Getting into Cyber Security with Bug bounty | Day ZerØ

Xotl Mist

There are many ways to get into the security realm. The traditional degree-and-certification pathway is one of them, but here we're going to talk about more accessible ways in, because sometimes you can't afford a degree, whether in money or in time.

Let's do the What, Why and How of bug bounty.

With ever-increasing cyber threats, you need more ways to secure your product than a penetration test and an internal team alone; you want to tap the intelligence of a much larger crowd, and that's where bug bounty platforms and programs come in. A bug bounty program (BBP) is simply a company allowing you to hack on its applications and report the vulnerabilities (bugs) you find, for which you can get paid depending on the severity of the bug. Some companies, like Google, run their bug bounty program themselves, while others use platforms like HackerOne or Bugcrowd to manage their BBP for them.

Let's Understand How a Bug Bounty Platform Works

Here I am logged into HackerOne. I recommend pausing the read here, signing up and looking around; most of the stuff there is self-explanatory.

You can filter the programs you're interested in hacking on by industry or asset type (web app, mobile app, source code analysis, etc.).

Before you decide to hack on a program, check its response rate: you don't want to wait six months for a vulnerability to be triaged and patched. Always look for programs with a good response rate.

You also don't want to end up with a response that the vulnerability you found was not accepted, or that it was on an asset not in scope for that program. When you're starting out, always, always read the scope and don't hack on assets that are not included: testing out of scope isn't just unpaid, it's unauthorized, and the program's safe harbor doesn't cover it.
Once you find a decent number of bugs on these platforms, you'll get private invites. That's where people make more money. Why? Because they're private: only a few selected hackers are invited to hack on these programs, so there is far less competition for the same bugs.
Here are some well-known bug bounty platforms:
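Reading the scope is a habit worth automating. The following is an added example, not code from the original post or from any platform: a small scope check you run on a URL or hostname before you send a single request to it. The scope lists are constructed samples written in the wildcard style HackerOne and Bugcrowd programs use; a real program's policy page is the source of truth. Two rules are assumed here because programs differ on them: an explicit out-of-scope entry always wins over an in-scope wildcard, and `*.example.com` covers subdomains but not the bare `example.com` unless it is listed separately.

```python
"""Added example (not from the original post): check a target against a
program's scope before testing it. Scope entries below are constructed."""
from urllib.parse import urlsplit

# Constructed sample scope, in the style programs publish on their policy page.
IN_SCOPE = ["*.example.com", "example.com", "api.example.org"]
OUT_OF_SCOPE = ["staging.example.com", "*.corp.example.com"]


def host_of(target: str) -> str:
    """Return the lower-cased hostname of a URL, host:port or bare host."""
    t = target.strip().lower()
    if "://" not in t:
        t = "//" + t  # lets urlsplit treat 'host:port/path' as a netloc
    host = urlsplit(t).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host


def matches(pattern: str, host: str) -> bool:
    """Wildcard match. Assumption: '*.example.com' matches subdomains at any
    depth but NOT the bare 'example.com'; list the apex explicitly if it is in."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host != pattern[2:]
    return host == pattern


def in_scope(target: str, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """Return (allowed, reason). Explicit out-of-scope entries win over
    in-scope wildcards; anything not listed is treated as out of scope."""
    host = host_of(target)
    for p in deny:
        if matches(p, host):
            return False, f"{host} is explicitly out of scope ({p})"
    for p in allow:
        if matches(p, host):
            return True, f"{host} is in scope ({p})"
    return False, f"{host} is not listed; do not test it"


if __name__ == "__main__":
    for t in ["https://api.example.com/v1/users", "staging.example.com",
              "https://dev.corp.example.com", "example.com",
              "http://example.com.attacker.net/", "api.example.org:8443"]:
        ok, why = in_scope(t)
        print(("OK  " if ok else "STOP"), why)
```

The lookalike case (`example.com.attacker.net`) is why the wildcard check compares against a dotted suffix rather than a plain substring: a substring match would wave it through.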

  • HackerOne

  • Bugcrowd

  • Intigriti

  • YesWeHack

Your Background will Forge the Path Ahead

If you're coming from a non-tech background, that's totally normal. But having a tech background definitely helps, and I'll cover it as briefly as possible.
First, let's nail down the foundation, with my bias: start with web hacking. Even if you don't want to do it in the long run, the experience and the things you'll learn will help you.

Web Fundamentals

I'm not asking you to become a wizard, but you should at least know the fundamentals of HTML, CSS and JavaScript and how they form a website together; you can get better at these along the way, so just get the foundation done. Get to know how a website works, what a server is, and the basic cycle of an HTTP request and response.

Some resources to learn:

  • scrimba.com (only pick their HTML and CSS course, and then the JavaScript course by Per)

Network Fundamentals

No matter what type of hacking you get into later, getting good at networking will always help you. Just get the basics done: how a network works, how the internet works, protocols, IP addresses, TCP/IP and the OSI model.

Resources to learn them:

  • NetworkChuck (watch his CCNA playlist)

  • CertBros (you can also look at their CCNA playlist)
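To tie the Web Fundamentals and Network Fundamentals sections together, here is an added example that is not part of the original post: one constructed packet walked down the layers, IPv4 header, then TCP header, then the HTTP request inside it, and a minimal HTTP response built on the way back. The addresses, ports, sequence numbers and the login request are made-up sample values; the packet builder leaves the IP and TCP checksums at zero, which a real stack would not, so treat it as a teaching aid rather than something to put on the wire.

```python
"""Added example (not from the original post): a constructed IPv4/TCP/HTTP
packet parsed layer by layer. All values are samples; checksums are left 0."""
import struct
from urllib.parse import parse_qs

# Constructed sample request. Content-Length must match the body (27 bytes).
HTTP_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=s3c"
)


def build_packet(payload: bytes, src="192.0.2.10", dst="198.51.100.7",
                 sport=51234, dport=80) -> bytes:
    """Wrap payload in a 20-byte TCP header and a 20-byte IPv4 header."""
    # TCP: ports, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version 4 / IHL 5, TOS, total length, id, flags DF, TTL, proto 6=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp + payload


def parse_ipv4(pkt: bytes):
    """Layer 3: return the header fields and the bytes belonging to layer 4."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hdr = {"version": version, "header_len": ihl, "total_len": total_len, "ttl": ttl,
           "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, pkt[ihl:total_len]


def parse_tcp(seg: bytes):
    """Layer 4: return ports, seq/ack, flag names and the application payload."""
    sport, dport, seq, ack, off, flags, window, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off >> 4) * 4
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    set_flags = [n for i, n in enumerate(names) if flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "window": window, "flags": set_flags}, seg[data_off:]


def parse_http_request(raw: bytes):
    """Layer 7: request line, headers, body (cut to Content-Length) and form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = body[:int(headers.get("content-length", "0"))]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "form": form}


def build_http_response(status: int, reason: str, body: bytes,
                        content_type: str = "text/plain") -> bytes:
    """The server's half of the cycle: status line, headers, blank line, body."""
    head = (f"HTTP/1.1 {status} {reason}\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def walk(pkt: bytes):
    """Peel the constructed packet: IPv4 -> TCP -> HTTP."""
    ip, seg = parse_ipv4(pkt)
    tcp, payload = parse_tcp(seg)
    return ip, tcp, parse_http_request(payload)


if __name__ == "__main__":
    ip, tcp, http = walk(build_packet(HTTP_REQUEST))
    print(ip)
    print(tcp)
    print(http["method"], http["target"], http["headers"], http["form"])
    print(build_http_response(200, "OK", b"welcome, alice").decode())
```

Notice that nothing below layer 7 knows or cares that a password is in the payload: the IP and TCP headers only carry addresses, ports and sequencing, which is exactly why the interesting bugs for a web hunter live in the request line, headers and body that a proxy like Burp shows you.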

Mindset

Remember, hacking is a mindset, and it takes time to get your brain to think like a hacker. A hacker is driven by curiosity, and that curiosity is backed by the persistence to achieve what they want. Stay optimistic: nothing is really secure, even if the top 5% of elite hackers are already hacking on a program. Set your impostor syndrome aside and jump in.

When you're starting out it's common not to get things on the first try; you might need to rewatch a video several times, or find other resources to understand a topic, and that's completely normal. Just stay persistent, and try different resources if one doesn't work for you.

PortSwigger Labs and Writeups

You don't have to do 1000 labs at random to prepare. Just get through the basic PortSwigger Web Security Academy labs on XSS, access control and business logic flaws and you're good to start hacking. Try to read as many writeups as you can; I'll list some good security blogs and Twitter accounts you can follow.

Common Questions and Mistakes

Q1: How long will it take until I start finding bugs?

Give it at least 3 to 6 months of dedication and persistence before you expect to reap the reward. Jumping here and there expecting fast results doesn't work anywhere.

Q2: There are already people hacking on it?

That's something you have to get comfortable with; every public program has other hunters on it.

Q3: How long until I start hacking on actual programs?

Avoid spending too much time on just learning without practice. As soon as you've done some labs and read some writeups, jump in and try it in the wild.

Q4: I'm not sure what I'm doing. Can something go wrong?

Safe testing exists. If you're not sure what you're doing, stop there and get some help. I know of cases where hackers deleted a production database during unsafe testing and were banned from the platform. Prove a bug with the least impact that demonstrates it (a read, not a delete), and don't fire destructive payloads or automated tooling at endpoints that change state unless the program's policy explicitly allows it.

Additional Resources
