Hey, I'm tom.sh and for the past 6 months, every single day I have bug hunted. My main platform was BugCrowd but I have also hunted on a couple of HackerOne programs.
# What I expected from bug hunting
When I first made the decision to dedicate such a large portion of time to bug hunting, I expected by now to have made a couple grand and to have a lot of points / rewards. To tell the truth, I'm nowhere near where I expected to be. And no amount of effort could have changed that, let me explain.
My skills in real world engagements / report writing and hacking in general have exploded; I am a way better hacker than I was 6 months ago, BUT I am nowhere near good enough to make some good / consistent money from bug hunting, like a lot of other people who want to get some of that sweet cash reward from these programs. That's the problem though: so many people have had the exact same idea as me, and there are just too many competitors to have a guaranteed stream of income.
# Greed
Also in my experience, the contractors that are behind these programs (not BugCrowd, HackerOne, etc., but the companies that signed up to these services) manage to wriggle themselves out of a lot of bugs and lowball you or just ignore your submissions.
This can be very demotivating, especially after putting in time and seeing that, a couple of days after being triaged, you get NA'd.
# Diamond in the rough
Although, it can be very fun, and I know I'm contradicting myself, but rewarding (maybe not financially). I participated in a couple of VDPs starting off, and getting my first Hall of Fame was very nice to see; finally making a name for yourself among other people can be a big motivator. Seeing your skills progress faster and faster evokes a very strong sense of pride as well.
# Future
From what I can tell, to set yourself apart heavily, get invited to private programs and / or make serious money, you have to spend months if not up to a year to get your first non-dupe, non-P5, non-VDP bug or private contract invite. Basically "in the trenches", as I would call it, getting a very small bang for your buck in terms of your time : reward ratio. Like I just mentioned "non-dupe": I think I am on my 10th dupe so far, and there are always going to be bigger, smarter and faster fish in the sea.
Like I said in the beginning, "no amount of effort could have changed that". I have quite literally put in sleepless nights and entire weekends, used up time for school assignments, and cancelled plans with friends to put time into bug hunting; I have never worked so hard for something in my life. And looking back, if I had got sleep that one night, gone out with friends and done my school assignments, I would still be relatively close to where I am now in terms of success with bug hunting.
From what it seems, your skill doesn't really matter past a certain slate; it's just a race for who can find that XSS first, or that HTTPRM and so on. Not to mention the rise of automated scanners like nuclei, nikto etc. that can outperform the pace / intelligence of a normal hacker. You have to be the first to find those for a while, to get your valid submissions up, to then get noticed on crowdstream, to then potentially get invited to private programs, then once again be first to find a bug, to then potentially be accepted.
This is just my opinion, along with that of a couple of other people I've talked to who agree with me.
Let me know your thoughts. Bye!