How to Get Started with Bug Bounty Hunting on YesWeHack

Bug bounty hunting is an exciting way to test your cybersecurity skills while earning rewards. Johan Brun recently shared his success story on LinkedIn about finding his first eligible vulnerability on YesWeHack, a top French bug bounty platform.

You Should Know:

1. Getting Started with Bug Bounty

  • Choose the Right Platform: YesWeHack (https://www.yeswehack.com/) is a great starting point.
  • Understand Scope: Focus on programs where many testers have already searched—this forces you to think creatively.
  • Start Small: Even findings with a low CVSS (Common Vulnerability Scoring System) score, like Johan’s 3.1, count as wins.

2. Essential Tools & Commands

Reconnaissance & Scanning

```bash
# Subdomain Enumeration
subfinder -d example.com -o subs.txt
assetfinder --subs-only example.com | tee -a subs.txt

# Port Scanning with Nmap
nmap -sV -T4 -p- -iL subs.txt -oA scan_results

# Web Vulnerability Scanning
nikto -h https://example.com
gobuster dir -u https://example.com -w /path/to/wordlist.txt
```

Automating with Bash

```bash
#!/bin/bash
# Simple Recon Script: usage ./recon.sh <domain>
set -euo pipefail
if [ $# -ne 1 ]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi
domain="$1"
echo "Starting reconnaissance on $domain..."
subfinder -d "$domain" -o "subs_$domain.txt"                                # enumerate subdomains
httpx -l "subs_$domain.txt" -o "live_$domain.txt"                           # keep only hosts serving HTTP(S)
nuclei -l "live_$domain.txt" -t ~/nuclei-templates/ -o "vulns_$domain.txt"  # template-based vulnerability scan
```

3. Common Vulnerabilities to Hunt For

  • IDOR (Insecure Direct Object Reference): Manipulate object references (e.g., `/user?id=123` → `/user?id=124`).
  • XSS (Cross-Site Scripting): Test input fields with `<script>alert(1)</script>`.
  • Broken Authentication: Test weak password policies or session hijacking.
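The IDOR and XSS items above, shown from the fixing side as an added example (this is not code from the original post or from YesWeHack): a minimal Python module with the vulnerable handler beside its hardened form for each class. The user table, the session/request ids and the comment text are constructed sample data.

```python
import html

# Constructed in-memory "database": user id -> profile record (sample data, not real)
USERS = {
    123: {"email": "alice@example.com", "notes": "alice's private notes"},
    124: {"email": "bob@example.com", "notes": "bob's private notes"},
}


def get_profile_vulnerable(session_user_id, requested_id):
    """IDOR: the id taken from the URL is trusted and ownership is never checked,
    so any authenticated user can read any other user's record."""
    return USERS.get(requested_id)


def get_profile_fixed(session_user_id, requested_id):
    """Hardened: the record is only returned when it belongs to the session user.
    Returning None (404-style) avoids confirming that the other id exists."""
    if requested_id != session_user_id:
        return None
    return USERS.get(requested_id)


def render_comment_vulnerable(comment):
    """XSS: untrusted text is concatenated straight into HTML markup."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_fixed(comment):
    """Hardened: output encoding for an HTML text-node context.
    html.escape turns < > & " ' into entities, so markup in the input is shown as text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def is_idor(session_user_id, requested_id, handler):
    """True when a handler hands back a record the session user does not own.
    Useful as a regression check in the app's own test suite."""
    record = handler(session_user_id, requested_id)
    return record is not None and requested_id != session_user_id


if __name__ == "__main__":
    # Alice (123) asks for Bob's (124) profile
    print("vulnerable handler leaks:", is_idor(123, 124, get_profile_vulnerable))
    print("fixed handler leaks:     ", is_idor(123, 124, get_profile_fixed))
    probe = "<script>alert(1)</script>"  # the probe string from the list above
    print(render_comment_vulnerable(probe))
    print(render_comment_fixed(probe))
```

The same pattern generalises: every object lookup needs an authorisation check tied to the session, and every place untrusted data is written into a page needs encoding for that specific context (HTML body, attribute, JavaScript, URL), which is why a single global "sanitise" step is not a substitute.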

4. Reporting & Earning Bounties

  • YesWeHack Submission Guidelines: Provide clear steps to reproduce.
  • CVSS Calculator: Use https://www.first.org/cvss/calculator/3.1 to score your findings.

What Undercode Says

Bug bounty hunting requires persistence. Johan’s journey proves that even on well-tested platforms, vulnerabilities exist. Key takeaways:
– Never assume a target is “too secure”—keep testing.
– Automate repetitive tasks (recon, scanning).
– Learn from others: Join platforms like HackerOne, Bugcrowd, and YesWeHack.

Expected Output:

  • A structured bug report with:
    – Vulnerability Type
    – Steps to Reproduce
    – Impact
    – Suggested Fix

Prediction

As more companies adopt bug bounty programs, demand for skilled hunters will rise. Expect AI-assisted vulnerability scanning to become mainstream, but manual testing will remain critical for logic flaws.

Relevant URLs:

  • YesWeHack: https://www.yeswehack.com/
  • Nuclei Templates: https://github.com/projectdiscovery/nuclei-templates
  • OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/

References:

Reported By: Johanbrun Quand – Hackers Feeds