Asset types to hunt in
In the context of a bug bounty program, an asset is an application, website, or product that you can hack. There are different types of assets, each with its own characteristics, requirements, and pros and cons. After considering these differences, you should choose a program with assets that play to your strengths, based on your skill set, experience level, and preferences.
Asset type | Skill set | Attack surface | Beginners |
---|---|---|---|
Social sites and applications | The ability to use a proxy, like the Burp Suite proxy, and knowledge about web vulnerabilities such as XSS and IDOR. It is also helpful to have some JavaScript programming skills and knowledge about web development. | Huge | ✅ |
General web applications | Knowledge about client-side and server-side web vulnerabilities, and the ability to use a proxy. It is also helpful to have some knowledge about web development and programming. | Large | ✅ |
Mobile applications (Android, iOS, and Windows) | Web application hacking skills, plus knowledge about the structure of mobile apps and programming techniques related to the platform, certificate pinning bypass, mobile reverse engineering, and cryptography. | Huge | |
APIs | Many of the same skills as hacking web applications, mobile applications, and IoT applications, with a focus on common API bugs like data leaks and injection flaws. | Small | |
Source code and executables | Knowledge of web vulnerabilities, programming skills related to the project’s codebase, and code analysis skills, along with cryptography, software development, and reverse engineering skills. | Huge | ❌ |
Hardware and IoT | A deep familiarity with the type of device; an understanding of common IoT vulnerabilities; knowledge about web vulnerabilities, programming, code analysis, and reverse engineering; and knowledge of IoT concepts and industry standards such as digital signing and asymmetric encryption schemes. Cryptography, wireless hacking, and software development skills will be helpful too. | Enormous | ❌ |