Legit security work, not sketchy nonsense

Get paid to find bugs — the legal way.

A simple guide to white-hat hacker platforms, what each one is good for, and the fastest safe path from curious beginner to paid vulnerability researcher.

$ scope_check
Program rules: allowed
Target: in scope
Report: clear + reproducible
Payout odds: much better

// rule zero
Only test systems where you have explicit permission.

White hat = permission

You’re finding vulnerabilities inside a defined scope, following rules, and reporting responsibly.

Real payouts exist

Small bugs may pay modestly. Critical bugs on mature programs can pay thousands — sometimes much more.

Reports matter

The difference between ignored and paid is often a clean writeup: impact, proof, steps, fix suggestion.

Platform map

Where to look first

Start broad, learn the rhythm, then graduate into more selective networks once you have a track record.

HackerOne

Beginner-friendly · Huge

Largest mainstream bug bounty marketplace with many public programs.

Visit HackerOne →

Bugcrowd

Public + private

Great place to learn program scopes and submit structured vulnerability reports.

Visit Bugcrowd →

Intigriti

EU strong

Clean platform with high-quality web app programs and solid researcher community.

Visit Intigriti →

Cobalt

Professional · Pentest work

More like vetted client pentesting than casual bounty hunting. Great goal, not the easiest first stop.

Visit Cobalt →

Synack

Selective

Vetted researcher network with higher trust requirements and structured engagements.

Visit Synack →

Immunefi

Web3 · High payouts

Crypto and smart contract bounties. Big upside, but requires specialized skill.

Visit Immunefi →

Beginner path

The sane 30-day starting plan

01

Learn web bugs

Use PortSwigger Academy for SQLi, XSS, auth bugs, access control, SSRF.

02

Practice safely

Use TryHackMe and Hack The Box labs. Break toy systems, not random real ones.

03

Pick easy scopes

Choose public programs with broad scope and clear rules. Avoid hardened giants at first.

04

Write clean reports

Include impact, exact steps, screenshots, affected URL, and a practical remediation note.

Do not skip this

Permission is the whole game.

If a target is not explicitly in scope, don’t touch it. Random scanning, password attacks, data extraction, or “just testing” on systems you don’t own can become illegal very quickly.

White hat work is about proof without harm: minimal impact, no persistence, no data theft, no disruption.
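One way to make rule zero a habit is to run every candidate target through a scope check before touching it. The script below is an added example, not code from this page or from any bounty platform; the program scope it uses is constructed for illustration, and it treats anything the program never listed as forbidden.

```python
# Added example (not from the original page): a minimal scope checker that
# applies "rule zero" before any testing starts. The program scope below is
# CONSTRUCTED for illustration, not copied from any real bounty program.
from urllib.parse import urlsplit

# Constructed scope: "*.host" patterns cover subdomains; out-of-scope entries
# win over in-scope ones, which is how most program rules are meant to be read.
PROGRAM_SCOPE = {
    "in_scope": ["*.example.com", "api.example.net"],
    "out_of_scope": ["legacy.example.com", "*.internal.example.com"],
}

def _host_matches(host: str, pattern: str) -> bool:
    """A wildcard like *.example.com covers subdomains, not the apex itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix match on ".example.com"
    return host == pattern

def classify_target(url: str, scope: dict = PROGRAM_SCOPE) -> str:
    """Return 'out_of_scope', 'in_scope' or 'unknown' for a target URL.
    'unknown' means the program never listed the host: treat it as forbidden."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exclusions are checked first so an out-of-scope host inside an
    # in-scope wildcard is still refused.
    if any(_host_matches(host, p) for p in scope["out_of_scope"]):
        return "out_of_scope"
    if any(_host_matches(host, p) for p in scope["in_scope"]):
        return "in_scope"
    return "unknown"

def allowed_to_test(url: str, scope: dict = PROGRAM_SCOPE) -> bool:
    """Only an explicit in-scope match counts as permission; anything else is a no."""
    return classify_target(url, scope) == "in_scope"

if __name__ == "__main__":
    for target in ["https://shop.example.com/cart", "https://legacy.example.com",
                   "https://db.internal.example.com:8443/", "https://example.com"]:
        print(f"{target}: {classify_target(target)}")
```

Keep the real program's scope page open beside this: the checker only encodes what you typed into it, so re-read the rules whenever a program updates them.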

Start today

Best first three links:

PortSwigger Academy

TryHackMe Labs

HackerOne Programs

Goal: learn one bug class, reproduce it in a lab, then look for only that class in a legal program scope.