Coping up with Bug Bounty Failures

Circle Ninja, published in Bug Bounty Hunting
3 min read, May 26, 2020

Of late, I see a lot of newbie bug hunters and security enthusiasts joining Infosec Twitter, and it pains me to see their failure stories in my timeline.

I have gone through stress, depression and failure from not finding any security bugs at some point or the other, and I continue to have them occasionally.

I did a self-realisation-cum-analysis today and have come to some conclusions. You are free not to agree with all my views. I will be excited to know your take in the comments.

Most people come into bug bounties due to:

  1. Money factor.
  2. Learning and knowledge.

People in the first category are those who become frustrated very soon if they are unable to get bounties in a short period of time. This may also make them desperate to get as little money as possible just to fulfil the need of getting paid, even if that means settling for low-hanging P4 bugs.

The problem is, it is not always guaranteed that you will be the first to find them!

If you are still interested in spending the majority of your time on bug bounty programs, I recommend:

  1. Target a specific program and scavenge each and every asset and functionality in it. Just focus on it; say, focus on that program for at least a month. Avoid hoping to find a P0 bug at midnight.
  2. Be ready for the worst, to reduce your personal expectations of getting huge bounties. I had a bad habit: while submitting a bug, I dreamt of getting paid $$$$ to my account and how many zeroes I would add. And when the reports got rejected, I was shattered.
  3. Accept the chronology; you will have to learn from mistakes. If your report gets NA, work harder. If your next report is a duplicate, know that you have learnt how to find the bug, just that someone else got it a little earlier. Next time, the bug is all yours.
  4. Try finding uncommon bugs rather than always looking at common bugs.
  5. Learn to code. Some say you don't need any coding. Jokes on them. Top bounty hunters are very good at tool development and recon profiling. At least understand basic HTML, CSS, JS, PHP and Python.
  6. Try to avoid burnout.

THE OTHER WAY AROUND

What is the end goal you want?

In the next 5 years, do you see yourself working in the security domain, or continuing to remain a bug bounty hunter? Bug bounty is good but doesn't give complete stability. If you have an alternative income source, bug bounties are the best for you; otherwise, invest your time accordingly towards projects and CTF.

Yes, CTF.

I happened to attend the webinar by the_st0rm (Security Engineer, FB), and it confirmed my doubts.

Bug bounty is like finding a needle in a haystack, whereas CTF helps you learn and sharpen your skills.

Bug hunting may improve your recon skills, but CTF will give you working experience of various security issues. This will help you secure your first job in infosec. While writing this post, I have started to transition from bug hunting to CTF, and as a side hustle I focus on just my favourite programs.

HOW YOU CAN JUDGE YOUR FAVOURITE PROGRAMS

  • Is the ROI acceptable?
  • Are you sure the time you invest in the program will result in good bugs?
  • Is the scope wide?
  • Is the response time quick?
  • Please don't start hunting in some pinky-ponky programs. If not for the money, at least having it mentioned in your resume should be useful.

That's it for now; tweet to me with suggestions :)
