The Truth About Bug Bounties

Published 2024-04-08
📚 Purchase my Bug Bounty Course here 👉🏼 bugbounty.nahamsec.training

💵 Support the Channel:
You can support the channel by becoming a member and get access to exclusive content, behind-the-scenes material, live hacking sessions and more!
☕️ Buy Me Coffee:
www.buymeacoffee.com/nahamsec

JOIN DISCORD:
discordapp.com/invite/ucCz7uh

🆓 🆓 🆓 $200 DigitalOcean Credit:
m.do.co/c/3236319b9d0b

💬 Social Media
- twitter.com/nahamsec
- instagram.com/nahamsec
- twitch.com/nahamsec
- facebook.com/nahamsec1


#bugbounty #ethicalhacking #infosec #cybersecurity #redteam #webapp

All Comments (21)
  • 00:03 Bug bounties offer opportunities despite saturation.
    01:38 The newer generation of bug bounty hunters requires time and dedication.
    03:01 Success in bug bounties requires consistency and realistic goals.
    04:23 Bug bounties require impact to be successful.
    05:53 Bug bounties require effort and perseverance.
    07:22 Bug bounty hunting requires patience and perseverance.
    08:46 Passion is key in bug bounties.
    10:08 Bug bounty programs are on the rise.
  • @DevOps691
    I believe the issue lies in the way all channels discuss Bug Bounty programs, portraying it as if a Senior Software Developer with 20 years of experience is telling a Junior how easy it is to find a job and earn a lot of money. However, the reality is quite different. Engaging in Bug Bounty programs could be likened to pursuing it as a hobby when you already have a steady income from your primary work. Otherwise, there's a 98% chance of being left with no money.
  • @Ethan-tl4pp
    As someone who started hacking in 2019, I think it's important to highlight certain aspects of this industry that most beginners don't see or think about. Getting into bug bounties in 2024 is HARD. I started with an intermediate understanding of programming and web applications, which made the journey easier, but I barely made $3000 in my first TWO years of hacking. Two years later, I found my first real vulnerability that made me fall in love with cybersecurity. It was the rush of adrenaline I got at 3 a.m. submitting my polished report with a working PoC. I've felt that rush countless times, while finding potential vulnerabilities and submitting reports to top companies. That feeling hasn't diminished, it's only intensified. That's how I know cyber is one of my true passions. It takes PASSION to get "really good" at this, and it's substantially easier to pour effort into something you're passionate about. For me, it took 2 years. For others it takes 5. Some people take months to start earning real cash. Realistically the only people getting bounties after a few months are advanced developers or naturally adept teens passionate about cyber. But for some, it's important to acknowledge that bug bounties might not be the right fit for you. To put it into perspective, during my first 2 years I was focused on the money. I was thinking how do I get from this payout to the next. The last 3 years of bug bounty hunting have been the most fun I've ever had with technology, and I don't care about the money. Fuck the money, hack the world. My first 2 years of hacking had me hunched over reading infinite informational outputs from my automated scanners. Sifting through thousands of subdomains, looking for the juiciest hanging fruits. My sleepless nights and frustration were rewarded with scattered bounties ranging from $50 to $500. This isn't what bug bounty hunting is about.
    This is why the industry looks so oversaturated, and it's dominating the perspective beginners have. Your bug bounty competency directly correlates with your technical skill and cybersecurity comprehension. The biggest trap for beginners is letting automated scanning dictate how you perceive security and risk! It wasn't until I landed my first job in tech/security that I finally developed the mindset and passion bug bounties require. In the span of a year, I was able to submit over 15 CVSS 7+ bugs for a total of $31k. The most incredible part of that journey was that it didn't require me to down Red Bulls at 3 a.m. or over-rely on automated scanners. I had found my place in the security world, and was able to identify the ways of working that were best for me. My learning and knowledge were finally starting to consolidate. In my opinion, the only people who are able to transition to bug bounties midway through their career are senior software engineers and people who already work in cyber security. Otherwise, it's important you look at bug bounties as a skill you can learn while progressing your current career path. It's incredibly gratifying that these 5+ years of hard work are rewarded by the fact that I can sit down at a cafe, open up Burp and hack away. No supervillain tools arsenal and no automated mass scanning, just me and the target. The effort and learning pays off, you just have to stay consistent for as long as you can. Read, learn, play, and hack as much as you can! Sorry for this silly little essay. I love your content to death; as one of my idols you're an important part of how me and countless others have become successful hunters, and you will forever have my thanks. But I think the beginners community as a whole would benefit from more transparency on how long it might take them to develop the autonomous skills to be great and efficient at this.
    97% of people don't make money because they're doing the exact same thing as the person before them. P.S. don't let these BS comments about being a "scammy course seller" get to you. "Get rich quick" has caused some irreparable damage to communities like ours. It hurts to think about the teachers and content creators getting this treatment when all they want to do is give back to the community. Much love brother ❤
  • @gand0rfTRZ
    Story!! I can't tell you how many people I have talked to that want to get into Cyber Security in general to make money. I do my best to get them to understand that you have to have a passion for it. Like you said, money is a secondary goal. I also ask them if they are willing to spend 1 month focusing on one topic to understand it. I also lay out just how broad of a field it is. People just see the dollar signs and want to chase them.
  • @xerox0x1
    Exactly as you said Ben, we all deal with higher highs and lower lows, but if you're passionate about it when the downs come (and they will), you will at least have a good aspect about it. And I never forget zwink's words when it comes to the dark side of bug hunting, and I quote from him: "Bug bounties is like playing slot machines. One program will take 6 months to respond, downgrade all your issues, mark them all N/A or weasel out of paying, while others will respond in 15 minutes, pay in 30 minutes, and fix the issue in 45. Pull the lever, see if you win." I wish you all a successful journey ❤✌
  • Where there is a will, there will ALWAYS be a way! The question is: how much time, effort, and devotion is it worth to you? You can sit all day thinking of reasons why you can’t do it, or you can redirect all that energy toward making it happen! What I have learned: people My reason for all the time and effort: when I am 90, all I will have to do in 2070 to make money is sit down to a laptop. All I will need is my laptops, WiFi, my fingers and my brain.
  • @hermajaystey
    Yes! Please do your origin story and how you started and how you found your first bug 😊
  • @RobertVan-iz5lx
    Number one thing to have to succeed in something that's not easy and competitive is the motivation, motivation that comes from passion... If you get into something for the money but you struggle and have to force yourself to even get started, well, maybe do something else...
  • Your videos are consistently valuable @NahamSec. First, we must learn to identify and fix software issues. Secondly, wealth follows as you build your knowledge. It demands dedication and time, yet with passion and clear goals, attaining wealth becomes increasingly achievable. Thank you!
  • @user-fp7fs9xl2t
    Challenge accepted; "MORE"... Thanks for the motivation NahamSec
  • @d4nm4c
    Would love to hear your story Ben!
  • @-DaddyBigFish
    Your videos inspired me to study Hack The Box academy and work towards a career starting as a Junior Penetration Tester. I'm still studying but I just started applying for jobs. I'm almost 50% the way through CPTS path and I'm feeling comfortable doing machines on Hack The Box. All of this with 0 experience in hacking and I owe a lot of thanks to you for the inspiration.
  • Thanks for the video! It's been informative! what are the books behind you?
  • @user-vw9yw9ce7v
    Hi, @NahamSec! Please, tell us how do you organise your notes? Which tools do you use?
  • @Cypherx444
    Hi Ben, I just enjoy bug hunting. That's why I don't give up; it's like a game for me, with curiosity.
  • @oneplanet2198
    All you said is true. I am making a little money from it, but it is really difficult. Consistency and patience are key.
  • @PremiumMind
    All the comments about passion and motivation are 100% correct. I would also like to add that having a background in networking and full stack development is critical. Choose your stack wisely; in other words, don't just focus on Python and think you are a full stack developer. You need to know about all of the 'moving' parts. Also, every upgrade cycle is a chance to find new bugs and vulnerabilities. May the force be with you.
  • @nope4377
    Thank you, and I will go back to my laptop and continue learning Spring Boot.
  • @1DRS
    Thanks Naham, another useful video from you. Really appreciate it.
  • @blablubb1234
    You’re only sharing the good parts of your experience and not the negative ones. That’s what people complain about