A version of the map that I'll try to keep relatively updated is here - last updated December 7th 2019
So… Since I'm starting to get into bug-bounty, I figured that I should probably come up with some sort of consistent process for recon that I can fall back on, if what I'm doing isn't panning out.
And upon doing so, I realized how little I actually know and understand about recon:
My current strategy, as you can tell from the flowchart, is to do a lot of subdomain discovery and OSINT.
While these are both important, there are definitely plenty of things that I'm missing. Even as I write this I can see that I'm doing almost no port discovery and forgot about the Wayback Machine… whoops. But since this post is all about my first attempt, I'll leave it for now, and hopefully in a few months I can come back with a much, much better process.
Links for everything:
Searching through commits and repos is done manually
Most of this is done manually, but here are some sources for inspiration.