Greetings fellow bounty hunters! If you are looking for tips, tricks, insights, or otherwise helpful information related to the wonderful world of bounty-hunting with Bugcrowd, I am almost, nearly practically certain that you have come to the right place!

My name is “ZwinK”, and I started bounty hunting 6 months ago with Bugcrowd. Hacking only part-time, I’ve made over $100,000 since January, and so can you! Here’s my eighth tip to help you, fellow hacker, get an idea of how I found success doing this hacking thing.

Tip #8:  A P4 a Day…

Don’t get your head stuck in an P1-g0dl1k3 bubble. Using basic arithmetic, establish in your mind that a P4[$200] * 365 days = $73,000. This is more than the annual median household income in the USA. If you are too good to log P4s and only want to go after P1s or P2s for the esteem or fame of it, you are shooting yourself in the foot financially. A high volume of valid, non-dupe P3s and P4s can net you a small fortune a year without ever logging a single P1 or P2. 

All of that to say, find and report absolutely anything you can. I have reported about 300 bugs since I started logging bugs in November 2020. Only half of those were accepted and paid out, noting the rest were not-applicable or duplicates. Why do I mention this?  You won’t get paid for it if you don’t log it. I have logged bugs that I thought were probably P5 (informational) that turned out to be P2s in terms of impact to the client, and I’ve logged others I thought were P1s that were “not-applicable” for a large variety of reasons. Just make sure the bug you are logging is reproducible, in scope, follows the rules, and you should be good to go. 

Check out my previous blogs in this series!

Tip #1: Bugcrowd as an MMORPG (Real-Life Video Game)

Tip #2: Complete the Portswigger Web Security Academy and learn the VRT

Tip #3:  Get ONE valid submission

Tip #4 & #5:  Test manually, avoid duplicateville & VPN Service

Tip #6:  Deep Dive over High Volume

Tip #7: Program selection

About the Author

I first signed into the Bugcrowd platform in late October 2020 to see what it was all about, and I was pretty sure this was a video game disguised as work. In some ways, I was not all that far off. It’s all a little shocking, really – “What, I can just try to hack… uh… some company for money, and gain rank”? Indeed, this represents a departure from years ago when the only reward hackers may receive was a reduced prison sentence. Wow! How the world is changing!