How to earn your first bug bounty on HackerOne
Bug bounty rewards skill and patience - most hunters earn their first payout months in, not days.
Build the foundations first
Learn web fundamentals deeply - HTTP, authentication, and the OWASP Top 10. Free resources like Hacker101 (run by HackerOne) and practice labs teach the core vulnerability classes. You cannot find what you cannot recognize.
Pick targets where you can win
Start with public programs that have wide scopes and active triage, or vulnerability disclosure programs where competition is lower. Read the program policy carefully - out-of-scope reports waste everyone's time and hurt your signal score. Old, broad scopes beat shiny new ones for beginners.
Write reports that get paid
A good report includes clear reproduction steps, impact explained in business terms, and a proof of concept. Duplicates are part of the game - your signal and reputation grow with each valid report, unlocking private program invitations where the real earnings are.