💰
60-day bug bounty roadmap

Bug Bounty Course

Recon, OWASP Top 10, SSRF chains, reporting and earning bounties on HackerOne and Bugcrowd.

📋 28 lessons live 🎯 60 days total 💪 Intermediate ⚡ Free
Start Day 1 -> Join Free to Track Progress
Day 1
Day 1: What Is Bug Bounty? How Beginners Are Earning $10,000/Month Finding Bugs From Home (2026)
⏱ 10 min ⚡ +10 XP Up next
Day 2
Day 2: Setting Up Your Bug Bounty Hacking Lab — Burp Suite, Firefox & Your First Intercepted HTTP Request (2026)
⏱ 10 min ⚡ +10 XP
Day 3
Day 3: How the Web Works — HTTP, DNS & the Request-Response Cycle Every Bug Bounty Hunter Must Understand (2026)
⏱ 10 min ⚡ +10 XP
Day 4
Day 4: OWASP Top 10 Explained — The Official Bug Bounty Vulnerability Map Every Hunter Needs (2026)
⏱ 10 min ⚡ +10 XP
Day 5
Day 5: Burp Suite Deep Dive for Beginners — Scanner, Intruder, Decoder & Your First Real Vulnerability Test (2026)
⏱ 10 min ⚡ +10 XP
Day 6
Bug Bounty Day 6: Subdomain Enumeration — Build Your Full Attack Surface Map (2026)
⏱ 10 min ⚡ +10 XP
Day 7
Day 7: XSS Bug Bounty Hunting — Find, Exploit & Report Cross-Site Scripting Bugs That Pay (2026)
⏱ 10 min ⚡ +10 XP
Day 8
Day 8: IDOR Bug Bounty Hunting — Find Insecure Direct Object Reference Vulnerabilities That Pay (2026)
⏱ 10 min ⚡ +10 XP
Day 9
Day 9: SQL Injection for Bug Bounty 2026 — Manual Testing + SQLmap Complete Guide
⏱ 10 min ⚡ +10 XP
Day 10
Day 10: SSRF — Server-Side Request Forgery Hunting (2026 Bug Bounty Complete Guide)
⏱ 10 min ⚡ +10 XP
Day 11
Day 11: Open Redirect Bug Bounty Hunting 2026 — Find, Chain and Report the Vulnerability That Turns $200 Bugs Into $5,000 Findings
⏱ 10 min ⚡ +10 XP
Day 12
Day 12: File Upload Vulnerabilities — From Bypassing Filters to Remote Code Execution (Bug Bounty 2026)
⏱ 10 min ⚡ +10 XP
Day 13
XXE Injection Bug Bounty 2026 — Day 13 Hack Server Files via XML
⏱ 10 min ⚡ +10 XP
Day 14
BB Day 14: Command Injection Bug Bounty 2026 — Find OS Injection in Web Apps & APIs That Pay
⏱ 10 min ⚡ +10 XP
Day 15
BB Day15: Business Logic Vulnerabilities Bug Bounty 2026 — Bypass Payment Like a Hacker
⏱ 10 min ⚡ +10 XP
Day 16
BB Day16: Rate Limiting Bug Bounty 2026 — Find Bypass Flaws in Login, OTP and API Endpoints
⏱ 10 min ⚡ +10 XP
Day 17
BB Day17: JWT Attacks Bug Bounty 2026 — Algorithm Confusion, None Attack & Weak Secrets
⏱ 10 min ⚡ +10 XP
Day 18
BB Day18: OAuth 2.0 Bug Bounty 2026 — CSRF in OAuth, Token Leakage & Account Takeover Chains
⏱ 10 min ⚡ +10 XP
Day 19
BB Day19: CSRF Bug Bounty 2026 — Find Cross-Site Request Forgery That Pays and Chain It to Account Takeover
⏱ 10 min ⚡ +10 XP
Day 20
Clickjacking Bug Bounty 2026 — Find UI Redressing Vulnerabilities and Chain to Account Takeover | Bug Bounty Day20
⏱ 10 min ⚡ +10 XP
Day 21
HTTP Request Smuggling 2026 — TE.CL, CL.TE Techniques & High-Impact Exploitation | BB Day21
⏱ 10 min ⚡ +10 XP
Day 22
GraphQL Bug Bounty 2026 — Introspection Abuse, Injection & Broken Authorization | BB Day 22
⏱ 10 min ⚡ +10 XP
Day 23
WebSocket Bug Bounty 2026 — Cross-Site WebSocket Hijacking & Message Injection | BB Day 23
⏱ 10 min ⚡ +10 XP
Day 25
Day 25 Bug Bounty — Host Header Injection Attacks 2026
⏱ 10 min ⚡ +10 XP
Day 25
CRLF Injection Bug Bounty 2026 — Full Exploit Guide (XSS, Response Splitting) BB Day 24
⏱ 10 min ⚡ +10 XP
Day 26
SSTI Bug Bounty 2026 — Server-Side Template Injection to RCE on 5 Template Engines | BB Day 26
⏱ 10 min ⚡ +10 XP
Day 27
Path Traversal LFI Bug Bounty 2026 — Directory Traversal, proc Leaks & Log Poison | BB Day 27
⏱ 10 min ⚡ +10 XP
Day 28
Prototype Pollution Bug Bounty 2026 — Client-Side, Server-Side & RCE Escalation | BB Day 28
⏱ 10 min ⚡ +10 XP

🔒 32 more lessons coming soon