Ethical Hacking for Beginners: How I Landed My First Bug Bounty in 90 Days
Beginner's guide to ethical hacking — the tools, certifications, platforms, and methodologies to start finding real vulnerabilities and earning bug bounties.
On day 94 of my ethical hacking learning journey, I received an email I had not quite convinced myself would come: "Thank you for your submission. We have validated and resolved your report. Your reward of $150 has been processed."
One hundred and fifty dollars is not a life-changing amount of money. But that report — a reflected cross-site scripting vulnerability in a medium-sized SaaS application's search parameter — represented something the money could not fully capture: proof that I could find real vulnerabilities in real systems. Not in lab environments built to be vulnerable. In production software used by actual people.
I want to tell you exactly how I got there in 90 days, because most of the content about bug bounty for beginners is either unrealistically optimistic (promises of $10,000 first reports) or vague to the point of uselessness ("learn web application security"). I will cover the exact learning resources I used, the tools I spent time with, the methodology I followed, and the honest mistakes I made along the way.
One critical point before we go further: ethical hacking means operating within authorized scopes. Everything I practiced was either in lab environments I owned, on deliberately vulnerable platforms designed for practice, or within the published scope of bug bounty programs that explicitly invite security research. Never test systems you do not own or have explicit written authorization to test.
For the full cybersecurity career picture, see our cybersecurity career guide and the cybersecurity resources hub.
What Ethical Hacking Actually Involves
Before tools and techniques, let me give you an honest picture of what ethical hacking practice looks like day to day for a beginner.
The romanticized version involves sitting at a keyboard, running some commands, and immediately compromising systems in dramatic ways. The reality is mostly reading: reading documentation, reading error messages, reading source code, reading security research papers and blog posts to understand how specific vulnerability classes work.
Ethical hacking requires understanding systems deeply enough to find the gaps between how they are designed to work and how they actually behave under unusual conditions. That gap is where vulnerabilities live. Finding it requires patience, systematic thinking, and the ability to stay curious when the first fifty things you try do not work.
The hands-on skill builds faster than most beginners expect once you find the right practice platforms. The methodology builds more slowly because it requires developing intuition about what to look for and where.
The Essential Ethical Hacking Toolkit
You do not need expensive tools to start. Here is the toolkit I built during my first 90 days and what each tool actually does:
Ethical Hacking Tools Table
| Tool | Category | What It Does | Cost | Learning Curve | Best For |
|---|---|---|---|---|---|
| Kali Linux | Operating System | Purpose-built security distro with 600+ pre-installed tools | Free | Moderate — learn Linux first | Primary working environment for security testing |
| Burp Suite Community | Web App Testing | Intercepts and modifies HTTP/S requests; spider, scanner, repeater, intruder | Free (Community) / $449/year (Pro) | Moderate — very deep feature set | Web application security testing — your most-used tool |
| Nmap | Network Reconnaissance | Port scanning, service detection, OS fingerprinting, scripting engine | Free | Low-moderate | Network enumeration and discovery |
| Metasploit Framework | Exploitation | Exploit framework for known CVEs; payload generation, post-exploitation modules | Free (Community) / Paid (Pro) | High — complex but well-documented | Learning exploitation concepts in lab environments |
| Wireshark | Network Analysis | Capture and analyze network packets in real time | Free | Moderate | Understanding network traffic, finding cleartext credentials |
| SQLMap | Database Testing | Automated SQL injection detection and exploitation | Free | Low | SQL injection testing on authorized targets |
| Gobuster / ffuf | Web Enumeration | Directory and subdomain brute-forcing for hidden content | Free | Low | Discovering hidden endpoints, files, and subdomains |
| Nikto | Web Scanning | Web server misconfiguration and vulnerability scanner | Free | Low | Quick surface scans for obvious misconfigurations |
| John the Ripper / Hashcat | Password Analysis | Password hash cracking | Free | Moderate | Lab exercises involving captured hashes |
My day-to-day tools were Burp Suite and a browser. Roughly 80% of bug bounty work for web applications flows through Burp Suite — intercepting requests, modifying parameters, replaying requests with altered inputs. If you only have time to learn one tool deeply, make it Burp Suite for web security.
Bug Bounty Platforms: Where to Start
Bug bounty platforms host programs where companies invite security researchers to find vulnerabilities in exchange for recognition and financial rewards. They provide the legal framework — the scope, rules of engagement, and payment mechanism — that makes authorized testing possible for independent researchers.
Bug Bounty Platform Comparison
| Platform | Programs Available | Beginner Friendliness | Payout Range | Private Programs | Best Feature |
|---|---|---|---|---|---|
| HackerOne | 3,000+ (public + private) | Good — has educational content and easy programs | $50-$1M+ | Yes — invite based on reputation | Largest program selection; best brand recognition |
| Bugcrowd | 1,000+ (public + private) | Good — Bugcrowd University free training | $50-$500k+ | Yes | University training resources; strong managed program quality |
| Intigriti | 500+ (mostly EU companies) | Moderate — fewer beginner-friendly programs | €50-€100k+ | Yes | Strong European company coverage; growing rapidly |
| Synack Red Team | Private enterprise programs | Low — application/vetting required | Higher average payouts | All programs are private | Higher-quality targets; vetting ensures serious researchers |
| Open Bug Bounty | 1,000+ (coordinated disclosure) | High for XSS beginners — no payment | Hall of fame recognition | No | Non-financial submissions; good for building report history |
| YesWeHack | 400+ | Moderate | €50-€100k+ | Yes | Strong French and European presence |
My recommendation for beginners: start with HackerOne. Create your profile, complete the free hacker education content in the platform, and begin with programs that explicitly welcome new researchers. Look for programs that mention "all severity levels welcome" or that have broad scope including wildcard domains. Programs with very narrow scope or that only pay for critical vulnerabilities are discouraging for beginners.
The 90-Day Learning Roadmap
Here is the exact 90-day plan I followed. I was spending 2-3 hours per day on learning and practice.
90-Day Learning Roadmap
| Week | Focus | Resources Used | Hours/Day | End-of-Week Goal |
|---|---|---|---|---|
| Week 1-2 | Web fundamentals: HTTP, HTML, cookies, sessions, same-origin policy | PortSwigger Web Academy (free), MDN Web Docs | 2 | Understand how web requests work; intercept first request in Burp Suite |
| Week 3-4 | OWASP Top 10 study: SQL injection, XSS, IDOR, SSRF, security misconfigurations | PortSwigger Web Academy labs, OWASP Top 10 documentation | 2-3 | Complete SQL injection and XSS lab tracks on PortSwigger |
| Week 5-6 | Hands-on practice: DVWA and TryHackMe web app rooms | DVWA (locally hosted), TryHackMe OWASP Top 10 room | 2-3 | Exploit each OWASP Top 10 vulnerability in controlled environment |
| Week 7-8 | Burp Suite deep dive: Repeater, Intruder, active scanning, extensions | PortSwigger Web Academy Burp Suite learning path | 2-3 | Comfortable with Burp Suite workflow; run first active scan |
| Week 9-10 | Recon methodology: subdomain enumeration, JS file analysis, endpoint discovery | TCM Security bug bounty course, Bug Hunter's Methodology (Jason Haddix) | 2-3 | Build repeatable recon workflow for a target |
| Week 11 | First real program: pick beginner-friendly HackerOne program, do full recon | HackerOne program of choice | 3 | Complete recon on first real target |
| Week 12 | Report writing: how to write clear, reproducible PoC reports | HackerOne Hacktivity (read accepted reports), Intigriti report guides | 2 | Submit first report (valid or not — the feedback is valuable) |
| Week 13 | Iterate: analyze feedback, expand scope, refocus based on what programs respond to | Continue on same program or pivot based on results | 3 | Second submission |
The single most important resource in my first 90 days was PortSwigger Web Academy (portswigger.net/web-security). It is completely free, built by the creators of Burp Suite, and provides hands-on labs for every major web vulnerability class. There is no better structured web security curriculum available at any price point.
Methodology: How I Actually Found the XSS
I want to give you a concrete example of the thought process behind finding a real vulnerability, because methodology is harder to teach than tools.
The XSS I found was in a SaaS application's site-wide search feature. My process:
Step 1: Understand the application. I spent an hour clicking through every feature, creating accounts at different permission levels, understanding what data flows where, and mapping the application's functionality.
Step 2: Identify input points. Every place the application accepts user input and reflects it back into the page is a potential XSS vector. Search boxes, URL parameters, form fields, profile fields, comments.
Step 3: Test the search parameter. I typed `<script>alert(1)</script>` into the search box and watched what came back. The application appeared to sanitize this — no alert popped. But in Burp Suite, I could see the response included my input in the page HTML.
Step 4: Investigate the sanitization. The application was removing `<script>` tags but not all JavaScript contexts. I tried an image tag with an event handler: `<img src=x onerror=alert(1)>`. That also got filtered.
Step 5: Try encoding variations. URL encoding, HTML encoding, double encoding, Unicode encoding. The one that worked was an HTML entity encoding variation on the event handler: `<img src=x onerror=alert(1)>`. The sanitizer was not fully decoding before filtering, which left this path open.
Step 6: Write a clear report. A clearly written proof-of-concept with exact reproduction steps, screenshots, and an explanation of the impact is what separates a valid accepted report from a rejected one. Many beginners find bugs and write poor reports that get triaged as "informational" or "out of scope" — the report quality matters as much as the finding.
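The sanitizer behaviour described in Steps 3 to 5, reconstructed as an added example (this is not the article's code and not the real application's): a hypothetical blocklist that filters before the input is decoded, the same blocklist run after canonicalization, and the fix that makes the blocklist unnecessary, encoding the reflected value for the HTML context at output time. The filter-then-decode ordering is my assumption about how the vulnerable application behaved; the payload strings are the ones quoted above, and the entity-encoded sample is constructed.

```javascript
// Added example, not code from the article or from any vendor it names.
// Models the defect the walkthrough describes (a tag/event-handler
// blocklist applied BEFORE the input is decoded) and contrasts it with
// the defence that works: encoding for the HTML context at the output sink.

// Hypothetical blocklist sanitizer: strips <script> blocks and on*= event
// handler attributes, but only when it can see a literal "<tag".
function blocklistSanitize(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/(<\w+[^>]*?)\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "$1");
}

// Decode numeric (&#60; / &#x3C;) and common named entities, i.e. the
// transformation the application applies AFTER the filter in the flawed order.
function decodeHtmlEntities(s) {
  const named = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[body.toLowerCase()] ?? match;
  });
}

// Flawed order (assumed for the vulnerable app): filter raw input, decode later.
function filterThenDecode(input) {
  return decodeHtmlEntities(blocklistSanitize(input));
}

// Better order for any input filter: canonicalize first so the filter
// inspects exactly the representation the browser will render.
function decodeThenFilter(input) {
  return blocklistSanitize(decodeHtmlEntities(input));
}

// The real fix for a reflected search term: no blocklist at all. Encode every
// HTML metacharacter when the value is written into the page, so nothing the
// user typed can be interpreted as markup.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Check used below: does the rendered HTML still contain a script tag or an
// element carrying an event-handler attribute?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample inputs: the first two are quoted in the article, the
// third is the same img payload with its angle brackets entity-encoded.
const SAMPLES = {
  scriptTag: "<script>alert(1)</script>",
  imgHandler: "<img src=x onerror=alert(1)>",
  imgEncoded: "&#60;img src=x onerror=alert(1)&#62;",
};

// Simulates the search results page reflecting the term through a pipeline.
function renderSearchPage(term, pipeline) {
  return `<p>Results for: ${pipeline(term)}</p>`;
}

for (const [name, term] of Object.entries(SAMPLES)) {
  console.log(
    name,
    "filterThenDecode leaves active markup:", containsActiveMarkup(renderSearchPage(term, filterThenDecode)),
    "decodeThenFilter:", containsActiveMarkup(renderSearchPage(term, decodeThenFilter)),
    "encodeForHtml:", containsActiveMarkup(renderSearchPage(term, encodeForHtml)),
  );
}
```

Run it with node; for each sample it prints whether the rendered page still contains active markup under each pipeline. Only the filter-then-decode pipeline lets the entity-encoded sample through, because the blocklist inspected a representation the page never actually rendered. For the remediation section of a report, the recommendation a triager wants to see is the last function: encode at the output sink for the context the value lands in, rather than adding more patterns to the blocklist.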
Honest Assessment: What I Got Wrong
I want to be honest about what did not work in my first 90 days, because reading about it may save you the same time.
I spent too long on infrastructure tools before web security. I set up Kali Linux, spent two weeks learning Nmap and Metasploit in depth, and then realized that 90% of accessible bug bounty programs are web applications. Network penetration testing tools like Metasploit are essential for internal network testing and CTF challenges, but they have limited direct application to bug bounty web programs. I should have gone straight to Burp Suite and PortSwigger Web Academy.
I tried programs that were too advanced too early. HackerOne's most prestigious programs — major tech companies, defense contractors, financial institutions — are intensely competitive. Thousands of researchers with years of experience are continuously testing these targets. As a beginner, you will find nothing there. Start with programs that have broad scope, low competition, and explicitly welcome new researchers.
I submitted too quickly before verifying scope. My first two submissions were marked "out of scope" — the specific subdomain I tested was excluded in the program's scope definition. Read the scope carefully before testing anything. Scope violations can get your account restricted on some platforms.
For more on building skills in this area and related security disciplines, explore our learning courses and free notes library, and check out the full range of tech career and cybersecurity resources.
Frequently Asked Questions
What is ethical hacking and is it legal?
Ethical hacking is authorized security testing with written permission from the system owner, or within a published bug bounty program scope. It is entirely legal within those constraints and illegal without authorization. Bug bounty programs provide the legal framework for independent researchers to practice on real targets.
What tools do I need to start ethical hacking?
The essential free toolkit: Kali Linux (or Parrot OS), Burp Suite Community Edition, Nmap, and Wireshark. For web security specifically, Burp Suite is your primary tool. All of these are free — do not invest in paid tools until you have outgrown the free tiers.
How much can I earn from bug bounties?
Entry-level bugs earn $50-$500. Medium-severity vulnerabilities pay $500-$5,000. Critical vulnerabilities can pay $20,000+. Most beginners earn nothing for the first few months. Treat early bug bounty as skill development with occasional income rather than a primary income source.
Do I need programming skills for ethical hacking?
Not strictly as a prerequisite, but Python and basic JavaScript knowledge accelerate your learning significantly. You can start with no coding background, but you will hit limits when you need to understand exploits or write custom payloads. Learn Python basics in parallel with security fundamentals.
What is the difference between a penetration tester and a bug bounty hunter?
Penetration testers work under formal contracts for defined clients, produce formal reports, and receive fixed compensation. Bug bounty hunters work independently, choose their targets from public programs, and earn per valid report — no guaranteed income. Bug bounty is the better entry path for self-learners because the scope is publicly defined and feedback from triagers teaches you what real security teams care about.
Conclusion
My $150 first bug bounty took 94 days to earn. It required more reading, more failed tests, and more rejected preliminary reports than I expected. But the skills built along the way compounded faster than I would have believed at the start.
Ethical hacking for beginners in 2025 has better learning resources than any previous era of the field. PortSwigger Web Academy is genuinely world-class free content. HackerOne and Bugcrowd give you legal access to real production systems. The community on Twitter, Discord servers, and Reddit is accessible and generally generous with advice.
The path I have described works: web fundamentals, OWASP Top 10, Burp Suite proficiency, recon methodology, beginner-friendly programs, clear report writing. Give it 90 days of consistent daily effort before evaluating whether you are making progress. Most people who quit do so in the first month, before the methodology starts to crystallize.
Your first valid report changes how you see every piece of software you use. It is worth the work.
External resources:
- PortSwigger Web Security Academy — the best free web application security learning platform available
- OWASP Web Security Testing Guide — comprehensive methodology reference used by professional penetration testers worldwide
AiTechWorlds Team
The AiTechWorlds team is passionate about AI, technology, and education. We create high-quality, research-backed content to help you learn, grow, and succeed in the modern digital world.