Bugs, Bounties & Peace of Mind

As a Bug Bounty Hunter, finding Bugs or security vulnerabilities in websites always feels like finding some hidden treasure in unknown territory. These bugs are like Gems of imperfection, ready to be found by the worthy and get disposed of. The rare the bug or the difficult it is to find the more enthusiastic and proud you feel. If you have found a bug that is difficult to find or by employing some creative techniques you have found a hidden flaw(the hidden gem), even if reporting that bug does not provide you with bounty or anything, you feel accomplished and proud and your skills sharpened by the experience.

But this article is about my emotional experience with those bugs that I found easily(without any efforts) and got rewarded(by bounty) for some of those.

I was lucky enough that in the first few days of starting bug hunting I found a technical bug, from starting I was keen to not report any bug like SPF or DMARC record misconfiguration, or any scanner founded vulnerability that does not have any immediate great practical impact, that's when I found the bug Parameter tampering on which I wrote my very first article. Even if I did not get rewarded by bounty or swag, I was happy and excited for more, this finding boosted my confidence and give me the subtle motivation that I am not just a wannabe and am capable of contributing to cybersecurity. After this I found similar bugs in some websites with their own VDP and reported them, they awarded me with monetary reward.

After these came a slump in my bounty hunting, I was unable to find any bugs so I resorted to reporting LHF(Low Hanging Fruit), the same type of vulnerabilities that I did not wanted to report, Interestingly I reported the SPF misconfiguration for a banking organization bounty program and get awarded with the largest amount of bounty I have ever received, for that LFH finding, but instead of being proud of that high reward, I was dissatisfied and became a victim of Impostor Syndrome.

Due to this slump, I tried getting an Internship in Cyber Security to get direction and guidance, It was a badly managed organization with no defined future goals, this internship further swelled my self-loathing, as for saying I was employed but did not learn anything new apart from a little android application pentesting. I again switched and found another internship, this company was a startup but professionally managed, here I started slow-paced but when I found XSS on file uploads, XSS on uploading files with XSS payloads in name, and some other cool vulnerabilities, I felt that adrenaline rush that I experienced in the starting days, I felt back on the track, I learned comparatively more in this internship and enjoyed my time there, it helped in restoring my self-confidence as a Cyber Security Enthusiast.

The conclusion of this article can not seem fit for all the intellectuals reading this, but I think the conclusion will seem fit for a majority of people working in this highly competitive domain. I think we should not thrive exclusively for the bounty amount and the numbers of LFH or dupes that we can add and flaunt on to our social media account, instead, we should work on the essence that is securing and learn from those ideals working in cybersecurity, the message of giving back to the community and contributing towards a much more educated Cyber World.

𝒜𝓂𝒶𝓉𝑒𝓊𝓇 𝒜𝓇𝓉𝒾𝓈𝓉𝓈 𝓌𝑜𝓇𝓀 𝒻𝑜𝓇 𝓉𝒽𝑒 𝒸𝑜𝓂𝓅𝑒𝓃𝓈𝒶𝓉𝒾𝑜𝓃 𝑜𝒻 𝒽𝒾𝓈 𝒶𝓇𝓉,
𝒢𝓇𝑒𝒶𝓉 𝒶𝓇𝓉𝒾𝓈𝓉 𝒻𝒾𝓃𝒹 𝓉𝒽𝑒 𝒸𝑜𝓂𝓅𝑒𝓃𝓈𝒶𝓉𝒾𝑜𝓃 𝑜𝒻 𝒽𝒾𝓈 𝓌𝑜𝓇𝓀 𝒾𝓃 𝒽𝒾𝓈 𝒶𝓇𝓉.

🙏