by Retr0spectrum 4000 days ago
I've been wanting to start doing bug bounties for a while now, but I have only been able to find serious bugs in sites without bug bounty schemes. I was starting to think that it would be impossible to get any bug bounties because of the number of people searching, but this post gives me some confidence.
2 comments

I've been doing bug bounties for the past few years; here's some advice to get started:

1. Monitor https://hackerone.com, https://bugcrowd.com and Twitter for announcements of new programs.

2. When looking for bugs in sites with existing programs like Facebook your best chance is when they announce a new feature or product. This includes acquisitions (Facebook paid out over $100,000 for bugs when they added the Oculus websites to their program).

In general, do you need to register or anything like that? I think it'd be a fun thing to try, but I also don't want any of the bad legal repercussions that can come with it.
Some programs require you to register an account to report a bug while others use email, but you don't need to get permission to look.

All bug bounty programs have rules that outline what parts of their site/product you can test and what kinds of bugs they are looking for (here's Facebook's https://www.facebook.com/whitehat/). As long as you follow the rules you won't have any legal problems.

New programs are launching all the time, or the scope of current programs is expanding to include new products or features. It's never too late to get started; there's actually more work than researchers at the moment, and it will be like that for many, many years to come.

In terms of how to get started, I definitely suggest monitoring the various bug bounty sites to see what's new and if a bounty's scope has expanded.

There's also a bunch of guides, tutorials, and tools listed on Bugcrowd's Forum: https://forum.bugcrowd.com/c/security-research