-
It really depends and I don’t think there’s necessarily a hard and fast rule. If it’s a client engagement, there should be some kind of defined timeline or scope, so that takes care of that. But if you’re talking about open bug bounties, you’ll see some people stick to a handful of big targets and they focus on those exclusively. Others will only spend a little bit of time per target but go after more targets.
Personally, I tend to do better with targets that I’m personally interested in. Maybe it’s a product that I personally use or have used in the past, or that I know friends use. Since it’s more interesting, I might spend more time on that target even if I’m not finding anything at first.
There was one recently that I *really* wanted to find a security bug on because it’s a product that I use and have known about for a long time. I couldn’t find anything for 2 weeks. The third week, I popped a stored XSS. It could have been 4 more weeks before I found it, or I may have never found it at all. Not knowing is part of what makes this field challenging for sure.