
Your first paid finding.

Bug bounty is the most accessible legal ethical-hacking work in 2026. There's no employer to convince, no clearance to wait for, no degree to verify. You sign up, you read scope, you find something real, you write it up well, you get paid. Some people make a living from it · most people use it as a credentialing path into full-time security roles.

The single rule: read the scope before you touch anything. The scope is the authorization. Out-of-scope testing is a CFAA violation regardless of how friendly the platform looks. See /learn/cyber/legal.

HackerOne

Largest by program count and bounty pool. Hosts the DoD VDP + many Fortune 500 + frontier model labs. Has 'Hacktivity' (publicly disclosed reports) — best place to learn what a good write-up looks like.

::start → Sign up free. Read 50 public reports in your favorite vuln class. Pick a program with broad scope and public engagement. Spend 4 hours reconning before you write a single payload.

Bugcrowd

Second-largest. Strong on private invite programs once you build a track record. Bug Bash events (paid live-hacking competitions) for senior researchers.

::start → Same as HackerOne. Their educational content (Bugcrowd University, free on YouTube) is excellent on web vulnerability categories.

Intigriti

European-headquartered. Strong roster of EU enterprise programs. Excellent CTF program ('1337up Live'). Often higher signal-to-noise than the US platforms.

::start → Free signup. Their public CTF challenges are a low-stakes intro to their platform mechanics.

YesWeHack

French-headquartered. Strong on EU government + critical-infrastructure programs that aren't on US platforms. Multilingual.

::start → Free signup. Read their published Dojo training material first.

Synack Red Team

Vetted invitation-only researcher pool. Customers pay Synack, Synack pays the researchers. Higher pay per finding, harder to get in (technical interview + background check).

::start → After you have 50+ valid findings on HackerOne / Bugcrowd. Not an entry path.

Department of Defense VDP

US DoD's public Vulnerability Disclosure Program on HackerOne. Hosted at hackerone.com/deptofdefense. You report bugs in DoD-controlled .mil websites within scope. NO bounties — just public credit + the satisfaction of helping defend US systems.

::start → Read the scope. The scope is wider than people think. Submit a real finding. People have used DoD VDP submissions as resume credentials for federal cyber roles.

The first-finding playbook

  1. Pick the right program. Filter for: large scope (gives you surface area), public engagement (means staff are reading reports), reasonable response time (median < 7 days on HackerOne program pages), bounty range (don't start on a $10K-only program — start where $100-$500 findings are common). Examples of historically beginner-friendly programs at various times: Shopify, GitLab, WordPress.org, Mozilla, Internet Bug Bounty, the DoD VDP.
  2. Read the scope document twice. Highlight every domain that's explicitly in. Highlight every exclusion. If the scope says “*.example.com EXCEPT example.com/admin” — that carve-out is binding. The exclusions are usually the easy way to get banned.
  3. Recon before you exploit. Most successful first findings come from researchers who spent 4-12 hours understanding the application surface before touching a single payload. Subdomain enumeration. JS file inspection for endpoint discovery. Read the application's legitimate API documentation (often public). Find the feature that's clearly new or recently changed.
  4. Hunt the boring vulns first. Famous beginner findings: IDORs (insecure direct object reference — changing a userID parameter and seeing someone else's data), broken access control on admin-flagged routes, business-logic flaws in pricing/coupon/refund flows, open redirects with auth-token leakage, subdomain takeover via abandoned DNS records (acquireForge wrote the canonical post on this). Stay away from reflected XSS as a first finding · they're duplicates 95% of the time.
  5. Write the report like you're briefing a tired engineer. Title states the finding in one sentence. Steps to reproduce in 5-8 numbered steps. Screenshots of the proof (not 40 — three). Impact in plain language. Recommended fix in two sentences. CVSS score optional (most reviewers re-score anyway). The platform-published example reports under “Hacktivity” on HackerOne are your template. Mimic them.
  6. Wait. Then wait more. Triage on most programs takes 1-7 days. Resolution + bounty payout takes 2-12 weeks. The patience is the discipline. While you wait, work on the next finding.
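Step 4's headline beginner class, IDOR / broken object-level access control, is easiest to understand from the developer's side: the handler authenticates the caller and then forgets to ask whether the caller owns the object. The following is an added illustration, not code from this page or from any program listed on it. It assumes a hypothetical in-memory invoice service with constructed sample data; the vulnerable handler and the hardened one sit side by side, and a small regression check shows what a triager would want demonstrated (one account reading another account's records) and what the fix should reduce to zero.

```python
"""Added example: IDOR (broken object-level authorization) and its fix.

Hypothetical invoice service with constructed sample data. Not the code of
any bug bounty program; written to show the pattern step 4 describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: user 7 owns two invoices, user 9 owns one.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_000),
    1002: Invoice(1002, owner_id=7, amount_cents=4_500),
    1003: Invoice(1003, owner_id=9, amount_cents=99_000),
}

NOT_FOUND = (404, None)


def get_invoice_vulnerable(session_user_id: int, invoice_id: int):
    """The bug: the caller is authenticated (session_user_id is trusted),
    but ownership is never checked. Any logged-in user who edits the id
    in the URL receives another customer's invoice."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return NOT_FOUND
    return 200, invoice


def get_invoice_hardened(session_user_id: int, invoice_id: int):
    """The fix: authorization is a property of (caller, object), decided
    server-side on every request. 'Missing' and 'not yours' return the
    same 404 so the endpoint does not confirm which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return NOT_FOUND
    return 200, invoice


def leaked_invoice_ids(handler, session_user_id: int):
    """Defender-side regression check: which invoices NOT owned by
    session_user_id does the handler still hand back? Run it in the
    test suite; the expected result after the fix is an empty list."""
    return sorted(
        invoice_id
        for invoice_id, invoice in INVOICES.items()
        if invoice.owner_id != session_user_id
        and handler(session_user_id, invoice_id)[0] == 200
    )


if __name__ == "__main__":
    # User 9 should only ever see invoice 1003.
    print("vulnerable leaks:", leaked_invoice_ids(get_invoice_vulnerable, 9))
    print("hardened leaks:  ", leaked_invoice_ids(get_invoice_hardened, 9))
```

The regression check is the shape of a good report's "steps to reproduce": one account, one request, a record it should not be able to see. It is also the shape of the fix's proof: the same check returning nothing.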

The most-common mistakes new hunters make

  • Out-of-scope testing. The fastest way to get banned. Read scope, stay inside it.
  • Automated scanner output dumps. Nessus, ZAP, sqlmap output pasted into a report is closed as Not Applicable instantly. Triage staff hate it. Manual validation only.
  • Trivial findings with inflated severity. “Missing security header” isn't High. Open redirect without exploitation chain isn't Critical. Calibrate your severity claims to actual impact or the triage team will calibrate you down and trust will erode.
  • Duplicate-chasing. Reflected XSS in a search bar has been reported 400 times. Don't. Look at the program's recently-disclosed reports — patterns repeat. Find what they haven't found yet.
  • Disclosure violations. Most programs require you NOT to disclose the finding publicly until the program approves disclosure (or after a fixed timeline). Posting it on Twitter early is a ban + potentially CFAA exposure.
  • Argument escalation. Disagreement with triage about severity happens. Argue politely once. If they hold the line, move on. Programs ban hunters for ugly disputes, even when the hunter was technically right.
  • Volume chasing. Twenty low-quality findings beat one good one in your head, but not on the platform. Reputation is built on signal-to-noise ratio, not submission count.

Realistic earning ladders

  • Year 1, part-time: $0-$5K total. Mostly Low-Medium findings. Goal is rank + portfolio.
  • Year 1-2, part-time: $5K-$25K/year is typical for someone serious putting in 10-15 hrs/week.
  • Year 3+, full-time solo: $50K-$200K/year is realistic for full-time hunters who've specialized. A subset hits $300K+.
  • Top tier (Synack invite-only, top 50 globally, private programs): $300K-$1M+/year. Rare. Visible on HackerOne's public leaderboard.

Source: HackerOne Hacker-Powered Security Report (annual), Bugcrowd Inside the Mind of a Hacker report (annual), self-reported income surveys on Twitter/X by named researchers. Top-of-band earnings are highly variable and dependent on specialty, timing, and luck. Median bounty hunter earnings remain modest — the platform skews heavy-tailed.

LAB · ATOMEONS · MARCO ISLAND FL · ÆONS RESEARCH · 12 PAPERS · CC-BY 4.0