Ott3rly
1 min read · Nov 27, 2023

Glad you have liked this article :) Well, explaining my whole methodology alone would take at least 3 articles. It really depends on the program, whether it's a wide scope or just a single target. For each case I apply a different methodology. But to summarize:

1. Program accepts every asset they own as a company (like Tesla). I do horizontal recon — gather 2nd-level subdomains that belong to that company. Then subdomain enumeration, and for each of those subdomains I do automated testing using the most renowned bug bounty tools.

2. Program has a subdomain wildcard scope. Same as the 1st methodology, but without horizontal recon.

3. Program has a single target or a very small scope. I apply manual testing. The first 1–2 hours are for getting to know the application. I read the API/developer docs and application docs, and try to create multiple user accounts if the app has multiple-role functionality (2 accounts per role). I try to use every functionality of the application while Burp is running in the background to collect all the traffic. Also, I like to check the pricing page of the target app and see which functionalities I can unlock by purchasing some plans (this is my golden tip, since not a lot of hunters like to spend money). Next, I do some manual hacking for 2–4 hours, testing XSS and IDORs first. If I really like the app, I spend more time on it and test for other vulns.
