Why You Fail at Bug Bounties

Reasons you are not finding bugs, and ways to improve

Vickie Li
May 3, 2020

You’ve poured hours and hours, days and days into looking for vulnerabilities and still haven’t found a single one.

You follow all the rules. You use all the tools. You stay in scope. What could be going wrong? What secrets are the leaderboard hackers hiding? Today, let’s discuss the mistakes that prevent you from succeeding in bug bounties, and how you can improve!

You participate in the wrong programs

First, you might be targeting the wrong programs all along.

Some programs downplay the severity of vulnerabilities to avoid payment. Some programs delay acknowledging and fixing bugs because they lack the resources to deal with reports. Finally, some programs restrict their scopes to an extremely small subset of their assets. They run bug bounty programs to benefit from the positive publicity, without the intention of actually fixing vulnerabilities.

Avoid these programs to save yourself the headache. Pick your programs carefully, and prioritize programs that invest in you.

You don’t stick to a program

How long should you target a program? If your answer is “a few hours” or “a few days”, this is the reason you are not finding anything. Countless experienced hackers have already hacked on your public program, so you have to differentiate yourself from the competition or risk submitting duplicates.

You can differentiate yourself in two ways: you can dig deep, or you can search wide. Dig deep into each functionality of an application to search for complex bugs, or discover and hack obscure assets of the company.

Doing these things well takes time. Don’t expect to find bugs right away when you are starting fresh on a new program. Be patient. Don’t quit a program if you can’t find bugs right away.

You don’t recon

Jumping into big public programs without recon is another way to fail at bug bounties. Effective recon helps you discover new attack surfaces: new subdomains, new endpoints, and new functionality.

Spending time on recon gives you an incredible advantage over other hackers. You get first crack at the simple and the complex bugs on every asset you discover, so you can report them without much fear of duplicates.
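As an added illustration of automating the recon loop (example code written for this edit, not a tool from the original article): keep the hosts each enumeration run produces, filter them against the program's scope, and report only what is in scope and was absent from the previous snapshot. The scope entries, the host lists and the "previous snapshot" are constructed sample data, and the wildcard semantics (`*.example.com` covers subdomains but not the apex, and out-of-scope entries override in-scope ones) are assumptions to verify against each program's own scope page.

```python
"""Added example (not from the original article): an automated recon loop
that stores each run as a snapshot, filters hosts against program scope and
reports only what is new and in scope.

Scope entries, host lists and the previous snapshot below are constructed
sample data; the wildcard semantics are an assumption to verify per program.
"""
from typing import Iterable, List

# Constructed scope, in the style of a program's scope page. A '*.' entry
# covers every subdomain (at any depth) but not the apex host itself, and
# out-of-scope entries take precedence over in-scope ones. Both rules are
# assumptions: check them against the real scope page before reporting.
IN_SCOPE = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE = ["corp.example.com", "*.staging.example.com"]


def normalize(host: str) -> str:
    """Lower-case, drop surrounding whitespace, a trailing dot and a leading
    '*.' so that CT-log style wildcard names compare like ordinary hosts."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def matches(host: str, pattern: str) -> bool:
    """True if host falls under a single scope entry."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '.example.com' suffix, never the apex
    return host == pattern


def in_scope(host: str) -> bool:
    """Apply exclusions first, then inclusions."""
    host = normalize(host)
    if any(matches(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(matches(host, p) for p in IN_SCOPE)


def new_assets(previous: Iterable[str], current: Iterable[str]) -> List[str]:
    """Hosts seen in this run, in scope, and absent from the last snapshot."""
    seen = {normalize(h) for h in previous}
    found = {normalize(h) for h in current}
    return sorted(h for h in found - seen if in_scope(h))


# Constructed snapshots standing in for two enumeration runs.
PREVIOUS_SNAPSHOT = ["www.example.com", "api.example.com", "blog.example.com"]
CURRENT_RUN = [
    "www.example.com",
    "API.example.com.",             # same host as before, noisier spelling
    "dev-payments.example.com",     # genuinely new and in scope
    "corp.example.com",             # new, but explicitly excluded
    "old.staging.example.com",      # new, but under an excluded wildcard
    "api.example.net",              # new, matches an exact in-scope entry
    "example.com",                  # apex: not covered by *.example.com here
    "evil-example.com",             # unrelated domain that merely ends alike
]

if __name__ == "__main__":
    for host in new_assets(PREVIOUS_SNAPSHOT, CURRENT_RUN):
        print("new in-scope asset:", host)
```

Feed `new_assets` the output of whatever enumeration you actually run and keep every run's list on disk; the diff is what tells you where to spend the next session. Treat the wildcard rules as the first thing to confirm per program: a host that matches `*.example.com` on paper can still be excluded by an entry further down the scope page, and reporting on it is a fast way to get a report closed.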

You go for low-hanging fruits

First off, don’t rely on scanners. You should assume that all bugs that can be discovered by vulnerability scanners have already been reported.

And avoid looking only for the “obvious” bug types. Simplistic bugs on big targets have probably already been found. For example, a stored XSS in a forum comment field is something that many hackers will test for.

Instead, strive to gain a deeper understanding of the application’s underlying architecture and logic. From there, you can develop your unique testing methodology that will result in more valuable bugs.

Alternatively, you can develop rare skills, such as mobile hacking and source code review.

You write shitty reports

What if you have no trouble finding bugs, but can’t get companies to resolve your reports?

First, always try to escalate your bugs. If many of your reports get closed as Informative, the bugs you find are not impactful enough and companies see them as an “accepted risk”. In this case, don’t despair. Minor bugs can become big issues if you learn to escalate them. When you find a low-severity bug, don’t report it immediately. Take note of it and use it in future bug chains instead. For example, instead of reporting an open redirect on its own, use it to steer a server-side URL fetcher past its host allowlist and report the resulting SSRF chain.
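The open-redirect-to-SSRF chain mentioned above, as an added example written for this edit rather than code from the original article. It models a server-side fetcher that only accepts URLs on an allowlisted image host, an open redirect on that host, and the chain that lets the redirect send the fetcher to a link-local metadata address; the hardened version re-validates every hop. The allowlist, the hosts and the in-memory stand-in for HTTP are all constructed, and nothing here touches the network.

```python
"""Added example (not from the original article): escalating an open
redirect into SSRF against a fetcher that validates only the first URL.

The allowlist, the hosts and the in-memory stand-in for HTTP below are all
constructed; nothing here sends network traffic.
"""
from typing import Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of a server-side "fetch this image by URL" feature.
ALLOWED_HOSTS = {"images.example.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed metadata address of the kind SSRF chains usually aim for.
METADATA_URL = "http://169.254.169.254/latest/meta-data/"


def fake_http(url: str) -> Tuple[int, str]:
    """Constructed stand-in for an HTTP client: (status, Location or body)."""
    u = urlparse(url)
    if u.netloc == "images.example.com":
        if u.path == "/login":
            # The low-severity bug: 'next' is copied into Location unchecked.
            target = parse_qs(u.query).get("next", [""])[0]
            return 302, target
        return 200, "image bytes for " + u.path
    if u.netloc == "169.254.169.254":
        return 200, "instance-id=i-0123456789abcdef0 (constructed)"
    return 404, ""


def fetch_vulnerable(url: str, max_redirects: int = 5) -> Tuple[str, str]:
    """Checks the allowlist once, then follows redirects wherever they go."""
    if urlparse(url).netloc not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    for _ in range(max_redirects):
        status, payload = fake_http(url)
        if status in REDIRECT_STATUSES:
            url = payload          # no re-check: the redirect target wins
            continue
        return url, payload
    raise RuntimeError("too many redirects")


def fetch_hardened(url: str, max_redirects: int = 5) -> Tuple[str, str]:
    """Re-validates the host before every request, including after redirects."""
    for _ in range(max_redirects):
        host = urlparse(url).netloc
        if host not in ALLOWED_HOSTS:
            raise ValueError("host not allowed: " + host)
        status, payload = fake_http(url)
        if status in REDIRECT_STATUSES:
            url = payload          # the loop re-validates before the next hop
            continue
        return url, payload
    raise RuntimeError("too many redirects")


def hardened_blocks(url: str) -> bool:
    """True if the hardened fetcher refuses the URL or any hop it leads to."""
    try:
        fetch_hardened(url)
    except ValueError:
        return True
    return False


# The chain: an allowed host, an open redirect on it, a metadata target.
CHAIN_URL = "https://images.example.com/login?next=" + METADATA_URL

if __name__ == "__main__":
    print(fetch_vulnerable(CHAIN_URL))   # ends up on the metadata endpoint
    print(hardened_blocks(CHAIN_URL))    # True
```

Re-checking the host per hop is only the first fix: a fetcher that is actually safe also resolves the hostname and rejects private, loopback and link-local addresses, connects to the IP it validated rather than resolving again (DNS rebinding), and refuses schemes other than http and https. For the report, the severity argument is the chain, not the redirect: the redirect alone is Informative on most programs, while the same redirect reaching instance metadata is not.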

You might also fail to communicate the bug’s severity in your report. As the researcher who discovered the vulnerability, you shoulder the responsibility of helping your reader understand the impact. Always strive to learn more about a bug class, so that you can explain its impact accurately.

Tips to do better

In conclusion, here are a few tips to help you improve your bug bounty game!

  1. Find programs dedicated to running a good bug bounty program.
  2. Be patient. Don’t quit a program if you can’t find bugs right away.
  3. Hack programs with large scopes and recon a lot! Automate your recon process to save time.
  4. Avoid low-hanging fruits. Hunt for novel bug classes and complex vulnerabilities.
  5. Develop skills to hack mobile and source code programs.
  6. Keep comprehensive notes about the target and chain informative issues into bugs.
  7. Write reports with your reader in mind, and always include a severity assessment.

The Startup
Written by

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics. https://twitter.com/vickieli7