Helping you connect the bug to bounty


We aim to become your go-to place for everything bug bounties. Learn how to test for security vulnerabilities on web applications with our various real-life web applications and gain the confidence to begin applying your newly found knowledge on bug bounty programs. Browse and digest security researcher tutorials, guides and writeups, and let us help you on your journey.

Made by @zseano
Artwork by laracallejaillustrations


Learning to identify vulnerabilities on web applications


New or experienced, test your skills against custom-made web application challenges based on real bug bounty findings! Learn about new techniques and bypasses whilst embracing the mindset of a hacker. With a variety of challenges designed to teach you a broad range of web application bugs, there is something for everyone.

Learn about various mistakes developers make when developing and how vulnerabilities arise from this.

The stage is yours, take it.

Browse our free web application challenges

For newcomers

You may only redirect to *.bugbountyhunter.com

🔥 Level up

Can you access our private tool, XSS Destroyer?

🔥 Level up

What's behind this admin panel?

🔥 Level up

Check out these HackerPhotos! Nothing's wrong here.

ZSeano's Playground


FastFoodHackings is a demo web application offering a glimpse into what you can expect when purchasing membership. With over 25 unique findings to discover but no knowledge of what to find, it's up to you to learn the hacker mindset and discover all of the vulnerabilities!

Learn how the web application works and explore the various features available and begin your hunt!

Please note there is no triage available for this demo. Our members-only web application BARKER is a much larger web application with more bugs, more features and more frequent updates, as well as triaging of your issues!


BugBountyHunter Membership

Gain confidence testing web applications with BARKER

Take your learning to the next level and put your knowledge & skills around web vulnerabilities to the test and apply them on our fully working web application dubbed BARKER.

BARKER contains over 100 real-life vulnerabilities, real bugs from real-life scenarios. All you have to do is understand the features and begin testing for vulnerabilities! True hacker style. Sign up, log in, begin interacting with the various features and start testing for vulnerabilities instantly.

Gain confidence as you go through the application and begin to understand how everything works, which parameters are used and so on, rather than being told, "there's xss here, can you find the bypass?". Over time, the more you play with BARKER, the more you'll begin to find. How many bugs are staring you in the face?

Learn more about joining BugBountyHunter



Reading material

Jump into our treasure trove of security-related content and begin your journey into the world of bug bounties! Learn about the various types of security vulnerabilities, explore disclosed vulnerabilities and read guides to help you with bug bounties.

New to bug bounties and need a helping hand on how to get started? Or perhaps you're interested in learning about various tools used by top bug hunters? Look no further, we've got it covered for you.



Disclosed Reports

Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to aid you in your hunt.

  • Curl - CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport
  • Curl - CVE-2021-22922: Wrong content via metalink not discarded
  • Mailru - Stored XSS on the "Edit client" page, "History" tab [city-mobil.ru/taxiserv]
  • Security - Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io
  • Github-security-lab - [go]: Add query for detecting CORS misconfiguration
  • Algolia - email verification bypass
  • Mailru - Stored XSS on the "Edit driver" page [city-mobil.ru/taxiserv]
  • Mailru - Blind SSRF on calendar.mail.ru when importing a calendar
  • Openmage - CSRF in changing password after using reset password link
  • Mailru - MCS Graphite SSRF: internal network access
