Administrator, April 21, 2021 at 4:52 pm
Hey Anthony, first things first, I want to welcome you to the community! You’ve come to the right place and we’re glad to have you here 😀
Second, I want you to know that you’re definitely not the only person who’s feeling that way. I know sometimes it can seem like everybody is crushing it on social media, but you don’t get to see the behind-the-scenes struggles that they’re going through. Most of the people who are getting nice bounties have been doing it for years or have an extensive background. Just like you though, they had to start from zero at some point in their lives :-). So try not to let that get you down too much! Let it motivate you though!!
It’s definitely not too late – all the bugs are not gone. If they were, we’d all be out of a job. The other thing to keep in mind is that bug bounty hunting isn’t the only thing you can go after in this field. There are many other options, and sometimes you can start off with a different entry point. So even if bug hunting isn’t working out right now, don’t quit cybersec! Not saying you’re necessarily there yet, just saying that so you know there are different avenues.
Now to more actionable tips:
1- Most beginner hunters that I talk to who are struggling don’t spend enough time on, or don’t have a solid process for, information gathering. Instead, they jump right into the application and start throwing random payloads at the target to see what sticks and what doesn’t. Or they’ll fire up an automated tool right away and point it at all the input fields they can find. Then, when nothing happens, they say that there are no security bugs and they move on to a different target.
I’m not saying that’s necessarily what you’re doing, but I have to ask: what does your reconnaissance process look like right now? How much do you know about your target before you try and attack it?
2- Next, I’m glad to see that you’re focusing on 3 classes of vulnerabilities only because sometimes people try to cover everything under the sun. It might be beneficial to narrow your focus down even further to 1 vulnerability class (maybe 2). That way you’re really focusing all of your energy on finding one type of vulnerability and you’re learning that class super well.
3- Try to find a mentor in the space. Someone who’s doing bug bounties right now or who has in the recent past, and who’s ahead of your skillset. You’re asking for help so that’s a great first start.
I’m actually putting together an invite-only group for bug bounties right now. We’re still in the early stages, but the idea is to start beginners off by going after realistic test environments (i.e. a copy of Cybr’s platform) to practice without worrying about making a mistake, and also solving certain challenges that I’ve put together in order to gauge where you are at. Then, moving on to real bounty programs (HackerOne, Bugcrowd, etc.) and having the group collaborate & share discoveries, ideas, feedback, etc. along the way. Let me know if this is something you’d be interested in and we can chat to make sure you’d be a good fit for the program!
Hope this helps, and I look forward to your thoughts,