Platforms & Program Selection
Choosing the right targets to maximize your success rate
What You'll Discover
🎯 Why This Matters
Where you hunt matters as much as how you hunt. Some programs are overcrowded, some pay poorly, some never respond. Choosing the right program can mean the difference between a $50 bounty and $5,000 for the same effort. Learn to evaluate programs strategically.
🔍 What You'll Learn
- Reading and understanding program scopes
- Evaluating program quality (response time, payouts)
- Public vs private programs
- VDP vs bounty programs
- Finding less crowded targets
🚀 Your First Win
In 20 minutes, you'll know how to identify programs where you can compete effectively and get paid.
Skills You'll Master
Scope Interpretation
Understanding wildcards, exclusions, and what you can legally test
Program Evaluation
Reading metrics to predict which programs are worth your time
Strategic Targeting
Finding programs with less competition and more opportunity
Platform Navigation
Using HackerOne, Bugcrowd, and Intigriti effectively
🔧 Try This Right Now
Evaluate a program's stats on any bug bounty platform:
# On any program page, look for these metrics:
# RESPONSE TIME
# How fast does the security team reply to reports?
# - Under 1 week = Excellent (they're engaged)
# - 1-2 weeks = Good (normal for most programs)
# - Over 1 month = Red flag (your report may sit unread)
# - "N/A" = Nobody's responding (avoid this program)
# BOUNTY RANGE
# What do they pay for vulnerabilities?
# - Shows minimum and maximum per severity
# - Example: "$100 - $5,000" means $100 for low severity,
# up to $5,000 for critical issues
# RESOLVED REPORTS
# How many bugs have they fixed?
# - High number = Active program, pays out regularly
# - Low number = Either new, or they don't engage much
# LAUNCH DATE
# When did the program start?
# - New programs (under 6 months) = Less competition
# - Old programs (3+ years) = Easy bugs already found
# SCOPE SIZE
# How much attack surface do they expose?
# - *.target.com (wildcard) = Many subdomains to test
# - www.target.com only = Very limited testing area
You'll see: These metrics tell you whether a program is worth investing your time.
Understanding Program Types
"The best program isn't the one with the highest bounties - it's the one where you can actually find bugs."
Program Types Explained
Public Programs
Open to anyone with a platform account. You can start testing immediately.
Pros: No barrier to entry, great for building reputation, variety of targets
Cons: More competition, common vulnerabilities get found quickly
Strategy: Start with public programs. They're where you build your track record.
Private Programs
Invitation-only programs reserved for researchers with proven track records.
Pros: Less competition, often higher payouts, access to sensitive targets
Cons: Require invitation based on reputation metrics
How to get invited: Submit consistent, valid reports on public programs. Platforms automatically invite researchers based on signal (your ratio of accepted vs rejected reports) and report quality.
VDP (Vulnerability Disclosure Program)
Programs that accept vulnerability reports but offer recognition instead of money. Think of VDPs as companies saying "please tell us about security issues" without a financial reward.
Why they exist: Many companies can't afford bounty programs but still want security feedback
What you get: Public acknowledgment, reputation points on platforms, experience
Strategic value: VDP reports still count toward your platform statistics and private program invitations. They're excellent for learning without the pressure of racing against experienced hunters.
Self-Hosted Programs
Companies running their own bug bounty programs outside major platforms, typically at /security or /responsible-disclosure pages.
Pros: Often overlooked by researchers, less competition
Cons: Variable quality, inconsistent communication, no platform mediation if disputes arise
Finding them: Search "[company name] security" or check their footer for security pages
Reading Scope Correctly
⚠️ Critical: Testing out-of-scope assets can get you banned from platforms or face legal action. Always verify scope before testing.
Understanding Wildcard Notation
# IN SCOPE - Assets you CAN test
*.target.com
# The asterisk (*) is a WILDCARD meaning "anything"
# This covers: api.target.com, app.target.com, dev.target.com
# Basically any subdomain of target.com
# This is VALUABLE - more subdomains = more attack surface
app.target.com
# SPECIFIC subdomain only - no wildcard
# You can ONLY test app.target.com
# Cannot test api.target.com or any other subdomain
*.*.target.com
# Double wildcard - covers sub-subdomains too
# Example: staging.api.target.com is in scope
iOS/Android apps
# Mobile applications - test through proxying traffic
# Look for API endpoints and mobile-specific bugs
Out of Scope (Never Test These)
# EXCLUDED ASSETS - Testing these can get you banned
Third-party services
# Services the company uses but doesn't own
# Example: If they use Zendesk for support, don't test Zendesk
# Even if accessed via support.target.com
*.staging.target.com or *.dev.target.com
# Staging/development environments often excluded
# Less stable, may contain test data, and doesn't reflect production security
Social engineering
# Never phish employees, call support to extract info, etc.
# This is almost always out of scope
Physical attacks
# Breaking into offices, USB drops, etc.
# Requires explicit authorization for physical pentests
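The wildcard and exclusion rules above, turned into a small scope checker you can run against a candidate hostname before touching it. This is an added example for this page, not a tool from any platform; its matching rules ('*' matches exactly one DNS label, exclusions beat inclusions) and the target.com scope are assumptions.

```python
"""Scope checker for the wildcard notation explained above: decides whether a
hostname may be tested under a program's in-scope and out-of-scope lists.
Added example for this page, not a tool from any platform. Matching rules are
assumptions: '*' matches exactly one DNS label ('*.target.com' covers
api.target.com but not staging.api.target.com, which needs '*.*.target.com'),
and an exclusion always wins over an inclusion.
"""
from dataclasses import dataclass, field


@dataclass
class Scope:
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)


def match(pattern: str, host: str) -> bool:
    """Label-by-label comparison; each '*' consumes exactly one label, so the
    pattern and host must have the same number of labels."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def check(scope: Scope, host: str) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions are tested first, so
    qa.staging.target.com stays off-limits even though '*.*.target.com'
    would otherwise cover it."""
    for pat in scope.out_of_scope:
        if match(pat, host):
            return False, f"excluded by {pat}"
    for pat in scope.in_scope:
        if match(pat, host):
            return True, f"allowed by {pat}"
    return False, "not listed in scope"


# Constructed scope modelled on the notation above; target.com is a placeholder.
SAMPLE_SCOPE = Scope(
    in_scope=["*.target.com", "*.*.target.com"],
    out_of_scope=["*.staging.target.com", "*.dev.target.com",
                  "support.target.com"],  # third-party helpdesk on a company hostname
)

if __name__ == "__main__":
    for host in ["api.target.com", "staging.api.target.com",
                 "qa.staging.target.com", "support.target.com", "target.com"]:
        allowed, reason = check(SAMPLE_SCOPE, host)
        print(f"{host:26} {'TEST' if allowed else 'SKIP'}  ({reason})")
```

Real programs often state their own wildcard semantics (some treat `*.target.com` as covering every depth), so adjust `match` to the program's wording rather than assuming this one-label rule.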
Common Exclusions (Usually N/A)
# These are typically excluded or marked N/A:
DoS/DDoS attacks
# Flooding servers with traffic
# Don't test availability - only confidentiality/integrity
Self-XSS
# XSS that only affects the person entering it
# No victim can be exploited without social engineering
Missing security headers without demonstrated impact
# "Missing X-Frame-Options" alone is not a vulnerability
# You need to show exploitable clickjacking
Clickjacking without sensitive action
# Clickjacking on a public page doesn't matter
# Need to show you can trick users into damaging actions
Rate limiting "issues" without impact
# "I can make 100 requests per second" isn't a bug
# Unless you can demonstrate account lockout bypass, etc.
Strategic Program Selection
Programs That Maximize Your Success
# IDEAL FIRST PROGRAMS - Look for these characteristics:
✓ Recently launched (under 6 months old)
Why: Experienced hunters haven't exhausted the easy bugs yet
✓ Broad scope with wildcards (*.company.com)
Why: More subdomains = more endpoints = more opportunity
✓ Active engagement (recent resolved reports)
Why: They actually respond and pay - not abandoned
✓ Reasonable payouts ($50+ for low severity)
Why: Your time has value, even small bugs should pay
✓ Good response time (under 1 week average)
Why: Fast feedback helps you learn and improve
Programs to Approach Later
# SAVE THESE FOR LATER - Not ideal when starting out:
✗ Major tech companies (Google, Meta, Apple)
Why: Thousands of experienced hunters competing daily
Result: High duplicate rate, need deep expertise to find new bugs
✗ Programs older than 3 years
Why: Common vulnerabilities already found and fixed
Result: Need advanced techniques to find remaining bugs
✗ Narrow scope (single page or feature)
Why: Very limited attack surface
Result: Few bugs to find, high competition for what exists
✗ Programs with poor response metrics
Why: Your reports may sit unreviewed for months
Result: Wasted time, no feedback to improve
Finding Less Crowded Targets
# STRATEGIES FOR REDUCED COMPETITION:
1. New programs
- Filter by launch date on platforms
- HackerOne: Sort by "Newest"
- Get in before the crowd
2. Scope updates
- When programs add new assets, it's like a fresh launch
- Follow program announcements
- New mobile app added? Test it first
3. Non-tech industries
- Healthcare, finance, retail, government
- Fewer security researchers target these
- Often have weaker security practices
4. Regional platforms
- Intigriti (Europe-focused, smaller researcher pool)
- YesWeHack (French platform, less competition)
- Smaller platforms = less competition
5. Smaller companies
- Fortune 500 programs attract thousands
- Series B startups attract dozens
- Math works in your favor
Real Program Analysis
Good Program Example
Scope: *.company.com, iOS app, Android app
Bounty Range: $100 - $5,000
Response Time: 3 days average
Resolved Reports: 150+ (active)
Launch: 6 months ago
Analysis: Wildcard scope means many subdomains to explore. Mobile apps add attack surface. $100 minimum is reasonable. 3-day response shows engaged security team. 150+ resolved means they actually pay. Six months old means it's not picked clean. This is worth your time.
Avoid This Program
Scope: www.company.com only (no wildcard)
Bounty Range: Hall of Fame only (no money)
Response Time: 45 days average
Resolved Reports: 5 (inactive)
Launch: 3 years ago
Analysis: Single domain with no wildcard = minimal attack surface. No monetary reward = only reputation value. 45-day response = your reports sit in limbo. Only 5 resolved in 3 years = effectively abandoned. Move on to better targets.
Frequently Asked Questions
Should I focus on one program or many?
Start with 2-3 programs and learn their applications deeply. Surface-level testing across 50 programs is less effective than thorough testing of a few. When you know a target well - its technology stack, its patterns, its edge cases - you find bugs that casual hunters miss. Depth beats breadth.
How do I get invited to private programs?
Build reputation on public programs through consistent valid reports. Platforms track your "signal" - your ratio of accepted reports to total submissions. High signal (meaning most of your reports are valid, not duplicates or N/A) plus good report quality triggers automatic invitations. There's no shortcut - demonstrate competence through your work.
Are VDPs worth the time?
Absolutely - they're valuable learning grounds. VDPs are typically less competitive and excellent for building skills and platform reputation. Your valid VDP reports still count toward your statistics and private program invitations. Balance your time between VDPs (learning, reputation) and paid programs (income). They're not mutually exclusive.
What's the difference between HackerOne, Bugcrowd, and Intigriti?
HackerOne: Largest platform, most programs, most competition. Good variety but crowded.
Bugcrowd: Second largest, strong enterprise focus, good private program access.
Intigriti: Europe-focused, smaller researcher pool means less competition, growing program list.
Create accounts on all three, since different programs live on different platforms.
🎯 You Can Choose Programs Strategically!
You now know how to evaluate programs, read scope correctly, and identify targets where you can actually succeed. Strategic program selection is half the battle - the other half is consistent, quality testing.