Greetings fellow bounty hunters! If you are looking for tips, tricks, insights, or otherwise helpful information related to the wonderful world of bounty-hunting with Bugcrowd, I am almost, nearly practically certain that you have come to the right place!

My name is “ZwinK”, and I started bounty hunting 6 months ago with Bugcrowd. Hacking only part-time, I’ve made over $100,000 since January, and so can you! Here’s my second tip to help you, fellow hacker, get an idea of how I found success doing this hacking thing.

Tip #3: Get ONE valid submission

When you are first starting, stay away from the carrots. You may be thinking: “ZwinK, I like carrots, and they are high in vitamin Orange”. The carrot I’m speaking of isn’t edible (unless you eat money); rather, it is the massive $20,000 to $100,000 payout dangling in your face with behemoth public programs. Listen, mates, you are just starting! We don’t chuck toddlers in a swimming pool and ask them to do “the Michael Phelps”, do we? No! We are happy if they keep their little toddler heads above the water and look cute. When starting, we are little hacker babies and we need to nurture our skills and learn to swim in this new, intimidating environment. Get a P4 and smile about it - you are amazing!

When you start out, you have 0 ‘points’, meaning you are only eligible to hack a very small percentage of the plethora of private or joinable programs. The first thing you need to do is get your first valid submission. When you get your first, it’s a massive achievement! You have left about 170,000+ researchers in the dust. Understand, fellow hack-masters, earning your first valid submission may take weeks – mine did. When I got my first valid, my rank jumped from 188,000 to something around 16,000.

Go after EASY targets initially! Building momentum can be difficult, but the momentum is logarithmic and will snowball (refresher: logarithmic is that X/Y graph from 6th grade that looks like a fighter jet took off straight up but that you couldn’t figure out how to put into your calculator). So what is an easy target? Well, that may be subjective, but I used the Bugcrowd platform to sort available programs from newest to oldest first, then I started drilling into them. WHY? Because newer programs have been hacked the least! I have operated under the assumption that non-paid programs are also hacked less (because most people, despite what they say, do this to get paid). So I started with the newest, likely “least-popular” programs to get a few valid subs under my belt. This worked – finding bugs was way easier. Get your charitable deed done and get some valid subs under your belt, then make money. 

Check out my previous blogs in this series!

Tip #1: Bugcrowd as an MMORPG (Real-Life Video Game)

Tip #2: Complete the Portswigger Web Security Academy and learn the VRT

About the Author

I first signed into the Bugcrowd platform in late October 2020 to see what it was all about, and I was pretty sure this was a video game disguised as work. In some ways, I was not all that far off. It’s all a little shocking, really – “What, I can just try to hack… uh… some company for money, and gain rank?” Indeed, this represents a departure from years ago when the only reward hackers might receive was a reduced prison sentence. Wow! How the world is changing!