how to approach bug bounty - without getting frustrated

20 Feb 2022 - mrtn

I’ve recently watched one of the most inspiring talks i’ve ever seen. How to crush bug bounties in 12 months by hakluke. And although the title suggests that it is about optimizing for earning, the real optimization when you hack on bounties is on yourself.

If you are - like me - interested in bug bounties or cyber security in general, you can (and probably should) start with doing bug bounties. Just for the sake of learning on real world targets. Make sure to stick to the scope of the program(s) you chose and get started.

Following the advice from hakluke in this talk, you could start with automating the boring tasks away. If you focus on that part, you might even be able to generate passive income from bounties. Or at least reduce the manual effort to the fun part of exploiting the juice stuff you’ve found.

And no worries if you don’t find anything in the first days, weeks or months - if you stick to it and make a habit out of investing some time in your automation, skills or just general tool-handling, it’ll pay itself forward.

Another factor that plays a huge role in this talk is the looming threat of burn out in IT security professionals. This is also something that should be taken into account when you start doing bug bounties: You might be highly motivated and might be able to do six, 10 or even 12 hour sessions hacking away. In the long run, you won’t keep up with that pace. So if you are serious and want to make this something that lasts for longer than a few weeks you should see it as a new habit that you form. So don’t burn yourself out with extreme intensity at the start - but rather dip your toes in and do one or two hours every day. You’ll be fine.

And with that said - gotta go back to my automation-fiddling