sqlis were


6 – TL;DR: had I reported the web.config finding immediately, other people would have seen the URLs and perhaps located these web services on the target; I didn’t report it and worked until I found their location and reported as many sqlis as I could.


7 – my takeaway and tip for the reader: don’t report a bug as soon as you find it, especially if it shows that it can be used to further own a target. keep the intel for yourself and hack. if after a while it doesn’t lead to anything, report the bug and move on.


2. I Built a TV That Plays All of Your Private YouTube Videos

3. Breaking GitHub Private Pages for $35k


2. Reproducing a vulnerability: Google's SSRF bypass


4. GitHub README project: how to manage the security of an open-source project

5. Git clone vulnerability


Worth reflecting on: for example, opencv-python is imported with import cv2, but many people run pip install cv2 directly, which gives attackers an opportunity.


2. QuickXSS, a new tool


After the encrypted request was cracked, the internal WAF still imposed restrictions; see how the author got past them.


The author stumbled upon a login form that complained a clientID was missing; the author then simply searched Google, found such a clientID, and logged straight in. inurl:client_id.