My first 6 months experience as a Bug Bounty Hunter
I have completed 6 months in Bug Bounty Hunting. I am sharing what I have experienced and learned during these initial months. When I say "you" in this article, it is mostly pointed at myself. I don't mean to direct you to what you should or shouldn't do. Here "you" means "I". And kindly pardon my bad English.
Things I learned:
1. Never trust the platform. Don't waste your time sending support mails or contacting their high-profile employees who boast in public about researcher welfare. All you will get is "professional English" in return. You will be dreaming all this time about how nicely this awesome man will talk to the program and change the status of your submission.
I am not blaming anyone here. It's how it is. For the platform, their customers are important. If one researcher leaves, 1000 will come. So all these stakeholders are forced to go with their customers. Don't fall for the PR/marketing stunts by their employees.
Solution: Just move on to the next bug. I wouldn't say change the platform. There is a skill to be learned here. Stay and learn it!!
P.S. I have experience with only one platform, and this is not a generalised opinion about other platforms, which I haven't tried.
2. Most of the BB community is awesome. But not all. You should exercise caution about whom you follow and trust. There are people who just fake bounty payments.
3. Never share "yay I was awarded". It will only attract frustration energy towards you. If you wish to showcase your payments, consider adding some pointers about the submission. Share knowledge. Be humble.
4. Basics, basics, basics. I understood the importance of reading books like The Web Application Hacker's Handbook and doing labs like @PentesterLab and others.
5. BB is a tough job. Patience is important.
6. Stick to one program. I am yet to choose one.
7. Note-taking in an organised way is very important.
8. Follow a checklist.
9. Read write-ups and reports. They are gems. (If you are a beginner, this is the TL;DR for this article.)
10. Don't stress. Enjoy the process.
11. Follow some awesome hunters. Know the fake ones who come on the screen to show off and make some extra income. I admire many (not sharing the names here as I cannot give an exhaustive list now; I will update soon). I learned to recognise people who really know stuff versus those who just show off.
12. There are many hidden hunters who don't bother to come into the limelight. They are just awesome. You are lucky if you find one who is willing to help you.
13. Awesome WhatsApp statuses won't make a good hacker. I used to think like that. But when talking to them, they even lack basics.
14. Don't get disheartened that it will take time to excel in BB. If you work hard, I think you can succeed. I used to study for 12 hours in the initial months. Just joining some WhatsApp group will not make you a hacker. Again, it will give you a false sense of achievement.
15. Watching YouTube and other videos also makes you feel like you are a good hacker. But when you practice, you will tremble. Practice, practice, practice. IMHO write-ups/reports are the real game changer in this field, more than YouTube videos. I thank each and every one in the community who takes the time to write these without expecting anything in return.
16. Mental health should be taken care of. Do exercise and meditation, and slowly build the strength to face the triagers!! :-) Lol, just kidding. But seriously, more than the technical aspect, I find the emotional aspect is very important to stay in the game.
17. Some programs really function unethically. They have a BB program just for the sake of marketing. Identify them early and move on to the next program.
18. If the community were not sharing, I wouldn't have found anything. So it's my responsibility to give back whatever I can.
19. BB is nothing like OSCP.
20. Twitter has options to mute certain words. I mute "yay I was awarded" and other words for my peace of mind!!
Thanks for reading. I appreciate it. I follow "praise in public and criticise in private", but still I had to write about the platform as the first point because that's the biggest lesson I learned in these 6 months. I wish I didn't have to add it to this article.
Edit: After publishing this story I am getting many questions about how many bounties I earned. So I am addressing it here.
Out of the 6 months, probably 5 months were taken for learning. I hunted for nearly 1 month. Around 10 paid reports: five on a platform and the rest in a VDP.
MFA bypass and XSS were the vulns I found on the platform. In the VDP, many other vuln types were found.
Catch me on Twitter for any beginner queries: @siLLyDadddy. DMs are open :)