// the find
jhaddix/tbhm
The Bug Hunters Methodology
A collection of notes and checklists from Jason Haddix covering web app security assessment methodology — reconnaissance, mapping, common vuln classes, mobile. It started as companion material for conference talks and grew from there. Aimed at bug bounty hunters who want a structured mental model for approaching a target.
The topic coverage is solid for a first-pass checklist: auth, sessions, IDOR, file upload, CSRF, SQLi, XSS, mobile — the usual suspects are all here. Coming from Haddix, who has a legitimate track record in bug bounty, the philosophy sections reflect actual field experience rather than textbook theory. The PDF and XMind files suggest this was battle-tested material from real talks, not just markdown pulled from OWASP.
The repo is effectively abandoned — the last meaningful update was in 2023, and the history table in the README still has placeholder 'xxx' entries three years later. The v4 directory contains a single all2.txt file with no explanation of what it is or how it relates to the rest of the content. Several sections listed in the README (Reconnaissance, Web Services) have no linked content at all; they're just heading text. For anything published after 2022 (OAuth attacks, modern SSRF chains, LLM injection), you'll need to look elsewhere.