How much money I made in my 1st year of bug bounty - Bounty vlog #4

Introduction

Over a year ago, I quit my job in cybersecurity to pursue bug bounty hunting and creating content full-time. While I had only one bounty to my name prior to this decision, I was confident that my experience finding bugs during penetration tests would translate well into the bug bounty space. I imagined that after a year, I would have accumulated five-digit bounties and possibly even a six-figure income. However, reality proved to be quite different.

In this article, I'll be sharing the actual numbers of the reports I submitted and the money I earned. Transparency is essential to me because I know many of you are in the same boat I was in when I first learned about bug bounty programs. The bragging on platforms like Twitter often leads to unrealistic expectations, and many write-ups seem simple yet reward thousands of dollars. By sharing my journey, I aim to help others navigate the world of bug bounties more realistically.

First Steps: Testing My Methodology

Initially, I challenged myself to spend 100 hours on a public program on HackerOne. I chose the Tribe program and adopted a methodology focused on understanding how things work rather than extensive reconnaissance. In this period, I managed to find two exploits, an SSRF, and a bypass, earning a total of $7,200. While this was a good start, it wasn't life-changing money, but it showed me that I could potentially make bug bounty hunting a career.

The next challenge was to participate in an Elastic bug bounty program with the same 100-hour commitment. Unfortunately, I could only find one bug, netting $584. This amount was less than what I would have earned at a minimum wage job. This experience led me to question my methodology and pushed me to start doing reconnaissance, even though I didn't enjoy it.

Later, I participated in a private program for an application I use daily and care about, where I found four bugs in 37 hours and earned $2,500. This experience greatly motivated me, but I soon struggled to find programs I was excited to work on.

A Year Full of Lessons

Fast-forward to a year later, and I realized my expectations did not align with my reality. I had anticipated more confidence and a greater number of bugs, but procrastination and a loss of motivation hindered my productivity. My initial goal was to equally split my time between bug bounty hunting and content creation. However, I found myself focusing more on content creation and facing challenges with time management.

Despite the setbacks, my personal life improved significantly after quitting my job. I had more time to meet friends, travel, and pursue hobbies such as bouldering, which I’ve grown to love. However, the summer brought a lapse in motivation due to personal issues, prompting me to seek changes to rekindle my drive.

Regaining Motivation

A turning point came when I decided to hack with David Church in Budapest. We focused on Facebook, and to our surprise, we found a bug, earning $5,000. This experience reignited my motivation. After returning home, I began implementing small changes in my daily routine and prioritized bug bounty work over content creation.

Focusing on what I enjoyed, especially open-source projects, I found good success. I submitted a report on a self-hosted program that resulted in finding a serious vulnerability. My motivation further increased when I found a new bug in Stripe that was worth $2,000.

Continuing to focus on projects that sparked my interest, I turned my attention to Google and quickly found a bug that earned me $3,000, with another pending potentially being more rewarding.

Final Thoughts

In total, I logged 441 hours over my first year in bug bounty hunting, earning $19,500, with pending payouts yet to be finalized. While I could have potentially earned more through traditional employment or freelance pen testing, I've seen personal growth and improvement in my skills.

The most significant lesson I've learned is to remain disciplined and consistent, allowing time for learning and self-improvement outside of immediate financial pressures. Bug bounty hunting is not merely about the money; it's about the journey, growth, and passion for what you do.

If you're wondering about your potential in bug bounties, know that success doesn't come overnight. Don't compare yourself to others; focus on your journey, and ensure you're enjoying the process.