Like anyone starting with something new, I made some mistakes when I just started bug bounty hunting.

Here are some of my mistakes so that you might avoid them:

1 - I Had No Confidence

At first, I only went for the new & small bounty programs.

I thought programs offering $100k plus would attract way too many intelligent people. They’d seen too many eyeballs. There was no chance that I’d be able to find something in there.

I was wrong!

I started with these smaller projects but didn’t see diminishing returns as I moved on to bigger ones. If anything, things got better. The code didn’t have many fewer vulnerabilities, but the rewards were getting better and better.

Your **unique perspective** helps you find bugs others missed, even in projects sporting high bounties.

2 - I Got Lowballed

Some (not many) teams argue a lot about severities, impact, etc., and don’t feel like paying out promised bounty awards.

So I quickly developed this useful habit: I always immediately report the first thing I find and stop actively working on the protocol. I then get to experience how the team handles the report. A lot of teams are great, and some aren’t.

Do they behave dishonestly? Their loss. Move on—no need to give them more free security work.

3 - I Wrote No Proof of Concept

I didn’t write a proof of concept for my first bug reports.

I thought writing them was boring. I’d already found the good stuff; this was just extra work. However, I encountered two problems:

  1. **I made a mistake -** I’d looked at the documentation and assumed it was right. Unfortunately for me, it wasn’t, and a bug I thought I found wasn’t exploitable.
  2. **A developer didn’t believe the report -** I submitted a report, but the developers were adamant that their code wasn’t vulnerable. My exploit scenario was impossible. I was right 💪, but it took a PoC to convince them.

Writing a PoC is worth every minute you spend on it.