Before I start, one piece of simple advice: try to understand what you are doing. Don't leave open questions. Read and inform yourself about new topics, and convert that information into a form you can understand.


The Scope

Everything has to start somewhere. It doesn't matter whether you're a whitehat working a bug-bounty program (with its Dos and Don'ts) or a blackhat trying to break illegally into a system: defining the scope of your target is the first step, and here is how to do it.


1.) Read the policy

Since we are trying to act legally, it's important to understand the policy of the chosen bug-bounty program. This step is required because submissions outside the policy can be rejected, or even legally pursued. Summarize the information in e.g. a text file (which will be your "database") or develop yourself a small application for holding target information.


An example

Target: "GoodRX" (https://hackerone.com/goodrx)

Scope:

- www.goodrx.com (Main)
- gold.goodrx.com
- heydoctor.goodrx.com

- com.goodrx (App)
- com.goodrx.iphone

Not accepted:

- CSRF login/logout/non-sensitive
- MitM / physical
- Best practises (SSL/TLS)
- DDoS
- Content-Spoofing/Text-Injection
- Username enumeration login/logout
- Brute Force
- Clickjacking (X-Frame-Options)
- Non HttpOnly/Secure flagged cookies 
- Vulnerabilities in other assets

If you're familiar with the topic and its terms, the same summary in shorthand:

T:   https://hackerone.com/goodrx
S:   goodrx.com (Main), gold., heydoctor.
N:   CSRF(IO),MitM,SSL/TLS,DDoS,CI/TI,UE(IO),BF,CJ,HttpOnly/Secure
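The text-file "database" above can just as well be kept as data that a script can query. The following is an added example (not code from the original post, nor from GoodRX or HackerOne): it stores the policy summary from the text and answers "may I send traffic to this host, and will the finding count?" before testing starts. The GoodRX hosts and exclusions are copied from the summary above; the wildcard program and every hostname under .test are constructed for the demo, and the exclusion keys (e.g. "cookie flags") are my own normalization of the policy wording.

```python
"""Scope "database" as code, plus an in-scope check run before any traffic
is sent. Added example; not from the original post or from GoodRX/HackerOne.
Program data is copied from the policy summary in the text; WILDCARD_DEMO
and all hosts under .test are constructed for the demo."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Program:
    name: str
    url: str
    web_scope: list          # hostnames; "*.example.test" = any subdomain
    app_scope: list          # mobile package identifiers
    not_accepted: set        # normalized keys of rejected vulnerability classes
    notes: dict = field(default_factory=dict)

    def host_in_scope(self, host: str) -> bool:
        """Match on the whole hostname, never on a substring, so lookalikes
        such as notgoodrx.com or www.goodrx.com.attacker.test do not match.
        A wildcard entry matches subdomains only; list the apex separately
        if the policy includes it."""
        host = host.lower().rstrip(".")
        for entry in self.web_scope:
            entry = entry.lower()
            if entry.startswith("*."):
                if host.endswith(entry[1:]):   # ".example.test" suffix
                    return True
            elif host == entry:
                return True
        return False

    def url_in_scope(self, url: str) -> bool:
        """Parse the URL first: the hostname of
        https://www.goodrx.com@attacker.test/ is attacker.test, and a bare
        'www.goodrx.com' without a scheme is rejected rather than guessed."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        return self.host_in_scope(parts.hostname)

    def finding_accepted(self, vuln_class: str) -> bool:
        return vuln_class.strip().lower() not in self.not_accepted


def triage(program: Program, url: str, vuln_class: str) -> str:
    """One-line verdict to record in your notes before testing."""
    if not program.url_in_scope(url):
        return "stop: host not in scope"
    if not program.finding_accepted(vuln_class):
        return "low priority: class not accepted, only worth it as part of a chain"
    return "go"


# Policy summary from the text, keyed so it can be looked up mechanically.
GOODRX = Program(
    name="GoodRX",
    url="https://hackerone.com/goodrx",
    web_scope=["www.goodrx.com", "gold.goodrx.com", "heydoctor.goodrx.com"],
    app_scope=["com.goodrx", "com.goodrx.iphone"],
    not_accepted={
        "csrf login/logout/non-sensitive",
        "mitm", "physical",
        "ssl/tls best practice",
        "ddos",
        "content spoofing", "text injection",
        "username enumeration login/logout",
        "brute force",
        "clickjacking",
        "cookie flags",          # missing HttpOnly/Secure
        "other assets",
    },
    notes={"main": "www.goodrx.com"},
)

# Constructed program (not from the text) to show wildcard handling.
WILDCARD_DEMO = Program(
    name="wildcard-demo",
    url="https://example.test/policy",
    web_scope=["*.example.test"],
    app_scope=[],
    not_accepted=set(),
)

if __name__ == "__main__":
    for url, vc in [
        ("https://gold.goodrx.com/login", "xss"),
        ("https://www.goodrx.com@attacker.test/", "xss"),
        ("https://www.goodrx.com/", "clickjacking"),
    ]:
        print(f"{url:42} {vc:13} -> {triage(GOODRX, url, vc)}")
```

The point of the URL parsing step is that a scope check done on strings ("does it contain goodrx.com?") is exactly the kind of check an attacker-controlled link defeats; matching the parsed hostname against the whole entry is what keeps your traffic on the assets the policy actually lists.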


You can see that the company declares some vulnerability classes in its policy as "Out of Scope". Read and understand these, but don't give them too much attention (it can hurt your creativity):

  • Out-of-scope vulnerabilities can be transferred in-scope by chaining them with another finding
  • Best practice != security vulnerability
  • The DDoS/Brute Force exclusion is only about capacity (flooding the target with traffic)
  • Social Engineering/Physical Security are other fields

It's also important to choose where to start (setting the entry point). The main application probably has the most impact, but other participants might already have tested the hell out of it (unless you're the chosen one).


2.) Prepare your "lab"

After locking in our target it's time to sharpen our tools and arrange the penetration test. Since targets differ in type (network, binary, web application, mobile app) it's useful to have a customized VM for each type of target (especially for Android/iOS apps). I recommend starting with Kali Linux and Android Tamer (this saves the extra effort of setting up your own distro).

It's also important to prepare some kind of documentation (a simple text file with some columns is enough to start with; later you might set up some open-source software or develop your own [recommended!]).

Finally, I highly suggest using a VPN. Some targets might block or blacklist your IP address, which can slow down your work.