Greetings fellow bounty hunters! If you are looking for tips, tricks, insights, or otherwise helpful information related to the wonderful world of bounty-hunting with Bugcrowd, I am almost, nearly practically certain that you have come to the right place!

My name is “ZwinK”, and I started bounty hunting 6 months ago with Bugcrowd. Hacking only part-time, I’ve made over $100,000 since January, and so can you! Here’s my second tip to help you, fellow hacker, get an idea of how I found success doing this hacking thing.

Tip #6:  Deep Dive over High Volume

For me, success has come from deep-diving into a select few programs. Going deep on programs is beneficial because your mind can focus on one program and all its various elements.  Challenge yourself to stay on a program longer than you normally would because it makes you “try smarter”. Look for different injection points and methods, and try new things when you, ordinarily, would have stopped before. Working on a program for a long time also puts it into your long-term memory. You might even hack in your sleep, in the shower, or while other people are talking to you! This will allow you to mentally go back to the program when you learn a new skill or trick later. True story: I have found vulnerabilities (in my mind) while nowhere near a computer before because of this long-term memory thing. #getHackedFromTheShower

As an example, XXE was new to me – something I started messing with while working on deep-dive program #3.  This is because I cut my Portswigger academy training short (again, don’t do that). I recalled from deep diving on program #1 that they had several different endpoints which accepted XML, but I never tried XXE there. I was able to go back to program #1 and achieve XXE to read the ‘etc/passwd’ contents and get a P1. I strongly believe in deep diving to increase skills and retention, and it will ultimately be a better (mutually beneficial) relationship between you and the program.  I have been averaging about 40 reports on my program deep dives which is of tremendous value to the program, and me.  

If you stay with a specific program long enough, you may find you start receiving messages to apply for a full-time position/job with them – which happened to me recently, pretty cool! You may find your dream job, and it’s a heck of a good start to the interview process when you have come behind countless pen test organizations and bounty hunters and found many things they did not. 

Check out my previous blogs in this series!

Tip #1: Bugcrowd as an MMORPG (Real-Life Video Game)

Tip #2: Complete the Portswigger Web Security Academy and learn the VRT

Tip #3:  Get ONE valid submission

Tip #4 & #5:  Test manually, avoid duplicateville & VPN Service

About the Author

I first signed into the Bugcrowd platform in late October 2020 to see what it was all about, and I was pretty sure this was a video game disguised as work. In some ways, I was not all that far off. It’s all a little shocking, really – “What, I can just try to hack… uh… some company for money, and gain rank”? Indeed, this represents a departure from years ago when the only reward hackers may receive was a reduced prison sentence. Wow! How the world is changing!