NahamSec's New Video: Common Mistakes and Tips for Beginner Bug Bounty Hunters

In this video, NahamSec discusses common mistakes made by beginners in bug bounty hunting and offers valuable advice to improve their skills. He starts by emphasizing that most people struggle at the beginning not due to a lack of intelligence or motivation, but because they approach bug hunting inefficiently. One of the most frequent mistakes is the lack of a clear goal. NahamSec stresses the importance of setting specific objectives, whether it's for fun, to gain experience for a job, or to become a full-time bug hunter. He recommends writing down these goals and breaking them into smaller steps. For example, if the goal is to find the first XSS (Cross-Site Scripting), one should first learn everything about XSS, their different forms (reflected, stored, blind) and tricks to bypass WAFs (Web Application Firewalls) and filters. Once this step is completed, one can start hunting. Another crucial point is the selection of programs. NahamSec advises beginners to start with VDPs (Vulnerability Disclosure Programs) or vulnerability disclosure programs to develop their own methodology. This allows them to gain experience in searching for vulnerabilities like XSS, SSRF (Server-Side Request Forgery), and IDOR (Insecure Direct Object References). Once this experience is gained, one can move on to broader programs. He mentions companies like Ford, GM, IBM for VDPs, and Epic Games and Netflix for paid bug bounty programs. NahamSec also warns against reporting vulnerabilities without real impact. It is important to be able to explain the consequences of a vulnerability for users or the company's infrastructure. Reports should be relevant and not simply point out elements like missing headers or outdated versions without context. Finally, he addresses the issue of duplicates and informative reports. Many beginners use the same tools in the same way as everyone else, leading to redundant reports. NahamSec recommends mastering basic web vulnerabilities before using automated tools. The key to success lies in consistency and continuous learning. He concludes by emphasizing the importance of not working alone. Joining a community, such as a Discord server, can be extremely beneficial. Sharing notes and methods with other bug hunters can change the way one approaches vulnerabilities. For those who want to know more about how NahamSec started, he invites them to leave a comment for a future video on the topic.