My First Attempt at a Bug-Bounty Recon Process

Sep 21, 2019 • edited Feb 28, 2020

A version of the map that I'll try to keep relatively updated is here - last updated December 7th 2019

So… Since I'm starting to get into bug-bounty, I figured that I should probably come up with some sort of consistent process for recon that I can fall back on, if what I'm doing isn't panning out.

recon flowchart

scripted events are marked by the scroll while the manual events are marked by the fist

And upon doing so, I realized how little I actually know and understand about recon :
My current strategy, as you can tell from the flowchart, is to do a lot of subdomain discovery and OSINT.
While these are both important, there's definitely plenty of things that I'm missing. Even as I write this I can see that I'm doing almost no port discovery and forgot about the wayback machine… whoops. But since this post is all about my first attempt, I'll leave it for now, and hopefully in a few months I can come back with a much much better process.


Searching through commits and repos is done manually

Google Dorks

Most of this is done manually, but here's some sources for inspiration.

Subdomain enumeration

Virtual Hosts



Chromebooks and Why They're Great

Using XSS Hunter to solve Google CTF Quals Beginners Quest Challenges