6 Questions that Guarantee your Bounty
1. How does the app pass data?
   Parameter or path?
2. How and where does the app talk about users?
   Cookie or API calls? uid, username, email or uuid?
3. Does the site have multiple user levels?
   Admin, user, viewer, etc.
4. Have there been past vulns?
5. How does the app handle the common bug classes?
   XSS? CSRF? Code injection?
6. Does the site have a unique threat model?
Credit
Based on Jhaddix's presentation