Competition and is it worth even starting


#1

Hi guys (and gals)… I’ve been in security for 20 years now and have been doing penetration testing for a few years. I never got into bug hunting but I’m now interested. My question is if it’s really even worth getting into it. There seems to be so much competition that I would think finding a bug would be a long shot… I was looking at some less popular companies here and on hackerone and like each one had 100-200+ people in the program. How can someone late to the party even get close to competing with that many people?

That kinda demotivates me right there… LOL.

Thoughts?


#2

Hi feralninja,

Let me start by saying, I have no technical background whatsoever (I am an Oral Pathologist!) and have never been so motivated to start with bug bounty hunting. It’s just been 3 months, and I am learning and in fact participating in programs at the same time. It is extremely frustrating when I keep poking things around for hours together to find nothing. Competition is in every field, and I think we should give ourselves sufficient time to learn and practice without giving up. With time and sufficient expertise, given you have put in some solid hours of work and practice, competition would not be on your mind. Also, given the fact that you have been in the security field for so many years, please don’t be demotivated. Of course, this is my opinion and hopefully it would withstand the test of time and I would abide by this opinion I have given you today. Cheers and all the very best! Start hacking!


#3

Hi,

I am in a similar position as you are - a few years in application security including pentesting.
I have decided to try bug hunting. I started off by being very enthusiastic, but quickly became demotivated. If you are ok with spending a lot of time and effort to do research, find a bug, compile a report just to be told that that bug has already been found by someone else but not yet fixed (which you kinda have to take their word for) - then sure, go for it. For me the experience has been pretty frustrating. This might be good value for the companies to have a crowd hacking their sites - however I find it very unfair and disrespectful to researchers’ time to have to chase something - which has already been found - and you don’t know that!

Yes, there is an OPTIONAL program that bugcrowd has which companies may choose to adopt, where they have the option to disclose some of the bugs that were fixed. I think it is a good step forward, however it’s optional and so not many choose to adopt it. And even if adopted, companies would not disclose bugs unless they’ve been fixed - and in many cases that can drag on based on their business priorities - so you are still in the dark.

So, if you have a lot of time on your hands which you don’t mind wasting, go ahead. I suppose this can be beneficial to learn and practice ethical hacking. But since you are already a seasoned professional - I don’t know if that would be of any value to you. If you still decide to try - my advice is to forget about the low hanging fruit and concentrate on more difficult to find bugs and keep your fingers crossed you are the first one :)

For me - I decided that I just cannot be motivated to look for bugs when I don’t know if they were already found or not.

Good luck!


#4

Hi @feralninja,

It depends on your expectations and your goals. If you want to make money, but you already have a salary above USD 100k per year, maybe bug bounties are a waste of time.

About the competition: ignore it.

The previous two responses are on point, I think.

Best.


#5

It seems worth it to me. I’m new to bug bounties too and all you can do is keep trying.