My First Bug Bounty Reward
2020-11-03 07:11:02 Author: medium.com

The happiest moment for any hunter. What I did, a few strategies and resources to start with

c0d3x27


Note

Before starting with my story I want to clarify a couple of things:

  • I barely know how to code
  • No computer/cyber security background
  • I’m not a native English speaker, it’s a second language for me (I speak 3 languages)
  • I suck at math

It was the beginning of 2018. I remember being broke, no money at all, and I needed it fast. I started searching for a new source of income; I knew online was my only option. I just didn’t know where to start. While on Facebook I saw a post about the top 10 hunters of 2018. I opened the list and saw a crazy amount of money being paid to these people for doing ‘something’ online.

Even though I didn’t know what that was, I started searching online for “how to be a Bug Hunter”. I discovered a new world, a ton of information that needed to be processed. Also, I will be very honest, I wasted a lot of time watching YouTube videos of people that do this only to get views off guys like me and you but in the end never teach you the real stuff. You will need to be very smart and understand the difference between a good teacher and one that acts like one.

Best places to learn hands-on

  • https://portswigger.net
  • Twitter (use hashtags to search)
  • Facebook hacking groups (Not pages)
  • YouTube (even though in my case it wasn’t much help)

I made the same mistake we all make when we are learning something. We want to learn everything and fast. This is a big mistake. Take baby steps. Try to become familiar with only one/three vulnerabilities at a time. Don’t rush your learning; doing so will just hurt your performance and opportunities to catch a good report. It did happen to me, many times. Once I started learning how XSS, Redirect, Subdomain, CSRF, and other vulnerabilities really work, two beautiful things happened. First of all, it didn’t take me 8 to 4 hours to find a vulnerability, and I understood how to go about finding a good exploit to report.

Some of the myths you will hear as soon as you enter this crazy world:

  • You will become rich
  • It’s never too late to start
  • You don’t need to know how to code
  • Just ask others for help.

Let me break it down for you. The only way you will become rich off this is if you are good at it, and most of your findings are p1/p2 reports. Even though I started in 2018, most of the time I think it was just too late. Why? Because if you have been here long enough, you will notice how most of the reports that once were paid nowadays don’t even get you points and are closed as N/A, not to even mention duplicates. It is not too late only when you know what you are doing, when you have a background in this field. The first year will be like a blind person getting used to his new condition. Meaning, it will be only getting the basics.

Barely knowing how to code, before diving into Bug Bounty I used to write basic projects in Python. And even with this hobby of mine, most of the time I look at certain code and don’t even know what I’m looking at, especially when it comes to JavaScript. Try getting your head wrapped around JavaScript, PHP, CSS, HTML, and everything back-end related. This will take you a step ahead of the game.

I joined every forum, Facebook, Discord, Telegram room/group online. Every time I found something of interest, I tried to ask for help in all these places only to realize that no one wants to help you. In fact, they will just mock you for asking “stupid” questions, and if they feel you have a good report at hand it is even worse, just a waste of time waiting for someone else to help you out. The only person that will help you is Google. Use it wisely; there you will find most if not all the answers to your questions.

Let’s get to the point. First of all, let me be honest. It was not just one but 3, all in the same week within three days, for a total of 2k dollars. This came after almost 2 years!
Being a hunter is not easy: too many sleepless nights, and many days where you will think this is just a waste of time, that you need to move on and try something easier and better. But with determination, anything can be done. Just try as hard as you can and you will finally get it. Many will even get their first vulnerability within 1 month or even weeks, but not every situation is the same. This is why you have to be very strong and not let anything stop you from being the person you want to be.

  • Subdomain Take Over
  • Stored Cross-site scripting
  • DOM Cross-site scripting

Source: https://medium.com/bugbountywriteup/my-first-bug-bounty-reward-8fd133788407?source=rss----7b722bfd1b8d--bug_bounty