Difficulties of being a full-time hunter

It can be hard to become a full-time bug hunter, and now that I'm doing it, I can see everything from the inside. I wanted to take some time to lay out all the problems I face and how to avoid repeating them if you want to make a living from Bug Bounty.


When looking at Twitter (X, sorry), you can easily see a lot of tweets from hunters earning a lot of money: 5k, 10k, sometimes 50k with one bug. And I'm sure that at first you thought "oh god, it's possible to get that rich with this job". And of course it's possible, but not as easy as you might think. So let's come back down to earth.

Survivor Bias

One big thing is this bias. According to my best friend ChatGPT, here is its definition:

Survivor bias is a cognitive tendency to focus on successes or survivors, overlooking failures. This can lead to biased conclusions by neglecting non-survivors or unsuccessful cases, distorting our understanding of events.

This means that you will only see those who earn big amounts of money and still think that this is simple. But the reality is different, and so many hunters are not able to make a living from that alone. That's why you need to focus first on yourself and your knowledge, and not look at others and compare yourself with them.

If you have strong knowledge of security, you will find bugs, and otherwise you will find a job in this field.

That's what I'm trying to do. I'm not only hunting; I keep learning and looking for resources to expand my knowledge, so that I can find new bugs and not stay focused on one type of vulnerability.

That's also why I started this blog: to talk about my journey and to force myself to dedicate time to learning and writing technical content. Learning by teaching is, I think, one of the best ways to improve your skills.

Impostor Syndrome

It's very hard with this one. You have to fight with yourself every day to know your value. I know it's hard, but if you compare yourself with others, it will be harder and harder to believe that you can find bugs.

And that's why a lot of people try bug hunting and then stop, because they don't find any bugs. Without persistence and confidence, it's impossible. And a lot of the time, it's more about confidence than knowledge. I know plenty of people who are afraid of doing bug bounty but can come first in the hardest CTFs.

I was always quite bad at CTFs. I don't know why; it's just not my thing, I think. But I understand why people prefer them: you know that there is a bug somewhere. In Bug Bounty it looks like there are no bugs, but a lot of the time, after spending a week or more on one functionality, I was able to find something just because I knew the app better than at the start.

As I told you, I got into bug hunting thanks to my mates during my internship, and they gave me the confidence to start and to find bugs. Before that, I had tried bug hunting and was not able to find anything. But one week after they told me, I found something, not a critical, but a bug, and I was rewarded.

What had changed? My knowledge? No, I had the same background. It's simply that they convinced me it's possible to find something anywhere. And now that I know that, it's easier to find bugs.

It's the same with public programs. So many people avoid looking at them because they think everyone is on them. But in the end, only a handful of people are still on them. And there are still bugs, because every day they push new lines of code.

Bad Programs

When you do bug bounty every day, you need to find the right programs for you. It depends on your mindset and what you like. If you prefer client-side vulnerabilities, look at a big React or Angular app with plenty of JS. I like big apps with a lot of different roles and privileges; you can always find the little edge case with an IDOR in it.

Sometimes you get a program with only an up-to-date Drupal on it, and it's pretty boring (it happens a lot of the time), and sometimes you get YOUR program, the one you will stick with for months. I hope you find that program.

But one of the biggest problems is the responsiveness of the programs. A lot of the time, they are not very responsive, and you can wait a long time before getting an answer or being paid.

That's my case: I have submitted a lot of reports, and sometimes it can take up to 6 months or one year to be paid. And when you're trying to make a living from that, it's almost impossible to wait that long.

But you can avoid that, and here is my advice. First, when you get a new program, go on it, find one bug, only one, and report it. That will show you how responsive the program is and how they handle it. Then, if it works for you, continue on that program. Don't push a lot of reports at the beginning, so you don't end up frustrated.

Choose the right platform and program. For instance, on HackerOne you can see the responsiveness up front, so avoid programs that don't pay and that take a month to respond. And choose a platform with triagers who can understand you and reproduce the bug. I had the best triage experience on YesWeHack. You can get a report triaged in less than 10 minutes; that's crazy compared to some other platforms.

So that's when it's the fault of the program or the platform, but a lot of it is also down to you. If you can find more impactful bugs, they will handle them quickly and fix them at the same time. I know it's hard and I'm not at that point yet, but if you aim for the most impactful bugs, they will be handled quickly.

The same goes for the report itself. The more you explain and the more details you give, the better they will be able to reproduce it, understand it, and fix it. So try to write as well as possible so that you are well understood.

Cash Flow

When you want to be a full-time hunter, you need cash flow to handle all of these problems. Because for some periods it's possible to find nothing at all, and that's very frustrating for you and your ego. But if you don't have money and cash flow in reserve, it will be even harder.

That happened to me. I left France with enough to sustain myself for 4/5 months in South-East Asia. But in the end I had to spend more, because I hadn't thought about some things. During the first 2 months I was able to find some bugs, but the programs took 2 months to pay me. So I reached a point where I didn't have enough money to sustain myself. I thought maybe I should stop, go back to France, and live at home for a few months.

But finally the bounties arrived, and I'm now able to sustain myself for more months. But it's not sustainable to live like that. So please, don't be like me: get some cash flow before doing this. The more you have in reserve, the less stressed you will be. It was a stressful experience to feel that your dream job was finally not made for you. But now that I'm getting paid, I will be more focused on my finances and on how I spend my money so I can save more.

And always try to have reports under review, so you know bounties will come in at some point. Keep a steady flow of reports and money to be sustainable.

I know it's easy to say and hard to do, and I experienced it myself, so now I can say that having a backup is good.

That's also why I wanted to start this blog: to show you the reality of Bug Bounty and not only the best parts and the big amounts of money you can make. So if you're interested in knowing more about me, you can follow this blog and my newsletter; it will give me the confidence to keep going!

If you have any questions, or if you have better answers to my problems, you can share them in the comments below or directly on Twitter!

See you next time.