My Bug Bounty failures

Alvaro Balada
Sep 27, 2023


I was very frustrated due to my constant failures in Bug Bounty. I had high expectations when I started and thought that I would find a lot of valid bugs, but none of that has happened yet. I was feeling very frustrated until I recently realized that I was not failing after all.

I’m Alvaro and this is my first post ever. I need to express my situation, and I hope it will help you.

Summary

I began doing Bug Bounty 7 months ago and I’ve submitted 9 bugs since then. 2 of them were closed as duplicates, which means that other hackers had previously reported them. The rest of the bugs were closed as informative. I still do not have any bugs.

My first Report

One of the first bugs that I submitted was an Account Takeover that directly affects anyone who clicks on a malicious website. This bug was closed as informative by the triager, showing that he had no idea of the impact of the bug. I tried to have my report re-evaluated, but no one responded to me after he closed the report.

Frustration

I was so angry that I changed Bug Bounty platforms. I quickly focused on another program and I found a bug; the problem was that I did not look at the program status before hunting. THE PROGRAM WAS SUSPENDED INDEFINITELY. I felt quite foolish. The program didn’t have any type of security mail, so I decided to hold on to the bug in case they came back. The program information said that they would be back in a while.

After that moment, 4 months passed and I was unmotivated. I spent 2 months without finding anything and spending less time hacking; I spent a lot of time watching YouTube videos and listening to podcasts about bug bounty to help me think and reflect. After that, I found a program that I cared about and liked hacking on.

Fail and know yourself

I spent almost 2 months hacking on that application: understanding the whole product, finding interesting behaviors, taking notes, generating attack scenarios in my mind, and trying to exploit them from different perspectives…

I really liked that methodology even though I didn’t find any bugs in that application. At that moment I realized that I was enjoying the process and learning a lot about mental processes and persistence. I was not failing after all.

I started hacking on another program, hacking the way I like: understanding the whole application and taking notes on all possible attack scenarios. I found a little bug with no impact, but thanks to my understanding of the app I found a way to escalate it, and I submitted it.

The bug was closed as a duplicate, but at least I increased my reputation.

Now I’m still hacking and learning, and I thought that writing about my experience could help someone in my situation. Every failure is a little more progress and learning. To progress and persist, you have to find what you like and not focus on the results.

I hope you found my experience useful.
