Getting Started

All you need to kickstart bug hunting.

1. So, you want to get into bug bounties? by infosec_au
2. How to get into bug bounties by 0xprial
3. Resources for beginners by rhynorater
4. Roadmap - an Excellent roadmap designed for all levels. Junior, Medior, and Senior. You can follow the suggested topics to visualize the obstacles in front of you that you should bypass to become a successful Security Researcher. by HolyBugx
5. So you want to be a web security researcher? by James Kettle
6. A Graduate’s Thoughts: How to Get Started in Information Security and Cyber Security
7. Tip's from a hunter who got his first bounty - A must read for every beginner by rahmetu
8. Reflecting on 2 Years of Bug Bounty by pmnh
9. Prerequisite knowledge before starting to learn about web vulns by Justin

Payloads

Some interesting payloads available public, which you can use for various scenarios

1. sh377c0d3/Payloads - Contains payloads based on various bug types, by sh377c0d3
2. danielmiessler/SecLists - SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. by
3. PayloadsAllTheThings - A list of useful payloads and bypasses for Web Application Security.
4. Super wordlists - https://github.com/fuzz-security/SuperWordlist
5. random-robbie/bruteforce-lists - Some files for bruteforcing certain things
6. CommonSpeak wordlists - Wordlist generated from a tool that leverages public datasets from Google's BigQuery platform.
7. OneListForAll - Project to generate huge wordlists for web fuzzing, by Six2dez1

Tools

List of interesting tools available for shooting. Also here is the github list containing all the interesting tools I have come across

1. Wapiti - Wapiti is a web application security auditor.
2. Bug-Bounty-Toolz - A repo contains personal scripts and tools by m4ll0k
3. puredns - fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
4. Rengine - Recon framework and does end to end recon
5. BBRF - A tool to organize your recon information in a centralized way.
6. Nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL.
7. mimproxy - mitmproxy is a free and open source interactive HTTPS proxy. A proxy tool that can replace burp and helps in building tools
8. Armanda - A high performance TCP Reconftw - reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities by six2dez
9. WhatWaf - an advanced firewall detection tool who's goal is to give you the idea of "There's a WAF?"
10. GitTools - Find websites with .git files
11. page-fetch - Fetch web pages using headless Chrome, storing all fetched resources including JavaScript files. Run arbitrary JavaScript on many web pages and see the returned values

Automation

Some tools and scripts which can help automate various phases of security testing.

1. discover - Custom bash scripts used to automate various penetration testing tasks including recon, scanning, enumeration, and creating malicious payloads using Metasploit.
2. Bug Bounty Oneliners - A collection of awesome one-liner scripts especially for bug bounty tips.
3. Hakluke: Creating the Perfect Bug Bounty Automation by Hakluke
4. pentest-tools - A collection of tools by gwendallecoguic
5. Rengine - Recon framework and does end to end recon
6. BBRF - A tool to organize your recon information in a centralized way.

Projects

Collection of project ideas which can help improve programming skills by completing real projects.

1. 100-redteam-projects - A list of projects for pentesters and network managers

References, Tricks and Tutorials.

1. Hackikng with CURL - A list of examples and references of hacking with Bash and the Curl command
2. Great OWASP Top 10 Referece
3. BugBounty Mind-Maps

Vulnerable Apps

Vulnerable apps which can tested for practicing the vulnerabilities learned.

1. Awesome vulnerable apps - A curated list of various vulnerable by design applications
2. Gin and Juice Shop by Portswigger

Twitter Threads

Useful twitter threads from various researchers and companies

1. How to use Autorepeater
2. Cheatsheets and Checklists
3. Burpsuite tips and tricks
4. Source code review Tips by infosec_au
5. Maximize your luck of finding a bug
6. 10 Common Mistakes to avoid in bugbounty by Manan

Mental Health

1. Bug Bounties and Mental Health
2. Things to do—and avoid doing—when contacting and working with a mentor by Daniel Miessler

Onward & Upward

1. How to turn security research into profit: a CL.0 case study
2. From Researcher to Engineer and Beyond

Misc

1. The 10 rules to be successful in your bug bounty career by arl_rose
2. What To Do When You're Stuck Hacking
3. How to Make Your Goals Achievable
4. Explore Farnam Street Articles - Help you master the best of what other people have already figured out.
5. Bug bounty hunter to working at Microsoft
6. Asking good questions
7. How to get useful answers to your questions by Julia Evans
8. How to answer questions in a helpful way by Julia Evans
9. Luck VS HardWork
10. How to Create Luck
11. Career Advice and Professional Development