Bug Hunter Guide

Learn how to find and report security vulnerabilities on Bugbop.

Getting Started as a Bug Hunter

Welcome to Bugbop! As a bug hunter, you'll be searching for security vulnerabilities in participating programs and earning rewards for your findings. This guide will help you get started on your bug hunting journey.

Step 1: Setting Up Your Profile

Complete your profile to build credibility:

  • Add a professional profile picture
  • Fill in your bio with relevant skills and experience
  • Link your social profiles (Twitter, GitHub, LinkedIn)
  • Set up your payment details for bounty payments

Step 2: Finding Programs to Participate In

Discover programs that match your skills:

  1. Browse the "Public Programs" directory
  2. Read program policies carefully before participating
  3. Join programs that align with your expertise

Step 3: Understanding Program Details

Before hunting, study these critical sections:

  • Scope: What assets are included/excluded
  • Rewards: Bounty ranges for different severity levels
  • Rules: Program-specific guidelines and expectations
  • Out of Scope: Vulnerability types not eligible for rewards

Step 4: Testing for Vulnerabilities

When hunting for bugs:

  • Only test assets explicitly listed in scope
  • Never attempt destructive testing or DoS attacks
  • Respect rate limits and avoid excessive automated scanning
  • Document your findings thoroughly with clear reproduction steps
  • Consider the real-world impact of each vulnerability
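The first three rules above are easiest to keep when the tooling enforces them before a packet leaves your machine. The script below is an added example, not Bugbop's code or any program's official tooling: it gates every request through a scope check (exclusions always win, and a `*.example.com` wildcard is read as subdomains only, so the apex must be listed separately if a program intends it) and a token-bucket throttle, and it records what was sent so the log can be turned into reproduction steps. The scope entries, hostnames, `ScopedClient`, `TokenBucket`, rates and the stubbed `send` are all constructed for illustration; a real program's published scope and rate-limit rules take precedence over anything here.

```python
"""Scope gate and token-bucket throttle for bounty testing (added example).

Not Bugbop's code. Scope entries, hostnames and limits are constructed;
substitute the program's own published scope and rules.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed sample scope in the shape programs usually publish:
# wildcard/exact hostnames in scope, explicit exclusions out of scope.
SCOPE = {
    "in": ["*.example.com", "api.example.net"],
    "out": ["legacy.example.com", "*.corp.example.com"],
}


class ScopeError(Exception):
    """Raised before any request is sent to a host outside scope."""


def _host_matches(host: str, pattern: str) -> bool:
    """Case-insensitive hostname match. '*.x' covers subdomains of x only,
    never the apex x itself; list the apex separately if it is in scope."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def in_scope(url: str, scope: dict = SCOPE) -> bool:
    """True only if the host matches an in-scope entry and no exclusion.
    Exclusions win: wildcards often cover hosts a program has carved out."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if any(_host_matches(host, p) for p in scope["out"]):
        return False
    return any(_host_matches(host, p) for p in scope["in"])


@dataclass
class TokenBucket:
    """At most `burst` requests at once, refilled at `rate` per second.
    `clock` is injectable so the limiter can be tested without sleeping."""
    rate: float
    burst: int
    clock: Callable[[], float] = time.monotonic
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)
        self.last = self.clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self) -> bool:
        """Take one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def acquire(self) -> None:
        """Block until a token is available, then take it."""
        while not self.try_acquire():
            time.sleep((1 - self.tokens) / self.rate)


class ScopedClient:
    """Refuses out-of-scope URLs up front, throttles the rest, logs each send.
    `send` is injectable: the default uses urllib, the demo uses a stub."""

    def __init__(self, scope: dict = SCOPE, rate: float = 2.0, burst: int = 5,
                 send: Optional[Callable[[str], int]] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.scope = scope
        self.bucket = TokenBucket(rate, burst, clock)
        self.send = send or self._urllib_send
        self.log: list = []  # (url, status) pairs: raw material for repro steps

    @staticmethod
    def _urllib_send(url: str) -> int:
        import urllib.request
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status

    def get(self, url: str) -> int:
        if not in_scope(url, self.scope):
            raise ScopeError(f"refusing {url}: host not in program scope")
        self.bucket.acquire()
        status = self.send(url)
        self.log.append((url, status))
        return status


if __name__ == "__main__":
    client = ScopedClient(send=lambda url: 200)  # stub send: runs offline
    for url in ["https://app.example.com/login", "https://legacy.example.com/",
                "https://example.org/"]:
        try:
            print(url, client.get(url))
        except ScopeError as err:
            print("blocked:", err)
```

Keep `burst` small and `rate` at or below whatever the program states; if a program gives no figure, a couple of requests per second from a single IP is a defensible default, and anything that looks like a load test is exactly the "excessive automated scanning" the rules forbid.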

Step 5: Submitting Your Bug Report

Create high-quality submissions:

  1. Navigate to the program page
  2. Click "Submit Report"
  3. Include essential information:
    • Descriptive title: Summarize the issue clearly
    • Affected asset: Specific URL or component
    • Steps to reproduce: Detailed instructions
    • Impact: Explain the security implications
    • Suggested fix: If you have recommendations
    • Screenshots/videos: Visual evidence when helpful
  4. Submit one vulnerability per report
  5. Check for duplicates before submitting

Important: Never publicly disclose vulnerabilities without authorization from the program. Premature disclosure may violate program rules and result in disqualification.

Step 6: Handling Responses

After submitting a report, be prepared for different outcomes:

  • Valid: The team confirms your finding and may award a bounty
  • Needs more info: Provide additional details as requested
  • Duplicate: Someone else reported the same issue first
  • Not applicable: The team determined it's not a security issue or is out of scope

Maintain professional communication regardless of the outcome.

Step 7: Requesting Payout

Once you have accumulated at least $20 in bounties, you can request a payout by one of the following methods:

  • PayPal: Send an invoice to [email protected] via PayPal (see PayPal's documentation on invoicing).
    If the email address on your PayPal account does not match your Bugbop account email, include your Bugbop email address in the invoice so we can verify that you sent it.
  • Bank Transfer: Send an invoice to [email protected] with your bank details. You must verify your identity first (User Profile > Details).
  • Charity Donation: If it is not possible for Bugbop to pay you directly, you can request that we donate the amount to a registered charity in your name.
  • Contact Us: If none of these options works for you, Contact Us and we will try to find an alternative.

Next Steps

As you gain experience:

  • Study Bug Writing Best Practices to improve your reports
  • Learn from public disclosure reports shared by other researchers
  • Develop specializations in specific vulnerability types or technologies
  • Build relationships with program teams through quality submissions
  • Consider joining private programs as your reputation grows