  • Starting from scratch and aiming to make $100,000 in your first year of bug bounty hunting might seem daunting, but with a structured approach it is achievable.
  • Here is a detailed roadmap based on Justin Gardner's Twitter/X thread to help you get there:
  • https://x.com/Rhynorater/status/1699395452481769867

About Rhynorater:

Month 1-1.5: Learning the Basics

Before diving into bug hunting, it’s crucial to understand the foundational components of the web. Spend the first month or so getting a solid grasp on:

  • HTTP: The request/response protocol underlying the web (methods, headers, status codes, cookies).
  • Browsers: How they work and the security constraints they enforce.
  • Web Architecture: APIs, reverse proxies, cloud services, and how they fit together.
  • Server-Side: APIs, MVC structure, routing, and request handlers.
  • Client-Side: JavaScript, HTML, and CSS.

This foundational knowledge is essential as it forms the bedrock of your bug hunting skills.

Months 2-3: Diving into Specific Vulnerabilities

With the basics under your belt, start focusing on specific types of vulnerabilities:

  • Privilege Escalation Bugs
  • Client-Side Access Control Bugs
  • Insecure Direct Object References (IDORs)
  • Paywall Bypasses

Use resources like the PortSwigger Web Security Academy and HackerOne Hacktivity reports to study these vulnerabilities. During this phase, split your time roughly 20% hacking and 80% learning.
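The first three bug classes above (privilege escalation, client-side access control, IDOR) are all failures to enforce authorization on the server. The following added example is not from Justin Gardner's thread; it is a constructed, in-memory stand-in for a small API (the user ids, roles, and invoice data are made up) that shows each bug next to the server-side check that fixes it.

```javascript
// Added example (not from the original thread): a minimal in-memory API that
// shows an IDOR, a client-side access-control bug, and their server-side fixes.
// All data below (users, roles, invoices) is constructed for illustration.

const invoices = new Map([
  [101, { id: 101, ownerId: 1, amount: 120.0 }],
  [102, { id: 102, ownerId: 2, amount: 999.5 }],
]);

const users = new Map([
  [1, { id: 1, role: "customer" }],
  [2, { id: 2, role: "customer" }],
  [3, { id: 3, role: "admin" }],
]);

// IDOR (vulnerable): the handler fetches whatever invoice id appears in the
// URL and never asks whether the logged-in user may see it. Any customer can
// walk /invoices/101, /invoices/102, ... and read everyone else's data.
function getInvoiceVulnerable(session, invoiceId) {
  const invoice = invoices.get(invoiceId);
  if (!invoice) return { status: 404 };
  return { status: 200, body: invoice };
}

// IDOR (fixed): authorization is derived from the server-side session, not
// from anything the client supplies. Only the owner or an admin may read.
function getInvoiceFixed(session, invoiceId) {
  const user = users.get(session.userId);
  if (!user) return { status: 401 };
  const invoice = invoices.get(invoiceId);
  if (!invoice) return { status: 404 };
  const allowed = invoice.ownerId === user.id || user.role === "admin";
  if (!allowed) return { status: 403 };
  return { status: 200, body: invoice };
}

// Client-side access control / privilege escalation (vulnerable): the UI hides
// the "make admin" button from customers, but the server trusts an isAdmin
// flag in the request body. Flipping that flag in an intercepting proxy
// promotes the caller to admin.
function setRoleVulnerable(session, body) {
  const user = users.get(session.userId);
  if (user && body.isAdmin) {
    user.role = "admin";
    return { status: 200 };
  }
  return { status: 403 };
}

// Fixed: only an existing admin may change roles, and the target and new role
// are validated parameters, never a trust flag the client asserts about itself.
function setRoleFixed(session, body) {
  const actor = users.get(session.userId);
  if (!actor) return { status: 401 };
  if (actor.role !== "admin") return { status: 403 };
  const target = users.get(body.targetId);
  if (!target || !["customer", "admin"].includes(body.role)) return { status: 400 };
  target.role = body.role;
  return { status: 200 };
}

// Quick demonstration: customer 1 reads customer 2's invoice through the
// vulnerable route but is refused by the fixed one.
if (typeof require !== "undefined" && require.main === module) {
  console.log(getInvoiceVulnerable({ userId: 1 }, 102).status); // 200: IDOR
  console.log(getInvoiceFixed({ userId: 1 }, 102).status);      // 403: fixed
}
```

When hunting for these, the habit to build is the same one the fixed handlers encode: for every object id, role flag, or price the client sends, ask what the server does if you change it.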

Months 3-4: Initial Bug Hunting and Advanced Learning

By now, you should start applying what you’ve learned:

  • Aim to find 1-5 bugs per month. At roughly $750 per bug, a middle estimate of three bugs a month comes to about $2,250/month.
  • Adjust your time allocation to 40% hacking and 60% learning.
  • Begin studying Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Server-Side Request Forgery (SSRF).

Months 4-6: Increasing Bug Hunting Efficiency

As you become more proficient:

  • Expect to find around 7 bugs per month at about $750 each, for monthly earnings of roughly $5,250.
  • This phase involves about 80 hours of work per month, which works out to roughly one bug per 10-12 hours of hacking.
  • Complete all topics on the PortSwigger Web Security Academy and continue reading HackerOne Hacktivity reports.
  • Shift your focus to 80% hacking and 20% learning, concentrating on code review and specialty subjects such as postMessage handling.

Months 6-7: Maximizing Your Earnings

With more experience:

  • You should now find at least 12 bugs per month at $750 to $1,000 each, which puts monthly earnings in the $9,000 to $12,000 range.
  • By this point you would have earned about $15,500 for the year.

Months 8-12: Full-Time Bug Hunting

To round off the year:

  • Dedicate 100% of your time to hacking, aiming for 15-20 bugs per month at an average of $1,000 each.
  • That is roughly $17,500 per month, or about $87,500 over these five months.
  • Adding the previous earnings brings the total to around $103,000. A more conservative estimate, allowing for duplicate reports and bounty fluctuations, is closer to $90,000.