1
00:00:00,000 --> 00:00:04,720
What if I told you that companies are literally waiting to hand you thousands of
2
00:00:04,720 --> 00:00:08,480
dollars for finding security issues in their assets?
3
00:00:08,520 --> 00:00:10,280
And I'm not talking about small change here.
4
00:00:10,280 --> 00:00:14,120
We're talking about 10 to $15,000 per vulnerability.
5
00:00:14,240 --> 00:00:18,240
And listen, I have been in this whole bug bounty game for long enough to know
6
00:00:18,240 --> 00:00:21,640
that making $100,000 a year is completely doable.
7
00:00:21,840 --> 00:00:25,720
And to be honest, I'm not here to sell you on some get-rich-quick scheme.
8
00:00:25,760 --> 00:00:29,520
I'm here to show you exactly the roadmap that I would personally take if I had
9
00:00:29,520 --> 00:00:32,800
to start with my first $100,000 all over again.
10
00:00:33,040 --> 00:00:37,360
And the thing with bug bounties is that every major company out there has a bug
11
00:00:37,360 --> 00:00:40,480
bounty program, take Meta, Google, Apple, TikTok.
12
00:00:40,680 --> 00:00:44,560
They all are willing to pay you serious money for finding these vulnerabilities.
13
00:00:44,760 --> 00:00:45,520
But here's the thing.
14
00:00:45,560 --> 00:00:49,880
In order for us to reach that 100k mark, we need to break it down into achievable
15
00:00:49,880 --> 00:00:50,480
milestones.
16
00:00:50,680 --> 00:00:54,840
First we'll aim for a thousand dollars, then take that 1,000 to 10,000 and
17
00:00:54,840 --> 00:00:57,640
then eventually scale up to a hundred thousand dollars.
18
00:00:57,720 --> 00:01:01,000
But before we dive into the video, I'm thinking about creating an exclusive
19
00:01:01,000 --> 00:01:05,400
100k club on Discord where we can share tips, collaborate on findings and help
20
00:01:05,400 --> 00:01:09,080
each other and keep each other accountable in order to hit our six figure goal.
21
00:01:09,120 --> 00:01:13,000
So if you're interested, drop me a comment with 100k and I'll send you a link
22
00:01:13,040 --> 00:01:13,520
to join.
23
00:01:13,560 --> 00:01:16,720
Let's start off with just picking the right targets first because this is
24
00:01:16,720 --> 00:01:18,960
literally where most people tend to mess up.
25
00:01:18,960 --> 00:01:21,760
You need to find companies that meet two critical criteria.
26
00:01:21,800 --> 00:01:25,560
One is a high payout and two is having a massive attack surface.
27
00:01:25,720 --> 00:01:29,200
I'm going to break down three examples of good programs to hack on, starting
28
00:01:29,200 --> 00:01:32,760
with Amazon, because for example, if you look at them, they're constantly pushing
29
00:01:32,760 --> 00:01:34,760
new code, sometimes multiple times a month.
30
00:01:34,960 --> 00:01:38,200
One day you look at Amazon.com and next day they have added a new feature for
31
00:01:38,200 --> 00:01:40,640
prime members or they have rolled out a new service.
32
00:01:40,800 --> 00:01:42,720
Each deployment is a new opportunity.
33
00:01:42,840 --> 00:01:43,720
Plus think about it.
34
00:01:43,880 --> 00:01:45,920
Amazon has hundreds of microservices.
35
00:01:45,920 --> 00:01:48,960
They have Prime, they have Seller Central, they have books that have authors.
36
00:01:49,160 --> 00:01:52,040
Those are all gold mines of potential vulnerabilities.
37
00:01:52,120 --> 00:01:55,800
FIS is another massive program to go after because they're handling financial
38
00:01:55,800 --> 00:01:58,200
transactions for banks all around the world.
39
00:01:58,280 --> 00:02:02,000
The complexity of their systems means when you find a vulnerability, it's usually
40
00:02:02,000 --> 00:02:05,120
a good one and not to mention their scope is massive.
41
00:02:05,160 --> 00:02:09,120
You can also look at programs like T Mobile, TikTok, Epic Games for similar
42
00:02:09,120 --> 00:02:09,560
reasons.
43
00:02:09,640 --> 00:02:13,720
These companies are constantly evolving, pushing new features and maintaining huge
44
00:02:13,720 --> 00:02:17,520
attack surfaces that create the perfect opportunity for bug hunters.
45
00:02:17,600 --> 00:02:21,240
And here is something that most people don't know with these direct programs.
46
00:02:21,320 --> 00:02:25,960
They often have special invite only tiers if you're consistently providing value
47
00:02:25,960 --> 00:02:28,160
and sending them good bugs and communicating professionally.
48
00:02:28,360 --> 00:02:31,960
You may get invited to a private program or even a special live hacking event.
49
00:02:32,000 --> 00:02:33,600
Now here is something crucial that
50
00:02:33,600 --> 00:02:37,920
you need to understand about being successful with any program that you choose
51
00:02:37,920 --> 00:02:38,760
to focus on.
52
00:02:39,000 --> 00:02:43,240
And this also ties in with a quoted tweet from Justin, aka rhynorater, that says,
53
00:02:43,240 --> 00:02:46,280
pick a target with lots of depth and a communicative team.
54
00:02:46,320 --> 00:02:48,240
Then become the world expert on it.
55
00:02:48,360 --> 00:02:50,920
This right here, this is the secret sauce.
56
00:02:51,120 --> 00:02:54,480
You need to understand two critical things about your target.
57
00:02:54,840 --> 00:02:59,280
First, their business model: what makes them money, what would hurt them the most?
58
00:02:59,480 --> 00:03:03,960
If you're hunting on Meta, understand their ad system. For Apple, know their ecosystem.
59
00:03:04,160 --> 00:03:06,120
For Amazon, learn their seller networks.
60
00:03:06,120 --> 00:03:10,040
When you understand what's sensitive to them, you'll know exactly where to look
61
00:03:10,040 --> 00:03:11,640
for high-impact bugs.
62
00:03:11,680 --> 00:03:14,600
Second, their tech stack. What frameworks do they use?
63
00:03:14,760 --> 00:03:16,240
How do they handle authentication?
64
00:03:16,400 --> 00:03:17,840
What's the deployment process like?
65
00:03:18,040 --> 00:03:21,920
The deeper you go, the more likely you are to find bugs that others miss.
66
00:03:21,960 --> 00:03:24,200
And here's something that sets top hunters apart.
67
00:03:24,240 --> 00:03:26,600
They don't just understand the current system.
68
00:03:26,640 --> 00:03:30,520
They follow every CVE and n-day that comes out of their target's
69
00:03:30,560 --> 00:03:31,120
tech stack.
70
00:03:31,160 --> 00:03:35,120
When a new vulnerability drops in a framework your target uses, you should be
71
00:03:35,120 --> 00:03:37,320
the first one testing if they're affected.
72
00:03:37,360 --> 00:03:40,080
This is how you turn knowledge into real money.
73
00:03:40,280 --> 00:03:43,960
But don't just chase CVEs blindly, follow the right people, read the right
74
00:03:44,000 --> 00:03:48,160
content, and when someone drops a write-up about your target, don't just read
75
00:03:48,160 --> 00:03:49,960
it, understand it deeply.
76
00:03:50,160 --> 00:03:53,840
Ask yourself, what other features might have the same issue?
77
00:03:54,040 --> 00:03:56,240
That's how you turn one bug into many.
78
00:03:56,360 --> 00:04:00,280
Now, before we dive into specific vulnerabilities, let's talk about picking your
79
00:04:00,280 --> 00:04:00,600
niche.
80
00:04:00,640 --> 00:04:03,160
This is where most bug hunters get it wrong.
81
00:04:03,360 --> 00:04:06,840
They try to learn everything at once and end up mastering nothing.
82
00:04:06,960 --> 00:04:07,720
Here's what works.
83
00:04:07,760 --> 00:04:09,880
Focus on web and mobile security.
84
00:04:10,000 --> 00:04:11,000
That's where the money is.
85
00:04:11,000 --> 00:04:12,840
And that's where most programs are.
86
00:04:13,000 --> 00:04:16,880
But don't just scatter your efforts across every platform; pick one major target
87
00:04:16,880 --> 00:04:19,560
and become the expert on that specific program.
88
00:04:19,760 --> 00:04:20,240
Think about it.
89
00:04:20,280 --> 00:04:21,480
Security is massive.
90
00:04:21,520 --> 00:04:25,600
We've got Web3, client side, server side, mobile, desktop, but you don't need to
91
00:04:25,600 --> 00:04:26,640
master all of it.
92
00:04:26,760 --> 00:04:28,120
Pick one area and go deep.
93
00:04:28,320 --> 00:04:29,400
I mean, really deep.
94
00:04:29,600 --> 00:04:32,920
Learn the tech stack inside and out, understand their business model, build a
95
00:04:32,920 --> 00:04:36,480
collection of relevant bug reports, join Discord communities that focus on
96
00:04:36,480 --> 00:04:40,120
your niche and follow the right researchers. Reading other bug bounty hunters'
97
00:04:40,200 --> 00:04:42,720
methodology and bug write-ups isn't optional.
98
00:04:42,760 --> 00:04:45,800
It's part of the job. Set time aside each week to study.
99
00:04:45,960 --> 00:04:48,200
Look at how other successful hunters approach your target.
100
00:04:48,320 --> 00:04:49,360
What techniques do they use?
101
00:04:49,400 --> 00:04:50,680
What patterns do you notice?
102
00:04:50,920 --> 00:04:52,200
This isn't about copying.
103
00:04:52,240 --> 00:04:54,840
It's just about building on what works.
104
00:04:54,880 --> 00:04:58,000
And don't get caught up trying to perfect your automation or tools.
105
00:04:58,200 --> 00:04:59,920
Learn just enough to be effective.
106
00:05:00,080 --> 00:05:01,840
Then spend time on actually hunting.
107
00:05:01,880 --> 00:05:05,200
The real progress happens when you're actively testing, not when you're
108
00:05:05,200 --> 00:05:07,600
tweaking your tools for the hundredth time.
109
00:05:07,920 --> 00:05:09,600
Here's a strategy that actually works.
110
00:05:09,960 --> 00:05:12,040
Look for companies that run live
111
00:05:12,040 --> 00:05:15,840
hacking events, pick one, become active on their program and make yourself
112
00:05:15,840 --> 00:05:18,080
known by building enough reputation.
113
00:05:18,280 --> 00:05:21,800
And you might even get invited to an exclusive event where the real money is.
114
00:05:21,840 --> 00:05:26,200
That's actually a tip that came from a tweet from Douglas Day, AKA ArchAngel.
115
00:05:26,400 --> 00:05:28,720
I wanted to know, hey, how do you make 100K, and this was his
116
00:05:28,720 --> 00:05:29,360
response.
117
00:05:29,720 --> 00:05:31,080
I couldn't agree more.
118
00:05:31,160 --> 00:05:34,160
If you're still not ready and you need to master specific vulnerability
119
00:05:34,160 --> 00:05:37,720
types before you decide on a niche, let me break down some vulnerability types
120
00:05:37,760 --> 00:05:41,800
that I personally think you should focus on that consistently lead to high
121
00:05:41,840 --> 00:05:42,680
impact findings.
122
00:05:42,920 --> 00:05:47,280
Let's start off with my favorite, XSS, but not your basic alert
123
00:05:47,360 --> 00:05:48,040
XSS.
124
00:05:48,240 --> 00:05:51,280
I'm talking about chaining XSS with other functionalities or even
125
00:05:51,320 --> 00:05:54,200
open redirects to perform things like account takeovers.
126
00:05:54,320 --> 00:05:58,240
When you show a company how their XSS can lead to mass account compromise,
127
00:05:58,440 --> 00:06:01,360
then that's when those 10 K bounties start rolling in.
128
00:06:01,560 --> 00:06:03,200
But let me tell you something even better.
129
00:06:03,360 --> 00:06:07,800
Blind XSS. These are absolute gold because they often hit internal admin
130
00:06:07,800 --> 00:06:09,400
panels and support dashboards.
131
00:06:09,440 --> 00:06:13,600
Think about it: when a support agent views a ticket or an admin reviews a profile,
132
00:06:13,680 --> 00:06:16,240
your payload executes with their privileges.
133
00:06:16,480 --> 00:06:20,640
I've seen blind XSS findings that pay more than most critical vulnerabilities
134
00:06:20,720 --> 00:06:23,680
because companies take internal compromise very seriously.
135
00:06:23,720 --> 00:06:27,320
So drop your XSS payload everywhere, like a user profile, form submissions,
136
00:06:27,320 --> 00:06:30,040
your user agent or even in error messages.
137
00:06:30,080 --> 00:06:34,160
The beautiful thing is that it might hit a few weeks or months later when someone
138
00:06:34,160 --> 00:06:36,360
internally finally reviews that data.
139
00:06:36,520 --> 00:06:39,920
And even if you get a hit, you're often looking at a security vulnerability
140
00:06:40,160 --> 00:06:42,480
that is going to give you access to internal systems.
141
00:06:42,680 --> 00:06:47,000
That's the kind of finding that can easily push you closer to that 100 K goal.
142
00:06:47,120 --> 00:06:50,720
That was an example of a client-side vulnerability, but now we need to talk about a
143
00:06:50,720 --> 00:06:52,680
server-side one like SSRF.
144
00:06:52,720 --> 00:06:56,080
SSRF is such a fun vulnerability, especially in cloud environments.
145
00:06:56,240 --> 00:06:59,600
Companies are pushing everything to AWS, Azure and GCP.
146
00:06:59,600 --> 00:07:03,680
And when you can demonstrate how your SSRF can access internal services or
147
00:07:03,680 --> 00:07:06,440
a metadata endpoint, you are looking at a massive payday.
148
00:07:06,640 --> 00:07:08,520
But here's what most hunters don't think about.
149
00:07:08,760 --> 00:07:11,440
SSRF goes beyond just hitting the cloud metadata endpoints.
150
00:07:11,680 --> 00:07:14,560
Modern companies are running complex internal infrastructures.
151
00:07:14,560 --> 00:07:18,760
Think about your Kubernetes clusters, Kafka message queues, internal APIs and even
152
00:07:18,760 --> 00:07:19,840
the monitoring systems.
153
00:07:19,880 --> 00:07:23,680
If you can pivot your SSRF to reach these services, then you're looking at a
154
00:07:23,720 --> 00:07:25,960
potential infrastructure-wide impact.
155
00:07:26,160 --> 00:07:29,800
These kinds of findings show real business impact because you're proving access
156
00:07:29,840 --> 00:07:32,240
to their entire backend infrastructure.
157
00:07:32,320 --> 00:07:36,400
The key here is to understand what modern companies are running internally.
158
00:07:36,560 --> 00:07:39,480
Learn about the common internal services, the default ports, the typical
159
00:07:39,480 --> 00:07:40,400
infrastructure setups.
160
00:07:40,600 --> 00:07:44,560
And when you find SSRF, don't stop at the first internal service that you
161
00:07:44,560 --> 00:07:44,840
hit.
162
00:07:45,240 --> 00:07:47,960
Think about what else might be accessible from there.
163
00:07:48,080 --> 00:07:51,280
Authorization issues are also where there is a ton of money to be made,
164
00:07:51,560 --> 00:07:53,200
especially for SaaS platforms.
165
00:07:53,240 --> 00:07:54,960
But here is what most hunters miss.
166
00:07:55,160 --> 00:07:56,600
Don't just look for basic IDORs.
167
00:07:56,640 --> 00:07:57,480
Think bigger.
168
00:07:57,520 --> 00:08:00,800
Think about leaking sensitive information through the API endpoints.
169
00:08:00,840 --> 00:08:02,640
Can you access admin functionalities?
170
00:08:02,840 --> 00:08:04,280
Can you view other users data?
171
00:08:04,480 --> 00:08:06,360
That's what the companies care about.
172
00:08:06,360 --> 00:08:07,280
And that's what they pay for.
173
00:08:07,440 --> 00:08:11,160
Here's a pro tip: when you find these issues, always test them unauth.
174
00:08:11,400 --> 00:08:14,680
By that I mean, try it and see if you can access them without being
175
00:08:14,680 --> 00:08:15,160
logged in.
176
00:08:15,360 --> 00:08:19,120
If you find some admin functionality working for a regular user, then test
177
00:08:19,160 --> 00:08:21,680
it out without being logged in and see if you can get access to it.
178
00:08:21,680 --> 00:08:25,200
Because testing for things like this takes a simple functionality from an
179
00:08:25,200 --> 00:08:28,880
admin that may not have an impact into a massive payday because you
180
00:08:28,880 --> 00:08:33,000
were able to prove multiple vulnerabilities within a single functionality.
181
00:08:33,040 --> 00:08:36,680
This actually leads me to one of the most overlooked aspects of bug hunting,
182
00:08:36,680 --> 00:08:40,720
which is proper API testing, but that comes with learning how to fuzz them properly.
183
00:08:40,880 --> 00:08:44,080
Most hunters just spray random parameters, but smart fuzzing is about
184
00:08:44,080 --> 00:08:46,960
understanding the API infrastructure and finding patterns.
185
00:08:47,000 --> 00:08:50,040
When you find one vulnerability, look for it across all of the API
186
00:08:50,040 --> 00:08:53,400
endpoints. One of my favorite things to actually look for is 403
187
00:08:53,400 --> 00:08:55,320
bypasses and the patterns that come with it.
188
00:08:55,360 --> 00:08:57,440
Most people that see a 403, they move on.
189
00:08:57,440 --> 00:09:01,160
But if you can bypass it and show how it leads to a massive data leak, that
190
00:09:01,160 --> 00:09:02,520
is an easy critical finding.
191
00:09:02,520 --> 00:09:05,920
And then you can take that pattern and apply it across all of the different
192
00:09:06,080 --> 00:09:07,400
applications that the company owns.
193
00:09:07,440 --> 00:09:10,840
And don't sleep on path traversals, especially when dealing with reverse
194
00:09:10,840 --> 00:09:14,880
proxies. Modern applications are complex and the complexity creates
195
00:09:14,880 --> 00:09:18,440
vulnerabilities. One executed path traversal can actually expose an entire
196
00:09:18,440 --> 00:09:20,000
internal network and tooling.
197
00:09:20,000 --> 00:09:22,880
So keep that in mind. Even better, if you learn how to use path
198
00:09:22,880 --> 00:09:26,120
traversals when it comes down to client-side vulnerabilities, which is a whole
199
00:09:26,120 --> 00:09:28,840
different topic that I got to give a shout out to Justin, aka rhynorater,
200
00:09:28,840 --> 00:09:30,640
and their podcast.
201
00:09:30,640 --> 00:09:34,000
Before we wrap up, I want to just talk about something that most people
202
00:09:34,000 --> 00:09:37,360
overlook on their journey to making their first 100,000.
203
00:09:37,360 --> 00:09:39,360
And that's that every single dollar counts.
204
00:09:39,440 --> 00:09:42,320
Listen, everyone dreams about landing that massive critical bug.
205
00:09:42,480 --> 00:09:46,760
The reality is that consistent medium findings can also add up and it helps
206
00:09:46,760 --> 00:09:47,640
build momentum.
207
00:09:47,640 --> 00:09:49,960
Don't get caught up in only hunting for criticals.
208
00:09:50,080 --> 00:09:53,680
If you can demonstrate real impact, report those $500 and $1,000
209
00:09:53,680 --> 00:09:58,120
bounties, they stack up. Some of my most successful months come from multiple
210
00:09:58,120 --> 00:10:01,200
medium and high findings, rather than just one big hit.
211
00:10:01,520 --> 00:10:03,120
But here's the thing about reports.
212
00:10:03,320 --> 00:10:04,720
I love how STÖK explained this.
213
00:10:04,800 --> 00:10:07,680
They are your personal brand in the bug bounty world.
214
00:10:07,760 --> 00:10:09,800
Think of each report as your shop's window.
215
00:10:10,000 --> 00:10:13,280
You never know who's reading it or who they are connected to.
216
00:10:13,480 --> 00:10:17,000
I've seen hunters get private invites just because the reports were consistently
217
00:10:17,000 --> 00:10:20,720
professional and well written. And learn to communicate impact clearly.
218
00:10:20,760 --> 00:10:21,360
Whatever you're using,
219
00:10:21,360 --> 00:10:23,960
CVSS or not, make your point easy to understand.
220
00:10:24,160 --> 00:10:28,320
And if a triager doesn't accept the impact right away, don't get frustrated or
221
00:10:28,320 --> 00:10:29,200
just argue with them.
222
00:10:29,400 --> 00:10:30,680
Work on explaining it better.
223
00:10:30,720 --> 00:10:34,560
Sometimes a well explained medium bug can get escalated just because you
224
00:10:34,560 --> 00:10:36,360
communicated the impact clearly.
225
00:10:36,560 --> 00:10:39,760
And if a report gets undervalued and you get paid differently than
226
00:10:39,840 --> 00:10:41,600
you expected, don't let it get to you.
227
00:10:41,640 --> 00:10:44,480
Stay professional. Bug bounty is a long game.
228
00:10:44,680 --> 00:10:47,080
And your reputation is worth more than a single bounty.
229
00:10:47,120 --> 00:10:50,800
I have personally seen way too many bug bounty hunters burn bridges over a
230
00:10:50,800 --> 00:10:52,120
single downgraded report.
231
00:10:52,240 --> 00:10:55,160
And trust me, that's not how you get to $100,000.
232
00:10:55,400 --> 00:10:55,680
All right.
233
00:10:55,720 --> 00:10:56,280
What do you think?
234
00:10:56,360 --> 00:10:57,680
Are you ready to join the 100k club?
235
00:10:57,840 --> 00:10:58,840
Let me know down below.
236
00:10:59,080 --> 00:11:00,840
And I will see you all in next week's video.
237
00:11:01,120 --> 00:11:01,600
Peace.