# Thread by @ArchAngelDDay on Thread Reader App


100 (very) short bug bounty rules:

1/ Spend at least 30 minutes on a new target\
2/ Look for “No”s\
3/ Use Italics Tags in your inputs instead of XSS payloads\
4/ Focus on SaaS apps that are multi-tenant\
5/ Buy Burp Pro

6/ On a new target go straight to the User Management section\
7/ See if inviting an existing user to your org exposes their name\
8/ See if inviting an existing user removes them from their own org\
9/ If the scope has a wildcard, use subfinder to find subdomains

10/ Run HTTPX on the list of subdomains to narrow down alive targets\
11/ On an app you’re not familiar with, use it like a normal user first\
12/ If the docs say you can’t do X, but you can do X then you have a bug\
13/ Use match & replace rules to find new endpoints

14/ Budget time into your week specifically for hacking\
15/ Give yourself a no-bug time limit. I do 3 hours.\
16/ Go back to old dupes and see if you can still reproduce.\
17/ Look for “+2” in your reputation log to find dupes that should be now.\
18/ Ask for help from other hackers

19/ Make your report a conversation, not a sales pitch\
20/ Accept & expect that dupes will happen\
21/ File & Forget\
22/ If an endpoint has “api/v2/”, try “api/v1/”\
23/ If an endpoint has “api/v2”, try removing the “v2” altogether

24/ 6 $1000 Mediums pay more than 1 $5,000 crit. Don’t ignore any bugs\
25/ Lows are still bugs that should be filed\
26/ Be kind to your triager\
27/ Say “thank you” when you get a bounty

28/ If an app uses UUIDs, you can still look for IDORs. Just set “AC:H”.\
29/ If UUID IDORs exist, then look for an endpoint that exposes UUIDs\
30/ Pin your success on whether you followed your plan, not if you found bugs

31/ A program that has a lot of hackers doesn’t mean there isn’t low-hanging fruit\
32/ Going deep _will_ pay off\
33/ Working with new hackers will pay off in dividends\
34/ Don’t be jealous

35/ Bug Bounty income isn’t consistent. Be okay with peaks & valleys for your own sanity\
36/ If you find a bug that’s OOS, still ask the customer if they care\
37/ There’s no end. Enjoy the journey\
38/ Have a hobby that’s not related to hacking

39/ Have friends that don’t hack\
40/ Figure out what time of day you hack the best. Late nights aren’t for me.\
41/ Spend that extra 2 minutes to make your report look/read nice\
42/ “Subscribe” to programs that pay well and have good scope

43/ Don’t whine on Twitter about a single report. Or at all for that matter.\
44/ IDORs and Privilege Escalations are a great place to start\
45/ Unmet expectations lead to disappointment\
46/ Teach someone else how to hack\
47/ Time spent reading/learning is time well spent

48/ Focus on programs that you actually use in your day-to-day\
49/ Establish a relationship with the program\
50/ Try asking the program what types of bugs they want to see\
51/ Look at a program’s leaderboard to see who you should collab with

52/ When collaborating, an even bounty split eliminates hassle\
53/ Take a break when you stop having fun\
54/ At an LHE, start hacking ahead of time\
55/ Look for programs that are active in resolving reports

56/ Look for programs that haven’t awarded a lot recently\
57/ Look for programs that have collaboration enabled\
58/ Look for programs that don’t list out a bunch of known issues\
59/ Look for programs that have a history of adding new scope

60/ Change your strategy if you’ve gone a while without a finding\
61/ If you’re on a roll, keep doing what you’re doing\
62/ But don’t let success keep you from evolving/growing\
63/ Compare yourself against yourself from last year\
64/ Maintain online presence for new opportunities

65/ Be thankful for failure\
66/ Read disclosed reports\
67/ Focus on one program at a time. Cycle if you get bored.\
68/ Don’t spray XSS payloads everywhere\
69/ If possible, work at a company that has a BBP

70/ Spend bounty money on tools that will generate more bounties\
71/ Budget a specific amount of your bounties for fun. And stick to it.\
72/ When hacking a store, don’t be afraid to make small purchases\
73/ Look for changes in JS files to know when there may be new functionality

74/ Look for references to subdomains in a company’s GH repos\
75/ Look for references to subdomains in employees’ GH repos\
76/ If the app uses Intercom, try booting it with another email\
77/ Look for second-degree IDORs

78/ SSRFs exist when the app makes any external request. Look for these requests.\
79/ Look for actuator endpoints\
80/ Find hackers that hack differently than you.\
81/ Try hacking in a different room of the house\
82/ Try hacking at a different location altogether

83/ If you find the same bug on different endpoints, file as different bugs\
84/ Try always having some pending bugs in your pipeline\
85/ Break your yearly bounty goal into monthly goals\
86/ Know when a bounty isn’t worth fighting over

87/ Push back gently when a report gets downgraded\
88/ Use the leaderboard as motivation, not as comparison\
89/ Don’t re-invent the wheel when a tool exists\
90/ Don’t be afraid to build the wheel if the tool doesn’t\
91/ Try collabing in real time over video chat

92/ Always ask why something works the way it does\
93/ When collabing, don’t be afraid to be the underperformer\
94/ When collabing, don’t get salty about being the overperformer\
95/ Use mediation, but use it sparingly\
96/ Be generous with your earnings

97/ Hack for fun, not for a paycheck\
98/ LHEs are a privilege, not an expectation\
99/ Programs are your friend, not your adversary. Work with them\
100/ The platform is your friend, not your adversary. Work with them

profile: [@ArchAngelDDay](https://twitter.com/ArchAngelDDay?t=F23nBECLFVoJEgJKoXpjfA\&s=09)
