Like anyone starting with something new, I made some mistakes when I just started bug bounty hunting.
Here are some of my mistakes so that you might avoid them:
1 - I Had No Confidence
At first, I only went for the new & small bounty programs.
I thought programmes offering $100k plus would attract way too many intelligent people. They'd seen too many eyeballs. There was no chance that I'd be able to find something in there.
I was wrong!
I started with these smaller projects but didn't see diminishing returns as I moved on to bigger ones. If anything, things got better. The code didn't have much fewer vulnerabilities, but the rewards were getting better and better.
Your unique perspective helps you find bugs others missed, even in projects sporting high bounties.
2 - I Got Lowballed
Some (not many) teams argue a lot about severities, impact, etc., and don't feel like paying out promised bounty awards.
So I quickly developed this useful habit: I always immediately report the first thing I find and stop actively working on the protocol. I then get to experience how the team handles the report. A lot of teams are great, and some aren't.
Do they behave dishonestly? Their loss. Move on—no need to give them more free security work.
3 - I Wrote No Proof of Concept
I didn't write a proof of concept for my first bug reports.
I thought writing them was boring. I'd already found the good stuff; this was just extra work. However, I encountered two problems:
- I made a mistake - I'd looked at the documentation and assumed it was right. Unfortunately for me, it wasn't, and a bug I thought I found wasn't exploitable.
- A developer didn't believe the report - I submitted a report, but the developers were adamant that their code wasn't vulnerable. My exploit scenario was impossible. I was right 💪, but it took a PoC to convince them.
Writing a PoC is worth every minute you spend on it.