I’ve been hacking since 2014 and more recently focusing on bounty hunting in the blockchain space. For example, I found a critical bug in Mushrooms Finance, and I’m a recipient of Immunefi’s Whitehat Scholarship. But it’s taken a while to get to this point in blockchain hacking and hacking in general. When I first started learning how to hack in 2014, I was really slow and procrastinated a lot. At times, I haven’t been active at all. The following article represents only my personal thoughts based on what I experienced and what lessons I learned on how to stay motivated and how to hone my security craft.
Feel free to comment below with your own experiences. The hacking journey is different for everyone.
When we want to hack or program something, and take a look at the project, we often see the big picture of the project as if it’s a huge castle. We stand in front of it, look up the walls, see how secure everything is — and sometimes, even give up. But we often forget, that we are here to look for the small things. Small things with a huge impact.
People who start with hacking and later with bug bounty hunting constantly read about what was found recently, who got how much, and who is new on the leaderboard. It’s easy to assume that you’ll never be able to get there, and sometimes you may think that you don’t even have enough time to learn the skills that the top hackers have — nor should you, as you won’t even get close to their level anyway. Additionally, personal circumstances may also influence the decision whether this is something for your or not. After all, hacking really is not for everyone.
It All Starts the Same Way
At first, there is the learning process. You put in hour after hour, read articles and tutorials, watch videos about a vulnerability that you don’t really understand, read more, watch more, connect with people in Discords, and then at some point, join the first CTF-challenge.
Over time, you get better and better. You start to get this feeling that you want to test out your skills in the real world. You want to find these small bugs and get paid. But, now it’s not that easy anymore.
There’s no more “great job!”. In a CTF, you get points for challenges where the task is clear, and it’s up to you to find a solution. However, even if you can’t find the solution, there’s always a way to discover it, whether on the project’s social media channels or blog. You’ll get these points.
But no one is going to tell you, “Hey, here’s a bug on HackerOne”, or “here’s a bug on Immunefi”. You are now on your own when looking for bugs, and no matter how much time you put into the hunt, there won’t be any points, there’s no ready solution, and there’s no direct reward just for your time spent trying to find a bug.
So, how do you continue?
Everyone Is Different…
First of all, everyone is different. I was never really a fan of CTFs and started trying out my skills in the real world pretty soon after starting. I don’t know if that’s the best way, because there really is no best way, in my opinion.
Hacking and bug hunting require you to take a unique and creative approach. You have to occupy the vantage point of a potential attacker and try to see what they would might do to exploit the app, and you have to constantly learn and try different things to see what is even possible. You can go out, take a shovel, and dig for gold. Or, you can spend time on researching where the best place to find gold is. You can experiment with different digging techniques and invest in better equipment and machinery.
… and So Is Everything
Not only is everyone different, but so is everything else — in this case, every project. You can test smart contracts, servers, IPs, domains, websites, programs, tools, actual physical items like hardware, and web assets. Every project is also different internally. A website is not programmed the same way another website is programmed. Every piece of content you find is different, meaning that every approach you do will be different.
Find what you like, but don’t just follow the money. While diversity is good in terms of trying and learning different things, it won’t help you if you put your focus on the potential reward, while spending all your time on something you don’t like at all.
As weird as it may sound, find a project you actually like. It will make you way happier if you spend hours and hours of doing tests in an environment you enjoy, even if you don’t find anything. Maybe you like server hacking more than website hacking? Maybe you get goosebumps when reading 127.0.0.1 and localhost? Or maybe you love putting random funny meme names before .domain.com to see what awaits you behind that door?
Learn, test, and find out.
Patience and Honesty Are Key
Finding your first successful bug in the wild web takes a lot of time. You will spend endless hours testing and not finding anything. You will be unsuccessful, and you will get tired fast. Patience here really is key. You have to be patient and enjoy what you do, or else sooner or later you get depressed and burned out. At this point, you also have to be honest with yourself. Do you really like what you do? And do you really want to do it?
Just because there are rewards of thousands of dollars, even up to millions of dollars, like at Immunefi, it doesn’t automatically mean that you’ll be successful. If you do bug hunting only to get those rewards, you’ll most likely lose. Put in the time. Be patient. You can do it part-time, too. Learn, learn, learn, and keep doing.
Not only liking the project is important, but generally liking what you do. And I don’t mean that you constantly have to be happy, over-excited and can’t wait to wake up and start up your favorite tools or load your already bookmarked websites. Bad days will come too, for everyone.
Take time for yourself to see where you want to go and what is realistic. That does not mean that you should stop dreaming and learning, but be honest with yourself. But also if you find something, remember that there are a lot of things to keep considering.
For example, you can spent hours and hours, days and days, just to find out that someone was faster. And yes, that’s also a part of your journey sooner or later. Everyone who is already active in the bug bounty scene, should skip this part. It’s called “duplicates” — the nightmare of every bug bounty hunter. You finally find a vulnerability after all the sweat you’ve shed, but then the triager (the person who validates your report and takes over the communication between you and people working on a fix, the payment etc.) tells you: “Hey sorry, but someone was faster.” You have to live with that. And look at it from a different perspective, because you found a bug. It’s just that you won’t get paid for it.
But also, the decision if you get a reward or not, depends ultimately on the team and project itself. Maybe you find something, but it turns out to be out of scope, which basically means that it’s still a valid bug, but just not in the project or not important enough to be considered dangerous for the project.
All these things can happen and prevent you from being successful and consistent with going on, when you don’t admire that learning and practicing is equally important for your journey and that getting paid is not the only thing that determines how good you are.
… But So Is Luck
Finding a bug does not need to take months. Sometimes you are faster, sometimes you are not. Sometimes others find bugs before you do but sometimes you find bugs before anyone else does.
In the end, “unfortunately”, luck is also a component of the journey of getting a bounty hunter. Of course, you can optimize your process, automate a lot of things and constantly increase your skills. But in the end, luck still will be part of the game. I mean, we depend on someone else making a mistake and not being careful enough. And often, that mistake has to go through multiple pairs of eyes.
You anyway will spend most of your time reading secure and acceptable code, so live with the fact that luck is a part of all of this. This will help you to stop thinking that you’re not good enough or you are too bad. If you keep going, keep digging and using and improving your equipment, you’ll maybe eventually be successful too.
You Don’t Need to Tear down the Castle
Last, but not least, you don’t need to tear down the castle. In the end, an open window is enough to let you in, no matter how thick the walls are or how many soldiers are guarding it. You are looking for these windows. They are tiny, tiny little holes in a project, but they can have a huge impact. Data leaks and hacks do not happen because someone reproduced the whole project’s code. They happen because of the tiny little bugs that people left. One single wrong line of code, sometimes even just adding or leaving one single symbol, can allow malicious hackers to steal data or funds. Keep that in mind whenever you do your experiments, research, and tests.
Happy hunting!
P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.
