Rikesh, who goes by the username (Itsrickyy), is one of our best-performing researchers. He also recently surpassed the $1000 milestone on our platform. Rikesh is an inspiration among the new bug bounty hunters. We asked him to share with us some of his tips to help our community members get better at bug bounties. Here are a few of his advice that he shared with us:
- Sharpen your tools
While spraying nuclei templates and random payloads using public “recon tools” is very outdated since everyone is doing it, never underestimate the power of tools in manual testing.
There are excellent tools in BurpStore and even GitHub.
Use it, modify and integrate them in your workflow for better results.
- Don’t force yourself on a program
Everyone has a taste. I don’t force myself to hunt on a target just because I got a private invite.
I primarily focus on targets like e-commerce and mostly single user-based targets.
The targets that bore me are role-based sites.
The sites that involve multiple user roles such as admin, manager, etc.
So I just don’t focus on that.
That’s why I haven’t tested FB page roles and privilege escalation issues till now.
There is no “ideal program.” It’s all about which target interests you.
- Understanding your target
Knowing the target is the essential factor.
Why do we see newcomers with very little technical knowledge smashing good bounties on Facebook every other week?
Because they are familiar with the target, they use it regularly and intentionally and sometimes unintentionally encounter an issue.
Even in my case, I just hunt on two private programs in HackerOne, because I know the program so well that switching to a new one feels exceptionally tiresome.
- Hunt on Self-hosted programs
For a beginner, directly hacking on HackerOne and Bugcrowd public programs might feel comparatively hard.
At that time, you can hunt on newly launched bugv programs or self-hosted programs.
Hunting on self-hosted programs dramatically increases your chances of finding untouched targets and might as well get you into private HackerOne/Bugcrowd programs.
- Diving deep
Bug bounty has become very, very competitive as of now.
Consider yourself extremely lucky if you come across a non-duplicate low-hanging fruit.
So make sure you visit the old endpoints, read JSFiles, hunt on old APKs.
That way, you might come across an endpoint which no one has touched, landing you a good bounty.
- Keep learning
Learn a new thing every day. Medium writeups, telegram groups, and the information out there are abundant.
So try to grab new information every day but don’t stress yourself out in the process. And don’t forget to take a break if you need one.
We would like to thanks Mr. Rikesh for enlightening the community members with his advice. We hope this will help beginners and advanced bug bounty hunters improve their bug bounty game.
Rikesh Baniya ( itsrickyy ) has been registered at Bugv since its early stage and has shown his excellence in his skillsets and has helped our customers to secure their digital assets. He is an active bug bounty hunter who is one of the top security contributors for Facebook and is currently at #2 on Facebook’s global leaderboard.