Things you should look for:

• [ ] friendly and responsive team
• [ ] large enough scope
• [ ] a scope that is not completely interconnected
• [ ] bugs you are interested in
• [ ] an interesting attack surface
• [ ] Assets that may play to your strengths

→web apps

→mobile apps

→Source code

• [ ] A private or public program
• Large scope = lots of low hanging fruits

Start looking from:

• [ ] Has anyone else found anything and disclosed a writeup? search Google, HackerOne disclosed and open-bugbounty, disclosed.io reports.
• [ ] insight into the types of issues to look out for when getting a feel for how the site works. (Sometimes you can even bypass old disclosed bugs!)
• Testing publicly disclosed bugs can give you a starting point instantly
• [ ] how their main web application works
• [ ] start taking notes write down interesting endpoints and behaviour
• [ ] make a wordlist from the endpoints you note and from robots.txt