Prerequisites
Solid web security fundamentals: SQLi, XSS, IDOR, SSRF, auth bugs. Report writing skills. Patience for duplicate rejections.
First steps
Complete 30+ Cyfotok labs. Read disclosed reports on HackerOne Hacktivity. Start with VDP (Vulnerability Disclosure Programs) with wide scope and no payment pressure.
Tools
Burp Suite Community, browser DevTools, ffuf, nuclei (later). Labs teach technique; tools automate recon.
Legal rules
Only test in-scope assets. Read program policy carefully. Never test out of scope — account bans and legal risk.