Regarding proceeding to bug bounty


I’m a beginner in this field of bug bounty.

I have found bugs in one website; how should I proceed to inform them?
Thanks in advance.

If you think you have found valid security issues in websites, then you are expected to disclose them in a coordinated and responsible manner under a bug bounty or RVDP (Responsible Vulnerability Disclosure Program) to the respective websites, whether on platforms like HackerOne and Bugcrowd or through independent programs (websites that host their programs by themselves without the involvement of any third-party company). I always recommend starting with vulnerability disclosure programs rather than jumping straight to bug bounty programs, as money is what attracts most bug hunters. If you choose RVDPs, there is a high chance you will succeed, as there won’t be much traffic. However, there are exceptions, such as Sony, which attracts much user traffic under its RVDP. I highly recommend this guide to beginners for a better understanding of how to move forward with bug bounties and RVDPs:

Also have a look at this thread:

I would also recommend you join various Discord servers such as Hsploit, HackerOne, The Cyber Mentor, Medium infosec writeups, etc.

I hope this clears up all your doubts regarding bug bounties and responsible vulnerability disclosure programs :smile:


Thanks, it helps me a lot.
So, we can only disclose the bugs on those sites which are the clients of those sites?

For example, if some Y site which I found has a bug and is NOT a client of these bug bounty sites (like HackerOne, etc.), can’t I disclose it?

Or should I mail them individually? Do tell me.


It’s not at all important that you can only disclose client-side vulnerabilities. You can also disclose server-side vulnerabilities if you think you have found a legitimate one. If you found a bug on a site that is not on platforms like HackerOne, Bugcrowd, etc., you can check if they have:

else report it to their security email, like [email protected]. You can check out more information online. If you don’t find anything related, then that’s a clear sign for you to move on to another website for bug and vulnerability discovery. Give the company a reasonable time (maybe 30 days) to verify and fix your reported vulnerability or bug. If they don’t accept it, don’t contact you back, or do not respond to your first email regarding the vulnerability submission, then you are free to release information about that bug/vulnerability publicly. But do remember to follow a reasonable timeline. Additionally, you can check this out if you want a clearer idea of the vulnerabilities that can be reported: