Asset types to hunt in

In the context of a bug bounty program, an asset is an application, website, or product that you can hack. There are different types of assets, each with its own characteristics, requirements, and pros and cons. After considering these differences, you should choose a program with assets that play to your strengths, based on your skill set, experience level, and preferences.

Asset type Skill set Attack surface Beginners
Social sites
The ability to use a proxy, like the Burp Suite
proxy, and knowledge about web vulnerabilities
such as XSS and IDOR. It is also helpful to
have some JavaScript programming skills and
knowledge about web development.
General web
Knowledge about client-side and server-side web
vulnerabilities, and the ability to use a proxy.
It is also helpful to have some knowledge
about web development and programming.
(Android, iOS,
and Windows)
Hacking web applications with knowledge about
the structure of mobile apps and programming
techniques related to the platform, and
certificate pinning bypass, mobile reverse
engineering, and cryptography.
APIs Many of the same skills as hacking web
applications, mobile applications, and
IoT applications, with a focus on common API
bugs like data leaks and injection flaws.
Source code
Knowledge of web vulnerabilities, programming
skills related to the project’s codebase, and
code analysis skills. Cryptography, software
development, and reverse engineering skills.
and IoT
A deep familiarity with the type of device,
understanding common IoT vulnerabilities,
knowledge about web vulnerabilities,
programming, code analysis, and reverse
engineering, IoT concepts and industry standards
such as digital signing and asymmetric encryption
schemes. Cryptography, wireless hacking, and
software development skills will be helpful too.