
One Year of Bug Bounty Hunting


It’s been a year since I started bug bounty hunting as a hobby, and overall, I’m happy to have it as my passion. Not only is it a blast to discover new vulnerabilities, but I’ve also learned a ton from it.

Let’s start with some stats to sum up the first year of my bug bounty journey:

  • Reports accepted: 150
  • Bounties rewarded: 20k euros
  • Total time spent: around 300 hours, give or take

Next, I’d like to share some thoughts from my first-year experience. I’m not here to promote any tools or methodologies. I just want to talk about what I felt, observed, and the decisions I made during that time. If you choose to follow any of it, take it with a grain of salt, since my experiences and choices might not fit your situation.

Choosing a hunting style

You might already know this, but there are two main approaches to bug bounty hunting: automated and manual. It’s a lot like software testing:

  • Manual hunting takes time and effort. You have to dig deep into your target. No work, no reward, plain and simple. It may deliver consistent results, but how much you get out of it depends on how much you put in.
  • On the other hand, automated hunting sounds more appealing. It does require some upfront time investment and regular maintenance to get it running smoothly, though. Sure, the tools and scanners are impressive, but there are only a handful of top-tier automation tools out there. And every other hacker can use them too. Relying on the same tools as everyone else won’t set you apart. In the bug bounty world, if you’re not the first to report a vulnerability, you’re just the last in line, stuck with a Duplicate and no bounty payout.

At first, I spent a few weeks setting up automation tools, scanning subdomains, fuzzing for files and directories, and so on. I had a rough idea of what to look for, but I didn’t really uncover anything worthwhile. Some findings were low-impact issues on out-of-scope assets, while others had already been reported and were marked as duplicates.

I wasn’t really motivated or interested in improving my automation setup, so I dove into manual hunting instead. As a seasoned software tester, exploratory testing is my strong suit. I can usually spot obscure broken access control (BAC) and business logic vulnerabilities pretty quickly. It’s great to have a solid number of vulnerabilities to report, but the downside is that BAC/IDOR vulnerabilities don’t typically earn big bounties. They’re usually rated Medium severity, sometimes High, and only rarely Critical.

Looking back now, I think I made the right call switching up my hunting style. Sure, sticking with automation might’ve landed me a couple of critical ones, but there’s a huge chance they’d all have been duplicates. Something small is better than nothing. Besides, I don’t worry too much about the bounty. The dopamine hit I get from finding vulnerabilities is a bigger reward.

For this year, I’ll keep going with manual hunting since it’s working well for me. I also plan to spend some time on recon automation to uncover more assets to hunt.

Choosing a platform

When it comes to bug bounty, HackerOne is hands-down the most popular platform. But with a bigger platform comes more hackers, and more hackers means tougher competition and more duplicate submissions. The same applies to Bugcrowd. Both platforms work great for seasoned pros, but they might not be the best fit for a beginner like me.

On the other hand, most programs on Intigriti are run by European companies, and my family and I use many of their products every day. Joining their bug bounty programs gives me a chance to test their products’ security and help uncover vulnerabilities, which ultimately benefits users like me and my family.

That’s why I chose Intigriti as the platform to kick off my bug bounty journey.

After a year of submitting reports on Intigriti, my overall experience has been pretty good. My biggest complaint is the communication with their triagers. Once triagers close a report, they never respond to my follow-up messages, even in the cases where they’ve made mistakes or misunderstood something while reviewing it. On the flip side, their support team is responsive. They reply quickly and actually address my issues and requests.

Choosing a program

Depending on your hunting style, if you lean toward automation, you might prefer a program with more wildcard assets. If you’re like me and enjoy a hands-on approach, you might opt for a program with complex features, offering different roles and permissions.

No matter which style you choose, I evaluate two criteria to decide which program to hack:

  1. Program statistics and maturity: How long has this program been around? How frequently are the program policies updated? How well are the program and its products documented? What’s the average response time and bounty payout?
  2. Hunting style compatibility: Do they have the assets or the products that match my hunting style?

Some important things I’ve picked up along the way:

  1. Choosing the right program is key. The only thing worse than not finding any bugs is having my report go unreviewed or unrewarded.
  2. Figuring out when I’ll get a bounty is like dealing with Schrödinger’s cat. I won’t know when I’ll get the bounty until the moment I get it. Be ready for it to take anywhere from a week to a year, though hopefully not longer.
  3. Having fun is what matters most in a hobby. I love it when I can dive into hacking and try out new techniques. As for the outcome, I shouldn’t really stress about it too much.

This year, as long as I have time to mess around with hacking, I’ll keep bug bounty as a hobby. Let’s see how far I can take it down this path.