Bug Bounty $100,000 Roadmap — 12-Month Plan
I had claude help me make a 12 month plan and I am going to do it. 2026 is already 25% over. I do not want to waste any more time. I also used some info from this post by Justin Gardner (@Rhynorater)
I will spend as much time on Bug Bounty as I possibly can starting this Thursday, 26th March 2026.
Profile: BS Cybersecurity | A+, Net+, Sec+, Pentest+, CySA+, ISC2 SSCP
Commitment: 40+ hours/week
Track: Web Application Hacking
Math
To hit $100k, you need roughly one of these scenarios:
- 10–15 high-severity bugs at $5k–$10k each
- 3–5 critical bugs at $15k–$30k each + a handful of mediums
- 50–80 medium bugs at $1k–$2k each
The plan below optimizes for the middle path: specialize fast, get your first bounties within 90 days, then compound skills to chase criticals.
Overview
| Phase | Months | Focus | Earning Target |
|---|---|---|---|
| 1 | 1–2 | Foundation & tooling | $0 (building skills) |
| 2 | 3–4 | Core vuln classes + first bounties | $500–$2,000 |
| 3 | 5–7 | Advanced techniques & chaining | $5k–$15k total |
| 4 | 8–12 | Full hunter mode | $85k–$100k+ total |
Phase 1 — Months 1–2: Foundation (~350 hrs total)
JavaScript — 40 hours
Resource: javascript.info (free) — complete Parts 1 and 2
Focus on:
- DOM manipulation
document.location,innerHTML,eval()- Event listeners and
fetch() - How cookies work in JS
postMessageand cross-origin communication
Practice: Open any website, open DevTools, read their JS files. Try to understand what data flows where.
DOM XSS, client-side logic flaws, and postMessage vulnerabilities are all high-payout and invisible if you can’t read JS.
Burp Suite Mastery — 30 hours
Resource: PortSwigger Web Security Academy (free) — Burp Suite-specific sections
Learn:
- Intruder, Repeater, Comparer, Decoder, Logger
- Match-and-replace rules
- Writing Burp extensions in Python (Montoya API)
- Setting up FoxyProxy
- Intercepting mobile apps with Burp
HTTP & Web Fundamentals — 20 hours
Learn:
- Every HTTP status code and what it means in a bug context
- CORS, SameSite cookies, CSP headers
- How OAuth 2.0 flows work at the protocol level
Practice: Use curl for everything — it forces you to understand what Burp is doing under the hood.
PortSwigger Academy Labs — Ongoing
Start these in week 1, run in parallel with everything else. Goal: 50 labs completed by end of month 2.
Priority order:
- SQL injection
- XSS (all three types)
- CSRF
- Access control
- Authentication
Phase 1 Goals (by day 60)
- Solve 50 PortSwigger labs
- Read JS well enough to spot sources and sinks
- Write a basic XSS payload from scratch without looking it up
- Understand every HTTP verb and common header
- Set up a full local Burp proxy environment
Phase 2 — Months 3–4: Core Vulnerability Classes (~350 hrs)
Now you start hunting for real, alongside learning.
IDOR & Broken Access Control — 25 hours
This is the #1 source of first bounties for new hunters. Companies consistently miss these because they require understanding business logic, not just technical scanning.
What to do:
- Every time you see a numeric ID in a URL or request body, try changing it
- Look for UUIDs — people think they’re secure by obscurity; they’re not if leaked elsewhere
- Test horizontal and vertical privilege escalation separately
Resources:
- The “IDOR Bible” write-up by @r0x
- Every HackerOne disclosed IDOR report (filter by “Broken Access Control” on HackerOne Hacktivity)
XSS Deep Dive — 25 hours
Go beyond <script>alert(1)</script>.
Learn:
- Stored XSS in rich text editors, file uploads, profile fields
- DOM XSS via
location.hash,document.referrer,window.name - Filter bypass techniques — encoding, polyglots, SVG payloads, mutation XSS (mXSS)
- How to use XSS Hunter to prove impact to triagers (this affects payout)
Resource: PortSwigger XSS labs — complete all of them including expert-level
SQLi, SSRF, XXE — 25 hours
SQL Injection:
- Focus on blind and time-based — these are still found in the wild constantly
- Learn
sqlmapbut understand what it’s doing under the hood
SSRF (Server-Side Request Forgery):
- This is a high-payout vulnerability. Learn cloud metadata endpoints (
169.254.169.254) - How to pivot SSRF to internal services
- Blind SSRF via out-of-band (use Burp Collaborator or interactsh)
XXE:
- File disclosure via external entity
- Blind XXE via OOB
Resource: PortSwigger labs for all three categories
Auth & Session Attacks — 15 hours
Learn:
- Password reset flow flaws (host header injection, token predictability, race conditions)
- Session fixation and session puzzling
- 2FA bypass techniques (code reuse, response manipulation, backup code flaws)
Resource: PortSwigger Authentication labs
Start Hunting in Month 3
Sign up for HackerOne and Bugcrowd. Start with programs that have “safe harbor” language and wide scope.
Good starting programs:
- HackerOne’s own bug bounty program
- U.S. Department of Defense VDP (great for learning, lower competition)
- Large tech companies with broad scopes and fast triage
Your goal in month 3 is not money — it is getting your first report triaged, even if it comes back as N/A. The feedback is invaluable.
Phase 2 Goals (by day 120)
- Submit first bug report (even if N/A)
- Win first bounty (aim: $100–$500)
- Complete HackTheBox or TryHackMe web labs
- Build a personal recon methodology document
- Read 20 disclosed reports on HackerOne Hacktivity
- Set up a notes system (Obsidian or Notion) for your findings
Phase 3 — Months 5–7: Advanced Techniques & Chaining (~420 hrs)
Business Logic Flaws — 30 hours
These cannot be found by scanners. They require understanding what the app is supposed to do and figuring out how to make it do something it should not.
Examples:
- Price manipulation and coupon stacking
- Quantity overflows and negative values
- Workflow bypasses (skipping steps in a multi-step process)
- Race conditions — two simultaneous requests that each independently pass a check
Resources:
- PortSwigger Business Logic labs
- Every disclosed “logic” bug on HackerOne Hacktivity
OAuth / JWT / SSO Attacks — 25 hours
These are disproportionately high payout because:
- They affect authentication, which is always critical impact
- They are complex enough that most junior hunters cannot find them
- Account takeover via OAuth is often a P1 ($10k+)
Learn:
stateparameter CSRF in OAuth flows- Open redirect chaining to steal authorization codes
- Token leakage via referrer header
- JWT
alg:noneattack - JWT secret brute-forcing with
hashcat - Implicit flow vulnerabilities
Resources:
- PortSwigger OAuth labs (all of them)
- “An Illustrated Guide to OAuth and OpenID Connect” (okta.com)
API Hacking — 25 hours
Every app has an API. Many are poorly documented and undertested.
Learn:
- Mass assignment vulnerabilities (sending extra JSON fields the API accepts)
- Excessive data exposure (API returns more data than the UI shows)
- Broken Object Level Authorization (BOLA — essentially API-level IDOR)
- Using Postman and REST Client to interact with APIs manually
Resources:
- OWASP API Security Top 10
- APIsec University (free)
GraphQL & WebSockets — 15 hours
GraphQL:
- Introspection queries to map the entire API surface
- Batch queries to bypass rate limiting
- GraphQL injection
WebSockets:
- Message tampering via Burp
- Cross-site WebSocket hijacking
Resource: PortSwigger GraphQL labs
Bug Chaining — 20 hours
This is the skill that 10x’s your payouts. A medium-severity XSS combined with an information disclosure that leaks an admin token equals a critical account takeover.
Practice:
- Every time you find a low-severity bug, ask: “what can I do with this?”
- Study how top hunters chain bugs in their public write-ups
Resource: https://pentester.land/list-of-bug-bounty-writeups — filter for “chain” write-ups
Build Your Recon Automation Pipeline
Set this up and let it run in the background while you manually test.
# Basic recon pipeline
subfinder -d target.com | httpx -silent | nuclei -t nuclei-templates/
# Passive URL collection
echo target.com | gau | grep "?" | tee urls.txt
cat urls.txt | waybackurls >> urls.txt
# GitHub dorking
# Search: org:targetorg password OR secret OR api_key
Tools to install:
subfinder— subdomain enumerationamass— in-depth DNS enumerationhttpx— HTTP probingnuclei— template-based scanningffuf— fast web fuzzergau— get all URLswaybackurls— Wayback Machine URL fetchernotify— send alerts to Telegram or Discord
Phase 3 Goals (by day 210)
- $5k–$15k earned total
- 1–2 programs you know deeply (understand their tech stack and past findings)
- Land first high-severity (P2) report
- Automated recon pipeline running
- Writing reports that get triaged without back-and-forth
- Receive first private program invite
Phase 4 — Months 8–12: Full Hunter Mode
By now you have a niche, a methodology, and repeating income. The job now is volume combined with depth.
Weekly Time Split
- 30 hours/week actively hunting on programs
- 10 hours/week learning new techniques and reading write-ups
Pick One Niche to Go Expert-Level
The hunters who make $100k+ are known for something. Choose based on where you have found the most success:
| Niche | Why | Payout Potential |
|---|---|---|
| OAuth / SSO | Highest payouts, least competition | P1 frequently ($10k–$30k) |
| Mobile API backends | Poor security, undertested | P1–P2 range |
| GraphQL | Newer tech, overlooked everywhere | P2–P1 range |
| Cloud misconfigs | AWS/GCP misconfigs, metadata leaks | Varies widely |
Private Programs
- HackerOne and Bugcrowd invite top hunters to private programs
- Private programs have less competition, higher payouts, and broader scope
- You get invites by: finding bugs, building reputation, and sometimes by directly asking program managers
- Target: First private invite by month 6–7
Report Quality
A well-written report gets triaged faster, bounty paid sooner, and triagers remember you for future reports.
Every report must include:
- Vulnerability summary — one clear sentence describing the issue
- Steps to reproduce — numbered, explicit, anyone should be able to follow them
- Proof of concept — working exploit code, screenshots, or video walkthrough
- Impact statement — what can an attacker actually do with this? Be specific
- Suggested remediation — shows professionalism, speeds up triage
Phase 4 Goals (by month 12)
- $85k–$100k+ earned total
- Strong reputation score on HackerOne or Bugcrowd
- 3+ active private program invites
- At least one critical / P1 bug in your portfolio
- Recognized niche specialization
- Public write-up or conference talk (optional but accelerates invites)
Weekly Schedule
| Time Block | Activity |
|---|---|
| Mon–Fri mornings (4 hrs/day) | Active hunting on chosen programs |
| Mon/Wed evenings (2 hrs each) | PortSwigger labs or new technique study |
| Tue/Thu evenings (2 hrs each) | Read 5 disclosed reports per session |
| Saturday (6–8 hrs) | Deep dive on one new vulnerability class |
| Sunday (3–4 hrs) | Write-up review, recon automation, program research |
Platforms
| Platform | Notes |
|---|---|
| HackerOne | Start here. Most beginner-friendly, most disclosed reports to learn from |
| Bugcrowd | Good second platform once you have momentum |
| Intigriti | European programs, less saturated |
| YesWeHack | Less competitive than HackerOne |
| DoD VDP | Unlimited scope, great for learning |
| Synack / Cobalt | Avoid early on — curated, hard to get into as a new hunter |
Learning Resources
Free
- PortSwigger Web Security Academy
- PentesterLand write-ups list — https://pentester.land/list-of-bug-bounty-writeups
- HackerOne Hacktivity — disclosed reports, sorted by bounty amount
Tools Reference
Essential Setup
# Install Go (required for most tools)
sudo pacman -S go
# Recon tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/ffuf/ffuf/v2@latest
go install -v github.com/lc/gau/v2/cmd/gau@latest
go install -v github.com/tomnomnom/waybackurls@latest
# Update nuclei templates
nuclei -update-templates
Burp Suite Extensions to Install
- Autorize — automatic access control testing
- Turbo Intruder — fast fuzzing beyond what Intruder can do
- Logger++ — advanced request logging
- JS Miner — extracts endpoints and secrets from JS files
- Param Miner — discovers hidden parameters
Key Mindset Points
The first 60 days are the hardest.
Read more write-ups than you think you need to. The fastest way to learn to find bugs is to understand exactly how other people found them. Aim for 5 write-ups per day in months 1–4.
Go deep on programs, not wide.
Impact is everything. A bug is only worth what an attacker can do with it. Always ask: “can I chain this into something worse?” A self-XSS is N/A. A self-XSS that becomes account takeover via a CSRF is a P2.
Your reports are your reputation.
Last updated: March 2026