Three Months of Full-Time Bug Bounty Hunting as a Newbie in 2024

Hi, my name is Chaitanya Reddy. I have written this article to share my experience of trying bug bounty hunting for three months as a full-time job in 2024. So let’s begin.

I'll try to keep this section short as the main focus of this article is to share my bug bounty experience.

After four years in the cybersecurity industry, I chose to step away from the conventional 9-to-5 grind. My plan was to push myself to the limits for one year in terms of improving myself in this field.

What I had in my mind was:

Getting OSCP CertifiedGetting proficient in web security through PortSwigger Labs and OSWETrying out full-time bug bounty hunting as a replacement for my traditional jobExploring Cloud Security

From January to mid-February, I dedicated myself to preparing for the OSCP exam, which I sat for in mid-February. I successfully achieved certification, earning 90 points in just 7 hours. Following this milestone, I took a brief time off to recharge before diving into the next phase of the plan.

I began with PortSwigger Labs, a free and excellent resource. I spent the entire month of March working through its exercises. In April, I enrolled in the OSWE. From April till June, I went through the complete course and solved all the labs in this course. I sat for the OSWE exam in the first week of July. Despite my extensive preparation, I did not pass.

Facing financial constraints, I decided to postpone my OSWE goal to the first quarter of 2025 and shift my focus towards full-time bug bounty hunting.

I decided to start hunting on platforms like Hackerone/Intigriti/Bugcrowd. Although the competition is very high, if you can get bugs on the programs listed on these platforms, you’ll start getting invites to private programs, and finding bugs on BBPs becomes a bit easier.

The first month of bug hunting on public programs proved to be one of the most challenging thing I’ve faced recently — more challenging than my OSCP preparation. Despite dedicating an average of seven hours a day for three weeks, I struggled to find any bugs. It became clear that the entry barrier was incredibly high. Most of the bugs had already been discovered on these long-standing programs.

So to circumvent this barrier, I have to change my strategy. I made the following changes to my approach:

Focus Exclusively on Newly Launched Programs: I directed all my attention to newly launched programs.Target Vulnerability Disclosure Programs (VDPs) and Programs with Recently Updated Domains/Subdomains List: For instance, I zeroed in on programs like Redbull on Intigriti, which frequently adds new domains and subdomains every few days.

This new strategy paid off. Within five days of implementing these changes, I discovered my first bug. Shortly thereafter, I found another on a recently launched program. This breakthrough marked a crucial turning point in my journey. With these successful submissions, I began receiving invitations to private programs on Intigriti.

After receiving invitations to several private programs, I shifted my entire focus to these opportunities. Within a month, I was able to discover a few low-severity bugs on these programs.

During this period, I noticed a new program on HackerOne, so I decided to give it a try. Fortunately, I found several bugs, which resulted in a signal of 3. Following this, I received invitations to multiple private programs on Hackerone and started getting results.

To sum it up, here are the statistics.

Total Bugs Accepted: 10 (6 BBP and 4 VDPs)

Severity: 2 Medium and 8 Low

Total Bounty Received: 2331 USD (1000 USD x 2 + 100 Euros x 2 + 50 Euros x 2)

Primary Goal: At the very beginning of this journey, your primary goal should be to rack up reputation points on these platforms. This will help you start receiving invitations to private programs, which are where you have a real possibility of earning money (at least as a beginner).

Types of Programs to Focus On:

Programs that have been launched recently (you can track them via bbradar.io).Vulnerability Disclosure Programs (VDPs) with a broad scope, as there is typically less competition there.Learning and Development: Dedicate 30% of your daily time to learning new things and the rest 70% on practicing on programs. Some of my favorite sources include Hacktivity Feed, Bug Bounty Articles and LinkedIn PostsPhysical Fitness: Ensure you exercise for at least one hour every day. This could be swimming, going to the gym, playing badminton, etc. Many people don’t realize that physical and mental fitness go hand in hand. You cannot give your best mentally if you are not physically fit.System for Learning: It’s not humanly possible to remember everything. Therefore, you need a system (a “Second Mind”) to store all your learnings. I use Notion for this purpose. Write down all notes, commands, tips, and tricks so that you can refer to them quickly without wasting any time.Persistence: Don’t get demotivated if you encounter many duplicates or struggle to find bugs. You are competing with some of the best minds, so this is expected. Keep pushing yourself, and you will start seeing results eventually. It might take a few weeks or even months, but persistence will pay off if you don’t give up.Beating Burnouts: Burnout in cybersecurity is a real issue, so be sure to take breaks regularly to recharge yourself.

I’m planning to go on a trip to recharge myself. The options are either Meghalaya or Ladakh, but the destination has not yet been decided. I’m open to suggestions.

After the trip, I will start focusing on cloud security in addition to bug bounty hunting. I plan to dedicate 2–3 hours each day to cloud security, 1–2 hours to web security learning, and the rest of the time to finding bugs related to that day’s learnings. After 2–3 months, I will reassess my progress and make future decisions accordingly.

Thank you for reading.

Feel free to contact me on LinkedIn (Link) if you have any questions.