First month in Bug Bounty: results, numbers, and lessons learned
Introduction
My journey into cybersecurity started from scratch - I had no work experience or education in IT in general, whether it was system administration or programming. I simply studied methodically and passed certifications. Over three years, I accumulated a certain stack: OSCP, HTB CWES, CRTP, PNPT, PJPT, PJOR, CompTIA A+, Network+, and Security+.
When it came time to look for a job as a pentester, I faced reality: there were almost no vacancies in my region, and those I found didn't even lead to interview invitations. A profile without practical experience did not attract the interest of employers. To start gaining real experience, I decided to try my hand at bug hunting.
The main goal was simple: to gain experience and test my knowledge in the field, rather than in a lab environment. And, of course, I was also interested in building a reputation as a practitioner and receiving my first payouts.
Choosing a Platform
I decided to start with the local Kazakh platform RTeam. On global platforms like HackerOne, I was intimidated by the huge competition - it seemed that there was nothing for a newcomer to do there, everything had already been found before me. I wouldn’t be able to compete with the best hackers from around the world.
On RTeam, I had a program with a small scope. At first, I was not so much looking for bugs as I was experimenting, trying to apply methods I had recently learned, and exploring new tools in bug hunting. I didn't set the task of immediately finding vulnerabilities, but instead focused on understanding how everything worked.
A Month in Numbers
Initially, my expectations were modest: I hoped to find at least one small vulnerability. In the end, after a month of active work, I managed to submit 9 reports.
The results were distributed as follows:
3 payouts totaling ~$400: for one High-level vulnerability, I received ~$200, for Medium - ~$100, and another High brought in ~$100. The concept of "normality" varies for everyone, but for a start, this is a decent result for me.
The rest: 1 Low (not paid), 1 Info (not paid), and 1 report went "out of scope."
Duplicates: 3 reports were marked as duplicates. At first, this can be very demotivating; the key is not to give up and keep "poking" away.
One finding deserves a separate mention. I discovered a small Medium-level vulnerability in the software and contacted the developers directly. They confirmed the existence of the bug and escalated it further within the development team. Now I'm waiting for news - hoping for a payout and, if lucky, for the assignment of a CVE number.
What this month taught me (Lessons)
During this month, I watched many educational videos and realized several obvious things:
If you're not technically strong, you need to conduct quality reconnaissance. You should look for assets and endpoints that others simply haven't found.
Many researchers don't want to spend time deeply studying the functionality: creating multiple accounts, testing the interaction between the "victim-attacker" roles. If you reach this stage and analyze every button down to the screws, the chance of finding a bug increases sharply.
Don't get hung up on the Application level. Bugs are not only in the application code. Many hunters simply overlook the service level (open ports, outdated versions of software running on those ports, and misconfigurations).
Bug hunting and learning should go hand in hand (at least for me, as I have limited skills). It's not enough just to Google when problems arise. I set aside time for systematic course completion. For example, this month I went through materials on Jason Haddix's methodology and studied new topics in PortSwigger Academy (attacks on AI and JWT tokens). It's essential to broaden your horizons.
Economics and Time
Many are interested in how much time needs to be spent to achieve results. For me, it looked like this: on weekdays, I tried to dedicate at least three hours to bug hunting after my main job (usually until 9 PM), and on weekends, I sat a little longer. In total, it averaged about 4 hours a day.
I divided the entire month into two stages:
The first two weeks were spent on learning. I was watching materials on Jason Haddix's methodology and going through PortSwigger Academy.
The next two weeks I was directly engaged in searching for bugs in the chosen program, taking into account the new knowledge and methodology.
In terms of interaction with the platform: there were no issues. The triage on RTeam worked quickly - on average 1-2 days for a report. Payments arrived within 7-10 days. There were cases of underestimating severity, but I took it calmly - the platform's reasoning was adequate, and in their position, I would probably have acted similarly.
Advice for Beginners
The main conclusion I made: certification and real bug hunting are very different things. Certificates provide about 20-30% of what is needed in practice. In training, you are usually given a stripped-down application with a couple of functions where a bug definitely exists. In bug hunting, everything is different:
In courses, they almost never teach reconnaissance (recon), and without it, your scope will be too narrow.
Real applications are huge. You are not taught how to deal with such a flow of information and how to prioritize - what to check first and what not to waste time on.
My recommendations for those who are starting:
Choose one program and spend at least 50 hours on it; if the scope is large, then all 100 hours, no less. Do not jump between programs. Study every little detail in the application. Your goal at the beginning is not to "make money," but to become a researcher who understands the program better than other hunters. Bugs will be found as a side effect of such immersion.
Live experience is priceless. I recommend channels: NahamSec, JakSec, InsiderPhD, The-magn4, BugBountyReportsExplained and the podcast Critical Thinking. They provide practical advice from real life.
If you don't have a web foundation, the best resources are the HTB CWES courses and preparation for Burp Suite Certified Practitioner (BSCP). I also heard that cool labs are offered by PentesterLab (they focus on bugs that can be found in real life).
If you are starting from scratch, begin with CompTIA Security+ and courses from TCM Security (PJPT, PNPT). Taking the exams is not mandatory (though I highly recommend it), but you need to go through the material to understand the basics.
Conclusion and Plans
Now that I have finished working with the program on RTeam, it's time to move on. My next step is to enter foreign platforms (but this is still uncertain).
I am already looking at the Intigriti platform. I haven't chosen a specific program yet, but I plan to act according to the same scheme: not to scatter myself on everything but to find one interesting project and dive deep into it.
Today I created a Telegram channel. I will continue to post my progress on bug hunting there, as well as just thoughts on the topic, not only technical ones. The comments are open, so if you have any questions or want to discuss something - come in, let's chat.