Like anyone starting with something new, I made some mistakes when I just started bug bounty hunting.
Here are some of my mistakes so that you might avoid them:
1 - I Had No Confidence
At first, I only went for the new & small bounty programs.
I thought programmes offering $100k plus would attract way too many intelligent people. They’d seen too many eyeballs. There was no chance that I’d be able to find something in there.
I was wrong!
I started with these smaller projects but didn’t see diminishing returns as I moved on to bigger ones. If anything, things got better. The code didn’t have many fewer vulnerabilities, but the rewards kept getting better and better.
Your **unique perspective** helps you find bugs others missed, even in projects sporting high bounties.
2 - I Got Lowballed
Some (not many) teams argue a lot about severities, impact, etc., and don’t feel like paying out promised bounty awards.
So I quickly developed this useful habit: I always immediately report the first thing I find and stop actively working on the protocol. I then get to experience how the team handles the report. A lot of teams are great, and some aren’t.
Do they behave dishonestly? Their loss. Move on—no need to give them more free security work.
3 - I Wrote No Proof of Concept
I didn’t write a proof of concept for my first bug reports.
I thought writing them was boring. I’d already found the good stuff; this was just extra work. However, I encountered two problems:
- **I made a mistake -** I’d looked at the documentation and assumed it was right. Unfortunately for me, it wasn’t, and a bug I thought I had found wasn’t exploitable.
- **A developer didn’t believe the report -** I submitted a report, but the developers were adamant that their code wasn’t vulnerable and that my exploit scenario was impossible. I was right 💪, but it took a PoC to convince them.
Writing a PoC is worth every minute you spend on it.