- Starting from scratch and aiming to make $100,000 in your first year of bug bounty hunting might seem daunting, but with a structured approach, it’s achievable.
- Here’s a detailed roadmap based on Justin Gardner’s (@Rhynorater) thread on Twitter/X to help you get there.
- https://x.com/Rhynorater/status/1699395452481769867
About Rhynorater:
- Full-time Bug Bounty Hunter
- Host of @ctbbpodcast
- Advisor @CaidoIO
- 2x HackerOne MVH (Most Valuable Hacker, awarded at live hacking events)
- https://rhynorater.github.io
- X @Rhynorater
Months 1-1.5: Learning the Basics
Before diving into bug hunting, it’s crucial to understand the foundational components of the web. Spend the first month or so getting a solid grasp on:
- HTTP: The protocol underlying the web.
- Browsers: How they work and the security boundaries they enforce (same-origin policy, cookies, CORS).
- Web Architecture: Including APIs, reverse proxies, cloud services, etc.
- Server-Side: APIs, MVC structure, routing, and handlers.
- Client-Side: JavaScript, HTML, CSS.
This foundational knowledge is essential as it forms the bedrock of your bug hunting skills.
Months 2-3: Diving into Specific Vulnerabilities
With the basics under your belt, start focusing on specific types of vulnerabilities:
- Privilege Escalation Bugs
- Client-Side Access Control Bugs
- Insecure Direct Object References (IDORs)
- Paywall Bypasses
Use resources like the PortSwigger Web Security Academy and HackerOne Hacktivity (publicly disclosed reports) to study these vulnerabilities. Allocate your time with a 20% hacking and 80% learning split during this phase.
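As an added example (not code from the original thread), here is what the first bug classes above look like in server code: a hypothetical invoice API written with and without the ownership check (the IDOR), and a paywall enforced only in the client versus on the server. The data, user ids, handler names and the `idorLeaks` probe are all constructed for this demo.

```javascript
// Added example, not code from the original thread. A hypothetical invoice API,
// first with the IDOR and client-side-only paywall, then fixed. All data below is
// constructed for the demo.

// Constructed sample data: two tenants, each owning one paid invoice.
const INVOICES = new Map([
  [1001, { id: 1001, ownerId: "alice", amount: 120.0 }],
  [1002, { id: 1002, ownerId: "bob", amount: 75.5 }],
]);

// Stand-in for the session a server derives from a cookie or bearer token.
// `plan` models a paywall: only "pro" accounts may download the PDF.
function sessionFor(userId, plan) {
  return { userId, plan };
}

// IDOR: the caller is authenticated, but nothing ties the requested object to
// the caller. Any logged-in user can walk ids and read other tenants' invoices.
function getInvoiceVulnerable(session, invoiceId) {
  if (!session) return { status: 401 };
  const inv = INVOICES.get(Number(invoiceId));
  if (!inv) return { status: 404 };
  return { status: 200, body: inv };
}

// Fixed: after the lookup, verify ownership on the server. Answering 404 rather
// than 403 for someone else's id also avoids confirming that the id exists.
function getInvoiceFixed(session, invoiceId) {
  if (!session) return { status: 401 };
  const inv = INVOICES.get(Number(invoiceId));
  if (!inv || inv.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: inv };
}

// Client-side access control bug / paywall bypass: the server hands back the
// download URL with a `locked` flag and trusts the UI to hide it from free users.
function downloadVulnerable(session, invoiceId) {
  const r = getInvoiceFixed(session, invoiceId);
  if (r.status !== 200) return r;
  return { status: 200, body: { locked: session.plan !== "pro", pdf: `/files/${invoiceId}.pdf` } };
}

// Fixed: the plan check happens on the server before the resource is released.
function downloadFixed(session, invoiceId) {
  const r = getInvoiceFixed(session, invoiceId);
  if (r.status !== 200) return r;
  if (session.plan !== "pro") return { status: 402 };
  return { status: 200, body: { pdf: `/files/${invoiceId}.pdf` } };
}

// The hunter's test: take an id you legitimately own, change it, and record
// every foreign object that comes back. Returns the ids that leaked.
function idorLeaks(handler, session, ids) {
  return ids.filter((id) => {
    const r = handler(session, id);
    return r.status === 200 && r.body.ownerId !== session.userId;
  });
}

// Stand-alone demo: bob on the free plan probes ids around his own (1002).
const bob = sessionFor("bob", "free");
console.log("vulnerable handler leaks:", idorLeaks(getInvoiceVulnerable, bob, [1000, 1001, 1002, 1003]));
console.log("fixed handler leaks:", idorLeaks(getInvoiceFixed, bob, [1000, 1001, 1002, 1003]));
console.log("paywall (vulnerable) body:", downloadVulnerable(bob, 1002).body);
console.log("paywall (fixed) status:", downloadFixed(bob, 1002).status);
```

The probe in `idorLeaks` is the whole methodology for this bug class: two accounts, one request, swap the identifier, compare responses. The same shape applies to privilege escalation (swap the role or tenant id instead of the object id).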
Months 3-4: Initial Bug Hunting and Advanced Learning
By now, you should start applying what you’ve learned:
- Aim to find 1-5 bugs per month; at roughly $750 per bug, the middle of that range (about 3 bugs) works out to around $2,250/month.
- Adjust your time allocation to 40% hacking and 60% learning.
- Begin focusing on learning about Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Server-Side Request Forgery (SSRF).
Months 4-6: Increasing Bug Hunting Efficiency
As you become more proficient:
- Expect to find around 7 bugs per month at about $750 each, or roughly $5,250 per month.
- This phase involves about 80 hours of work per month, so a little over 10 hours per bug.
- Complete all topics on PortSwigger Web Security Academy and continue reading HackerOne Hacktivity Reports.
- Shift your focus to 80% hacking and 20% learning, and spend the learning time on code review and specialty subjects like postMessage.
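The postMessage specialty mentioned above comes down to one thing: how the receiving page checks `event.origin`. As an added example (not code from the original thread), the block below models a message listener with two weak origin checks that real pages ship and the exact-allowlist check that closes the hole; the origins, messages and the `setToken` action are constructed for the demo.

```javascript
// Added example, not code from the original thread. Models the postMessage
// listener pattern: the origin check is where the bugs usually are. The origins,
// messages and the `setToken` action are constructed for the demo.

// Exact allowlist of origins permitted to drive this page.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://accounts.example.com",
]);

// Weak check commonly found in real listeners: substring match on the origin.
function originLooksTrustedSubstring(origin) {
  return origin.indexOf("example.com") !== -1;
}

// Also weak: an unanchored regex where "." matches any character and nothing
// pins the end of the string.
const WEAK_ORIGIN_RE = /https:\/\/.*example.com/;
function originLooksTrustedRegex(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Correct check. MessageEvent.origin is already normalised to scheme://host[:port]
// with no path, so whole-string equality against the allowlist is the right test.
function originIsTrusted(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// The listener body as it would run in the browser on `event.origin`/`event.data`,
// with the origin check passed in so both versions can be exercised.
function handleMessage(event, isTrusted, actions) {
  if (typeof event.origin !== "string" || !isTrusted(event.origin)) {
    return { accepted: false, reason: "origin" };
  }
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: "parse" }; }
  }
  const type = msg && msg.type;
  // hasOwnProperty rather than `actions[type]`: a message with type "constructor"
  // would otherwise reach Object.prototype.constructor and be treated as an action.
  if (typeof type !== "string" || !Object.prototype.hasOwnProperty.call(actions, type)) {
    return { accepted: false, reason: "type" };
  }
  return { accepted: true, result: actions[type](msg) };
}

// Hypothetical privileged action the page exposes to trusted frames.
const ACTIONS = {
  setToken: (m) => ({ tokenSet: m.token }),
};

// Attacker-controlled origins that satisfy the weak checks. The attacker only
// needs to control such a hostname and open this page in a frame or popup.
const BYPASS_ORIGINS = [
  "https://example.com.attacker.net", // substring and regex match
  "https://attacker-example.com",     // substring and regex match
  "https://exampleXcom.attacker.net", // regex only: "." matched the "X"
];

// Returns the attacker origins that get a message accepted under `check`.
function bypasses(check) {
  const evil = { type: "setToken", token: "attacker-chosen" };
  return BYPASS_ORIGINS.filter((o) => handleMessage({ origin: o, data: evil }, check, ACTIONS).accepted);
}

console.log("substring check bypassed by:", bypasses(originLooksTrustedSubstring));
console.log("regex check bypassed by:", bypasses(originLooksTrustedRegex));
console.log("allowlist check bypassed by:", bypasses(originIsTrusted));
```

When reviewing a real listener, grep for `addEventListener("message"` and read the first few lines of the handler: `indexOf`, `endsWith`, `includes` or an unanchored regex on `event.origin` is the finding. Remember that sandboxed frames and opaque origins report the string "null", which an exact allowlist rejects but a missing check does not.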
Months 6-7: Maximizing Your Earnings
With more experience:
- You should now find at least 12 bugs per month, each paying between $750 and $1,000, which works out to roughly $9,000-$12,000 per month.
- Entering this phase you would have already earned about $15,500 for the year, and two months at this rate add roughly another $18,000.
Months 8-12: Full-Time Bug Hunting
To round off the year:
- Dedicate 100% of your time to hacking, aiming to find 15-20 bugs per month at an average of $1,000 each.
- At the midpoint of that range this is about $17,500 per month. The roadmap totals it at $70,000 for this phase, which is four months at that rate; five full months would be closer to $87,500.
- Adding the roughly $33,000 from months 1-7 brings the year to around $103,000, though a more conservative estimate is closer to $90,000: reports closed as duplicates pay nothing, and bounty amounts vary by program and severity.