BugBounty?OnlyBug!NoBounty!
From CTF to bug bounty, what’s different, what stays the same?
Here’s my experience so far.
At first, I was just trying to move from the “CTF intended environment” into the real world.
So I started with GitHub PRs.
Luckily, I found 2 security issues in a 2.9k-star project and submitted 2 PRs.
The maintainer patiently reviewed my code, we went back and forth a few times, and eventually both got merged!

I got the cute Pull Shark badge.
Well… I am a furry after all. 🦈

Honestly, it was such a great open-source collaboration experience.
But then came the real question:
How do I actually make money from this? 😭
So I jumped into Hacker0x01 programs and Google OSS VRP.
(At the time I ignored domestic SRC platforms because I thought the payouts were too low. Looking back… yeah, that was probably stupid.)
I mainly focused on open-source projects because LLMs can genuinely give a huge advantage there.
Unfortunately, 6 reports on Hacker0x01:
2 informative
4 duplicate

And 2 reports for Google OSS VRP:
1 duplicate
1 “intended behavior”

That part really hit me hard.
At that moment I could only say:
what the fuck! 😭
Still, even without rewards, I learned a lot.
Here are the 3 biggest lessons I’ve learned so far:
1. Understand the security boundary. Bugs usually live at the edges, not in the middle.
2. Check GitHub issues first. Duplicate reports are soul-crushing!
3. Make sure the bug actually has impact. Some vulnerabilities only work in super specific configs… or only survive in theory.
Anyway, bye.
Back to my own journey.