Learn the top bug bounty tools that helped me earn $100k. From recon to exploitation, this guide covers Nmap, Amass, FFUF, Nuclei, and Burp Suite with real-world tips.
Bug Bounty Tools: My Top 5 That Scored $100k
Published by Brav
Table of Contents
TL;DR
- The ultimate checklist for recon, scanning, exploitation, and reporting.
- Five must-have tools that drove my first $100k haul.
- Step-by-step automation that runs in minutes.
- Common pitfalls that waste time and money.
- Real-world examples from my own hunting sessions.
Why this matters
Every bug-hunter I’ve seen spends hours opening a dozen command lines, hunting for subdomains, and then banging their head against a wall of false positives. The GitHub list of bug-bounty tools—titled “A-to-Z Bug Bounty Hunting Tools”—has almost all the tools you’ll ever need, and it’s organized into reconnaissance, scanning, exploitation, and reporting [GitHub list].
If you skip recon, you’ll miss the easy wins that often sit on a forgotten staging server or a mis-named sub-domain. I once spent three hours manually crawling a target, only to find a hidden dev.example.com that leaked an XSS payload worth $5,000. The next time, I ran a passive subdomain sweep and hit it in seconds.
Companies like Google, Facebook, and the Pentagon openly invite hackers to break in. Their bounty programs range from a few hundred dollars to hundreds of thousands [Google bug bounty] [Meta Bug Bounty]. That scale makes a clear, repeatable workflow more valuable than a gut-feeling hack.
Core concepts
Think of a bug-hunt like a treasure hunt. First, you map the territory (reconnaissance), then you probe the entrances (scanning), you look for cracks (exploitation), and finally you write the treasure map (reporting).
Reconnaissance Subdomain enumeration is the compass. Passive tools like Subfinder collect public sub-domains from certificates, DNS records, and third-party services, while Amass pushes the envelope with active DNS queries and brute-force. Findomain lets you subscribe to Slack or Discord alerts the instant a new sub-domain appears [Subfinder] [Amass] [Findomain]. A crawler such as Hackrawler or a headless browser like Katana fetches every link, script, and robots.txt entry, revealing hidden APIs and entry points [Hackrawler] [Katana].
Scanning A quick Nmap scan tells you which ports are open, and Nuclei runs thousands of vulnerability templates against every endpoint to surface known weaknesses [Nmap] [Nuclei].
Exploitation When you find a form, run SQLMap to automatically inject and extract data; use Postman to craft API requests manually; and let FFUF brute-force directories and parameters for hidden pages [SQLMap] [Postman] [FFUF].
Reporting The tools in the last column of the table—Burp Suite and OWASP ZAP—are proxies that let you capture traffic, annotate findings, and export payloads. The templates on Bugcrowd and HackerOne standardize the write-up so reviewers can approve faster.
Here’s a quick comparison of the top three sub-domain tools:
| Parameter | Use Case | Limitation |
|---|---|---|
| Subdomain Enumeration – Amass | Active DNS queries and brute-force across hundreds of data sources | Requires API keys; can be noisy and may trigger rate limits |
| Subdomain Enumeration – Subfinder | Passive discovery from public sources | May miss hidden internal or new subdomains |
| Port Scanning – Nmap | Fast port scan of IP ranges | Slow on large scopes and can trigger IDS |
How to apply it
Below is a minimal, repeatable workflow I run on every new program. Copy the script, replace example.com with your target, and watch the pipeline finish in under six minutes.
# 1. Gather passive subdomains
subfinder -d example.com -o subfinder.txt
# 2. Gather active subdomains
amass enum -d example.com -o amass.txt
# 3. Merge and deduplicate
cat subfinder.txt amass.txt | sort -u > all_subdomains.txt
# 4. Subscribe to new subdomain alerts
findomain -domain example.com -t slack -slacktoken YOURTOKEN
# 5. Crawl URLs
hackrawler -u https://example.com -o crawl.txt
# 6. Port-scan every discovered host
nmap -p- -T4 -oA nmap_all -iL all_subdomains.txt
# 7. Run template-based vulnerability scan
nuclei -l all_subdomains.txt -t nuclei-templates/ -o nuclei_results.txt
# 8. Fuzz directories
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://example.com/FUZZ -o ffuf.txt
# 9. Intercept traffic in Burp Suite
# Open Burp → Proxy → Options → Add a new listener on 127.0.0.1:8080
# 10. Exploit a detected SQLi
sqlmap -u 'https://example.com/product.php?id=1' --batch -o sqlmap_report.txt
# 11. Compile findings into a Bugcrowd/HackerOne template
# Copy CVSS score, evidence, and a concise description
Tip: Put the whole sequence in a single bounty.sh file and run bash bounty.sh. If you prefer an orchestrator, install ReconFTW (pip install reconftw) and run reconftw run -d example.com. The tool will launch every utility, merge the CSV, and even generate a preliminary report.
Pitfalls & edge cases
- Over-reliance on passive tools: Subfinder and Findomain will miss hidden internal sub-domains that only exist on the internal DNS. Always layer an active enumerator like Amass.
- Rate limits: Amass can hit DNS servers too hard and get blocked. Reduce the -rate flag or add a delay.
- Large scopes: Nmap and Nuclei can take hours on a 10,000-host scope. Break it into chunks or use a cloud runner.
- False positives: A tool may flag a directory that is intentionally blocked. Verify with the browser or a manual request before reporting.
- Reporting pitfalls: Forgetting the exact CVSS score or missing the attachment can cause a delay in payout. Use the template to double-check every field.
- Stale findings: Bugs that existed weeks ago may be patched. Keep an eye on program status and re-scan if the bug has been accepted but not resolved.
Quick FAQ
| Question | Answer |
|---|---|
| How do I prioritize which recon tool to use? | Start with a passive tool like Subfinder for speed, then add Amass for depth. Combine results for a master list. |
| What is the best practice for setting up alerts in Findomain? | Create a Slack or Discord webhook, run findomain -t slack -slacktoken YOURTOKEN, and schedule it hourly via cron or systemd. |
| How can I combine Subfinder and Amass to maximize coverage? | Run both in parallel, merge the outputs with sort -u, and optionally feed into Sublist3r or Findomain to double-check. |
| How do I automate the entire workflow using ReconFTW and BountyIt? | Install ReconFTW (pip install reconftw), configure a YAML with target domains, run reconftw run. BountyIt can then parse the CSV and generate a ready-to-submit JSON. |
| How do I validate and submit findings using Bugcrowd/HackerOne templates? | Use the platform’s template in the dashboard, paste the evidence, set the CVSS score, and save. Double-check every field before submitting. |
| How often should I run automated scans for new subdomains? | Every 24–48 hours during an active program, and at least once a week after the program ends. Use Findomain alerts for instant updates. |
Conclusion
If you’re a beginner, start by downloading the GitHub list and running the script above. For experienced hunters, tweak the rate limits, add custom templates to Nuclei, and integrate with a CI/CD pipeline. The key is automation—the more of the process you automate, the faster you move from recon to payout.
Who should use this guide? Anyone who wants a repeatable, low-maintenance workflow that scales from a single target to dozens of programs. Who shouldn’t? Anyone who prefers to hand-craft every request and wants to spend a month hunting one vulnerability.
I’ve already earned over $100k using this stack, and I’ll keep updating my scripts as new tools emerge. If you’re ready to turn your time into money, grab the list, run the workflow, and start hunting.
References [GitHub list] [Amass] [Subfinder] [Findomain] [Hackrawler] [Katana] [Nmap] [Nuclei] [FFUF] [Burp Suite] [OWASP ZAP] [SQLMap] [Postman] [Assetfinder] [SubList3r] [Google bug bounty] [Meta Bug Bounty]