Methodology, recon, and process notes. See bug-bounty-methodology for path ordering.

Mindset and target selection

• hacker-mindset-questioning
• program-scope-reading · scope-vertical-vs-horizontal
• target-selection-heuristics · program-selection-tactics
• asset-graphing

Recon — passive and active

• subdomain-enumeration · content-discovery
• js-recon · js-endpoint-extraction
• github-recon · third-party-recon
• google-dorking · certificate-transparency
• acquisitions-recon · asn-enumeration · reverse-whois
• vhost-enumeration · subdomain-permutation
• endpoint-spidering · wordlist-fuzzing-tactics
• analytics-tag-correlation · cloud-asset-recon
• tech-stack-fingerprinting

Methodology workflow

• getting-feel-for-target (step 1)
• expanding-attack-surface (step 2)
• automation-and-rinse-repeat (step 3)
• common-issues-to-start-with
• note-taking-while-hacking
• continuous-recon-automation

Execution patterns

• known-vuln-workflow — tech → CVE → PoC → exploit.
• n-day-rapid-exploitation — race the patch window.
• login-page-attacks
• automated-fuzzer-vuln-discovery
• testing-methodology-checklists
• demonstrating-impact

Process and meta

• report-writing · report-writing-step-by-step
• disclosure-and-comms
• dupe-mental-model
• burnout-and-pipeline