Over one year ago, I quit my job as a pentester to live off bug bounty and creating content, even though before that, I only had one bounty to my name. So by no means was it a safe bet. But I thought that I was finding bugs every single week during pentests, so I expected that in bug bounty, I could also find that many bugs. I imagined that after one year, I would have some 5-digit bounties to my name and maybe a 6-digit sum. Unfortunately, it's not how it went... But in this video, I'm showing you exact numbers of how many reports I submitted and how much money I made.

Why? Why is transparency so important to me? Because I know that a lot of you are just like me when I first heard about bug bounty. Seeing a lot of bragging on Twitter which, most of the time, we can't even verify. Seeing many write-ups that seem simple, that seem like nothing extraordinary, yet they are awarded thousands of dollars in bounties. This leads to unrealistic expectations and I want to do my best to help as many of you out there as possible by simply being transparent myself, not only when it's time to celebrate.

I started off by challenging myself to spend 100 hours on a public program on HackerOne. I chose Stripe. I didn't do any recon - my methodology was to understand how stuff works and this led me to finding two XSSes, an SSRF, an auth bypass and even being able to purchase my own BBRE Premium subscription at a lower price. I earned $7,200, which was a very good start. It wasn't life-changing money but, to be honest, I didn't think this methodology would work at all. Especially since this was just a public bug bounty program on the most popular platform out there. This just showed me that I can do bug bounty for a living. Especially since it was the beginning and I only expected it to get better with future projects.

But from there, it got worse. The next challenge was the Elastic bug bounty program, where I also wanted to spend 100 hours. However, I only found one bug, for which I got $584. 100 hours for me means a full month if I only did that, so this amount of money is less than I would earn by going to any job with a minimum wage. I did regret publicly obliging myself to spend the time because I didn't really enjoy it. It led to a lot of procrastination. But integrity has always been very important to me, so I did complete the 100 hours.

This challenge made me question my methodology of not doing any recon. I also started hacking on some private programs that I knew nothing about and I didn't care about. I also started doing recon even though I do not like doing recon. And most of the time, none of this worked. In that period, there was only one private program with an application that I use daily and I care about, and I really enjoyed hacking there. In 37 hours, I found four bugs and made $2,500 but, most importantly, it was a really, really good time for me. But after that, I struggled to find another one that I would really like. I'm not even going to count how many of them there were.

And just like that, I realized that a year had passed by. I thought that after a year, I would have much more confidence and many more bugs. But to be honest, it's not the return on investment that was my biggest problem. I saw that in pretty much every program that I dedicated more time to, I was finding bugs. I mean every one apart from Elastic. But it was the time spent that was the biggest problem. Often, I was procrastinating when I was just trying to complete hours for the challenge, or I just couldn't find a target that I would enjoy hacking daily and that I would be motivated by.

Some of it is justified because I am not a full-time bug bounty hunter. The other half of my business also takes a lot of time: creating videos, writing the newsletter, but also BBRE Premium. There, people pay me to learn web security, so it's a completely different thing. In this first year, I had to familiarize myself with things like marketing, creating a website, taking payments and many, many more things that you don't normally see. My plan was to spend roughly 50% of the time on bug bounty and 50% on the other stuff but, in reality, the balance was shifted much more towards the other stuff.

But to be honest, the lack of time wasn't the issue here. I had the time. I just didn't use it to work. And I have a love-hate relationship with personal growth, but I consider myself an organized person and I thought that even without having a boss, I would not have issues with time management. But the truth is that over the months, I got less and less disciplined and, simply put, lazy. I started spending less time working overall. And make no mistake, it was one of my goals when quitting my job. I was tired of working part-time and studying daily. Then working full-time and creating content after hours.

And there were huge positives in my life after quitting. I finally had the time to meet with my friends. I finally had the time to travel. I could spend more time on hobbies and sports. This year I found my new passion of bouldering, which I absolutely love. I also got into the best shape of my life. All these things are awesome and I'm so privileged to live a life like that, but I feel that in the long term, it's the work that gives me satisfaction. It's still something that I need to be happy.

But this summer, I hit the low point of motivation. Some personal issues at the same time didn't help either. I realized that if I didn't improve, I would have to change something. Maybe even go back to employment. So things had to change.

The initial surge of motivation came from outside. When I was in Budapest at the beginning of August, I texted David Schütz, the author of a few bugs covered on my channel and the first guest of my podcast. He's from Hungary, so I thought it would be cool to meet with him. I ended up staying in Budapest two more days and we rented an Airbnb to hack something together. We decided to hack Facebook and it was my first conventional collab. But to be honest, I didn't believe that we could find a bug in Facebook in one day. I was still happy to just hack with David, spend time with him and simply learn. But to my surprise, we did find a bug, for which Facebook later paid us $5,000. I was really happy about it, especially since Facebook is just one of those companies that you want to hack at some point in your career.

And I came home motivated. I started to make some changes in my life to get my productivity back. I started with small and simple things like keeping my apartment clean. I think it's a really good way to create discipline. I also decided to make bug bounty my priority over creating content which, of course, resulted in fewer videos. I will probably never find the equilibrium, but I will always be looking for the balance. I also removed some apps from my phone to decrease my screen time. And I started to wake up at 5:30. I just love working in the morning and it also really helped.

Most importantly, I stopped trying to hack the way I think other people hack and I started focusing on what I like doing, which is getting deep into the application, preferably an open-source target. I wanted to hack something that I use myself and I care about. I chose Todoist, the app I use for checklists, even though their self-hosted bug bounty program only pays up to $1,000. After only two hours on the program, I found an OAuth account takeover, which further boosted my motivation. It was a really nice sequence because only two weeks before, I created a video about an OAuth account takeover and a week before, I created an article in BBRE Premium about it, and then I found one myself. Later, it turned out that the experience with this self-hosted program was absolutely horrendous. They took months to process the bug and then they wanted to pay for it as a medium because it's a CSRF. I'm still arguing about it. But back then, I didn't know about it and I was just motivated because of finding such a serious vulnerability.

Then, I moved on to Stripe and I found a $2,000 bug. The write-up of this is already published on my channel. Next, I went to what I love the most - the open-source target. I chose Discourse and in a few days, I found 3 bugs. One of them was a duplicate from about a year ago, another one is still being triaged, but one is already fixed and I got $1,024 for it.

Did I change anything significant in my methodology? No, I didn't. I still only wanted to understand the app using Burp, by reading the code and by thinking about what I can mess up here and there. Those bugs weren't the result of a single magical tool or a single magical trick. They were the result of me continuously learning, evolving, making mistakes and gaining experience. I describe things I learn in BBRE Premium. If you're interested in joining, on Black Friday there will be a promotion. One of the very few I make. To not miss that, join my mailing list.

But coming back to the methodology, I think this should be one of the most important takeaways from this video. Do not try to force yourself into doing something you don't like, into using other people's methodologies. Bug bounty is not a pentest - you don't have to do everything. Here, we have a lot of freedom and you can choose your hacking style. You can adjust your hacking style to what you like to do and do what you're good at.

Now, I'm telling you the bounties for all these bugs but, of course, at that time, they took weeks or months to be processed, so I didn't know the responses straight away. When I was waiting for those decisions, I decided to switch things up. I think the period after reporting a series of bugs is the best time to try out something new and learn new stuff. Not the time when you're not finding bugs and you feel like you should have changed your methodology yesterday, but the time after you have some payouts coming, when you know you did a good job. Then, you can dedicate some time to learning something new and even if it doesn't work, even if you don't monetize this period, nothing bad will happen.

I decided that I would dedicate time to submitting my first CodeQL query. It's something that I spoke about for a long time and I covered it in multiple articles in the BBRE newsletter. It's not like any other bug bounty program and it's quite complex, so I thought it would take me a long time before I could finally submit a new query. But within 16 hours, I found a CVE that wasn't detected by the CodeQL scanner, so I made an improvement to the code so that similar bugs are not missed in the future. My pull request was accepted, so my code is already running in CodeQL. However, I am still waiting for CVE numbers, which I need to be eligible for a bounty. But most importantly, I'm really happy to check this off my list.

I know I'm speaking about a lot of bugs that are not disclosed here, so let me know in the comment section down below which bugs I should cover first. Which ones are you most interested in?

After CodeQL, I came back to more regular hunting and I chose Google, another company that I had wanted to hack for a long time. I got really lucky because in two hours I found a bug, for which Google later paid me $3,133.7. Later, I found another one in the same asset, a very similar bug but more impactful. It's still being triaged and I don't know how it will go but, to be honest, I expect it to be my highest bounty.

The sum of bounties for this period is $19,501.7, with potentially pending payouts from Todoist, CodeQL and Google. The time I logged for those bugs is 441 hours. To be honest, I think I could make more by being employed or by focusing on freelance pentests, which I may actually do in Q4 when everyone is busy. But that's not how I look at it. I know that one year ago, the odds weren't on my side, and now I see that I am improving and I am finding bugs whenever I put the time in. I am better than I was one year ago and this is the benchmark for me, not my Twitter feed. I know that when people make earning bounties look easy, they probably just spent a lot of time working hard before.

I'm just happy I can continue living my life this way - being my own boss and creating my own rules. I won't buy a home but have to rent one, and I won't buy a sports car, but if these are my biggest life problems at 24, then I'll take it. Next year I'm going to try the digital nomad lifestyle, so maybe I won't need these things anyway.

So whatever you want to achieve in life, be disciplined. Putting in the time consistently is the most important thing. Don't be afraid to fail, don't compare yourself to others, don't be afraid to make mistakes, and these things will give you the courage to make the risky decision and then make it work.