How much money I made in my 1st year of bug bounty? Bounty vlog #4

Bug Bounty Reports Explained
19 Nov 2022 17:02

Summary

TLDR: A year ago, I left my job as a pentester to pursue bug bounty hunting full-time, despite having only one prior bounty. Initially, I found success but struggled with motivation, time management, and balancing work with personal life. Over the year, I experimented with different strategies, found bugs in major platforms like Facebook and Google, and gained valuable insights. This video shares my honest journey, including financial results, challenges, and lessons learned. It's a story of perseverance, adjusting to my own rhythm, and realizing that consistency and doing what I enjoy are key to success in bug bounty hunting.

Takeaways

  • 😀 Quitting a stable job to pursue bug bounty hunting was a risky decision, but it came from a belief in consistent bug discovery during pentests.
  • 😀 Initial bug bounty successes were encouraging, with a notable $7,200 earned from a 100-hour challenge on Stripe, showing that bug bounty could be a viable career.
  • 😀 The reality of bug bounty hunting proved more challenging than expected, with the second challenge yielding only $584 for 100 hours, leading to self-doubt.
  • 😀 Finding the right target and enjoying the hacking process is crucial for staying motivated and productive in bug bounty hunting.
  • 😀 Time management became a major obstacle due to balancing bug bounty hunting, content creation, and personal business ventures like BBRE Premium.
  • 😀 Personal growth and discipline took a hit, with increasing procrastination and reduced focus over time, despite having the flexibility of being one's own boss.
  • 😀 The lifestyle after quitting a full-time job had its positives, including improved work-life balance, pursuing hobbies like bouldering, and better physical health.
  • 😀 A slump in motivation occurred, leading to a realization that without changes, returning to employment might be necessary. Collaboration with others reignited the spark for bug bounty hunting.
  • 😀 The key to success in bug bounty hunting is to focus on methodologies that suit personal preferences, rather than trying to follow others' paths or forcing oneself into uncomfortable tasks like recon.
  • 😀 Making small adjustments in daily life, like waking up earlier and reducing distractions, helped restore productivity and focus on bug bounty as a priority over content creation.
  • 😀 Achieving success in bug bounty hunting requires continuous learning, persistence, and understanding that rewards often come after extended effort and evolution of skills.

Q & A

  • Why did you quit your job as a pentester?

    - I quit my job as a pentester to pursue bug bounty hunting and content creation. Despite having only one bounty at the time, I believed that if I was finding bugs consistently during pentests, I could replicate that success in the bug bounty space.

  • What did you expect after one year of bug bounty hunting?

    - I expected to have earned five or six figures in bounties and to have more confidence in bug bounty hunting. I thought it would be a clear upward trajectory, but it didn't go as planned.

  • Why is transparency important to you in bug bounty hunting?

    - Transparency is crucial to me because I want to help others avoid unrealistic expectations. Many people see success stories on social media or read write-ups about high bounties and believe it's easy. I want to be open about the challenges and the reality of the journey.

  • What was your initial bug bounty challenge and how did it go?

    - I challenged myself to spend 100 hours on Stripe's public bug bounty program on HackerOne without doing any recon. In the end, I found two XSS vulnerabilities, an SSRF, an auth bypass, and a bug that let me buy a BBRE Premium subscription for a lower price, earning $7,200 in total.

  • What lessons did you learn from your experience with the Elastic bug bounty program?

    - From the Elastic bug bounty program, I learned that the approach I was using—focusing on understanding how things work without doing recon—didn't always lead to success. I found only one bug for $584, which made me question my methodology.

  • What was the most rewarding bug bounty experience you had in your first year?

    - The most rewarding experience was when I found four bugs in a private program that I enjoyed working on, which earned me $2,500. More importantly, it was a great experience because I enjoyed the process and the challenges it presented.

  • How did personal growth and other responsibilities affect your bug bounty work?

    - While I enjoyed the freedom of being my own boss, I became less disciplined over time. Balancing content creation, running my business, and managing other responsibilities took up more time than I expected, leading to procrastination and lower productivity in bug bounty hunting.

  • What motivated you to get back on track with bug bounty hunting?

    - The turning point came after meeting David Schütz in Budapest. Hacking with him, especially when we found a bug for Facebook that earned us $5,000, reignited my motivation and made me realize the potential of bug bounty hunting. I then made some changes in my lifestyle to improve my productivity.

  • How did you adjust your methodology after hitting a low point in motivation?

    - I focused more on finding targets I was genuinely interested in, like Todoist and Discourse, and stopped forcing myself to follow other people's methodologies. I started working more on understanding the apps I was targeting and enjoying the process more.

  • What advice would you give to others who are struggling with motivation in bug bounty hunting?

    - My advice is to not compare yourself to others or force yourself to follow a methodology you don't enjoy. Bug bounty hunting offers a lot of freedom to adjust your style. Focus on what you like to do and what you’re good at. Also, take breaks and try something new when you're in a rut.
