---
name: program-player
description: Get invited to private bug bounty programs and build reputation on platforms. Use when building platform reputation,
  applying to private programs, or optimizing your hunter profile for maximum opportunities.
domain: cybersecurity
tags:
- cybersecurity
- player
- program
- security
- threat-defense
---

# Program Player

Private programs pay 5-10x more than public ones. But you need reputation to get invited. This skill covers building your reputation, getting into private programs, and maximizing your opportunities.

## When to Use

- Starting from zero on a bug bounty platform
- Want to get invited to private programs
- Building long-term bug bounty career
- Optimizing hunter profile and reputation
- Networking with security teams

## The Process

1. **Scope the task** — define objectives, boundaries, and success criteria
2. **Gather information** — collect all necessary data and context before proceeding
3. **Execute the core workflow** — follow the domain-specific steps methodically
4. **Validate results** — verify outputs against expected outcomes or baselines
5. **Document findings** — record results, anomalies, and recommendations
### 1. Platform Reputation Building

#### HackerOne Reputation System
```
Reputation = (Signal × 10) + (Impact × 5) + (Accuracy × 3) - (Noise × 2)

Signal: Valid bugs found
Impact: Severity of findings (critical > high > medium > low)
Accuracy: Signal / (Signal + Noise)
Noise: Invalid/duplicate reports

Target: Top 1000 ranking → automatic private program invites
```

#### Reputation Building Strategy
```
Phase 1 (Month 1-2): Build Signal
- Find 10-20 valid bugs on public programs
- Focus on easy wins: info disclosure, missing headers, CORS
- Every valid report = reputation points

Phase 2 (Month 3-4): Build Impact
- Target medium-high severity bugs
- Chain low bugs into critical findings
- Focus on IDOR, auth bypass, SSRF

Phase 3 (Month 5+): Private Programs
- Apply to every private program invitation
- Accept triager feedback, learn from rejections
- Specialize in 2-3 target types
```

### 2. Getting Private Program Invitations

#### Direct Application
```
# HackerOne Signal program
# Apply when you have 5+ valid findings
# Show your best work, demonstrate methodology

# Bugcrowd Priority
# Top hunters get early access to new programs

# Platform-specific programs
# Some companies invite based on:
- Platform ranking
- Specific technology expertise
- Previous findings on similar targets
```

#### Networking
```
# Attend security conferences (virtual or physical)
# Join bug bounty Discord/Slack communities
# Share writeups (builds reputation + attracts invitations)
# Collaborate with other hunters
# Engage with security teams on Twitter/X
```

#### Cold Outreach
```
# Find companies without bug bounty programs
# Send professional email:

Subject: Security Vulnerability Disclosure

Dear [Company] Security Team,

I am a security researcher and have identified potential
security issues in your application. I would like to
responsibly disclose these findings.

Would you be open to receiving a vulnerability report?

Best regards,
[Your Name]
[HackerOne Profile Link]
```

### 3. Hunter Profile Optimization

#### Profile Elements
```
# Profile photo: Professional, recognizable
# Bio: Concise, highlight expertise
# Specializations: List your top skills
# Badges: Earn platform badges (first bug, critical finder, etc.)
# Writeups: Share sanitized versions of accepted reports
```

#### Portfolio Building
```
# Maintain a blog/writeup site
# Document your methodology (not just findings)
# Share tools and scripts you've built
# Present at meetups/conferences
# Contribute to open-source security tools
```

### 4. Program Selection Strategy

#### Program Research Checklist
```
- [ ] Active program (check response times)
- [ ] Good payout history (check public reports)
- [ ] Wide scope (more surface = more chances)
- [ ] Fair triage (not "informative" on everything)
- [ ] Reasonable rules (not too restrictive)
- [ ] Technology you know (leverage expertise)
- [ ] Recent scope expansion (fresh surface)
```

#### Red Flag Programs
```
- Program closed/paused for months
- All reports closed as "informative"
- Payouts below platform average
- Very narrow scope (single endpoint)
- Aggressive "not applicable" responses
- Rules that prevent meaningful testing
```

### 5. Triager Relationship Management

#### Best Practices
```
# Be professional in all communications
# Provide clear, reproducible reports
# Accept feedback gracefully
# Don't argue about severity (provide CVSS calculation)
# Respond promptly to questions
# Thank triagers for good interactions
```

#### Handling Rejections
```
# "Duplicate" → Learn from the original report
# "Informative" → Consider chaining with other bugs
# "Not Applicable" → Verify scope, provide more evidence
# "Needs More Info" → Provide additional context/PoC
# "Won't Fix" → Accept, move on to next target
```

### 6. Time Management

#### Weekly Schedule
```
Monday: Recon and target research (2h)
Tuesday-Thursday: Deep testing on primary targets (6h each)
Friday: Automated scanning on secondary targets (4h)
Weekend: Writeup cleanup, learning, tool development (4h)
```

#### Time per Target
```
# Don't spend more than 20h on a single target
# If no findings after 10h, switch targets
# Rotate targets every 2-4 weeks
# Keep a "hit list" of promising targets
```

### 7. Income Diversification

```
# Bug bounty (primary income)
# Security consulting (leverage bounty reputation)
# Tool development (sell tools/scripts)
# Training/courses (teach what you know)
# Writeups/content (paid writeups, sponsorships)
# CTF competitions (prize money)
# Responsible disclosure rewards (non-bounty programs)
```

## When NOT to Use

- Task is outside your authorization scope
- You need to implement controls (use implementing-* skills)
- Task is about analysis, not action (use analyzing-* skills)
- You don't have access to target systems
- Task requires compliance expertise (consult professionals)
- Task is about defense, not offense (use defensive skills)


## Red Flags

- Submitting low-quality reports for reputation farming
- Arguing with triagers about severity
- Public shaming of companies for not paying
- Testing out of scope for reputation points
- Copying other hunters' findings

## Verification

- Profile is complete and professional
- At least 5 valid findings on platform
- Reputation score in top 50% of hunters
- At least 1 private program invitation
- Writeup portfolio demonstrates methodology
- Weekly schedule is sustainable

## Revenue Potential

| Stage | Monthly Income | Time Investment |
|-------|---------------|-----------------|
| Beginner (0-6 months) | $0-$1000 | 10h/week |
| Intermediate (6-12 months) | $1000-$5000 | 20h/week |
| Advanced (1-2 years) | $5000-$20000 | 30h/week |
| Expert (2+ years) | $20000+ | Full-time |

Private programs typically pay 5-10x more than public programs for the same vulnerability type.

## Overview

> Section content — see SKILL.md body for full details.

## Process

1. Analyze the task requirements
2. Apply domain expertise
3. Verify output quality
