by ssclafani 3999 days ago
I've been doing bug bounties for the past few years, here's some advice to get started:

1. Monitor https://hackerone.com, https://bugcrowd.com and Twitter for announcements of new programs.

2. When looking for bugs in sites with existing programs like Facebook, your best chance is when they announce a new feature or product. This includes acquisitions (Facebook paid out over $100,000 for bugs when they added the Oculus websites to their program).

1 comments

In general, do you need to register or anything like that? I think it'd be a fun thing to try, but I also don't want any of the bad legal repercussions that can come with it.

Some programs require you to register an account to report a bug while others use email, but you don't need to get permission to look.

All bug bounty programs have rules that outline what parts of their site/product you can test and what kinds of bugs they are looking for (here's Facebook's https://www.facebook.com/whitehat/). As long as you follow the rules you won't have any legal problems.