Bug Bounty Target Types Explained

Understanding bug bounty target types helps researchers focus their testing and choose programs aligned with their skills. Below is a comprehensive list of common target categories, each with a one-line description.

Web
Traditional websites and web applications accessible through a browser.

API
Backend services (REST, GraphQL, SOAP) that power applications and integrations.

Mobile (Android / iOS)
Native or hybrid mobile applications and their supporting backend services.

Web3 / Smart Contracts
Blockchain-based applications, smart contracts, DeFi protocols, and on-chain logic.

Cloud / Infrastructure
Cloud environments such as AWS, Azure, and GCP, including storage, compute, and IAM.

Network / Servers
Server-level services, exposed ports, protocols, and network configurations.

Desktop Applications
Installed software for Windows, macOS, or Linux environments.

Browser Extensions
Chrome, Firefox, or Edge extensions that interact with web content and user data.

Hardware / IoT
Physical devices, embedded systems, routers, smart devices, and connected hardware.

Source Code / Repositories
Public or private codebases including GitHub repositories and SDKs.

Thick Client Applications
Heavier client-side software communicating directly with backend systems.

Embedded Systems / Firmware
Low-level device firmware and operating systems running on hardware components.

Automotive Systems
Connected vehicle systems, infotainment platforms, and telematics services.

AI / ML Systems
Machine learning models, AI APIs, prompt injection surfaces, and data pipelines.

Authentication Systems (SSO, OAuth)
Identity providers, login flows, token handling, and session management systems.

Email / SMTP Infrastructure
Mail servers, email routing systems, and email authentication configurations.

DNS / Domain Infrastructure
Domain configurations, DNS records, subdomain management, and takeover risks.

CDN / Edge Services
Content delivery networks and edge computing services handling distributed traffic.

Third-Party Integrations
External services connected via APIs, plugins, or embedded components.

DevOps Pipelines / CI/CD
Build systems, deployment workflows, automation pipelines, and artifact storage.

Containers / Kubernetes
Containerized workloads, orchestration systems, and cluster configurations.

Identity & Access Management (IAM)
User roles, permissions, privilege escalation paths, and access control policies.

Payment Systems
Payment gateways, transaction processing systems, and financial workflows.

Messaging Systems
Chat systems, message brokers, real-time communication platforms, and queues.

Cryptographic Implementations
Custom encryption, hashing, key management, and cryptographic protocol usage.

This structure covers nearly all target types found across modern bug bounty programs and provides a clear framework for organizing your directory.
