Greetings fellow bounty hunters! If you are looking for tips, tricks, insights, or otherwise helpful information related to the wonderful world of bounty-hunting with Bugcrowd, I am almost, nearly practically certain that you have come to the right place!

My name is “ZwinK”, and I started bounty hunting 6 months ago with Bugcrowd. Hacking only part-time, I’ve made over $100,000 since January, and so can you! Here’s my second tip to help you, fellow hacker, get an idea of how I found success doing this hacking thing.

Tip #7: Program selection

You don’t have to work on a program just because you got invited to it. The program should match your interests, skill sets, and be something you are passionate about working on. I have logged the vast majority of my bugs on 3-4 programs since I started, solely because these programs interest me. Being interested leads to higher focus, which leads to more bugs. I tend to select programs that are largely web or API, pay pretty well, deal with customer information such as PII/PFI, and have a FAST triage time.

Despite having 20 pending private invitations in my inbox, the most recent program I picked to work on is public. I selected it because they pay extremely well, had a 1-day average triage time, have relatively few bugs reported, and the work they do interests me. For me, program selection starts with triage time, then bounty payouts, then what the company does, then the scope. My time is valuable to me, so I try to maximize ROI.

  • Triage Time: It is hard to get momentum on programs and deep dive when they have a 15 day, 30 day, or multiple-month response time. It’s like slaying a raid boss and then you get to roll on the loot drop 3 months later only to find out it was a duplicate. Long triage time also increases the likelihood of duplicates. Therefore, I only test programs that have a 5-day or less response time and I try to find programs closer to a 1-day if at all possible. This keeps the snowball growing, and keeps me interested and engaged. I don’t want to come back to a bug I logged 3 months earlier.
  • Bounty Payouts: When a program’s [P3] pays as much as another program’s [P1], noting P3s are pretty easy to find, why would you not try the higher paying program first? If you can’t find anything, then move on. This has proven to be a great idea in my latest program selection.
  • The Company: For me, I generally have to like what the company does and what it is they are trying to secure/protect. I like systems that protect high-value information because it increases the importance of cybersecurity and the likelihood most bugs will have a greater impact. Additionally, the work protects real-world people in a significant way.
  • Scope: If 90% of the bugs I like to find are out-of-scope for the program, I don’t touch it. For instance, if I see a program that marks XSS, CSRF, and rate-limiting out of scope; I move on. Programs that tie our hands behind our back are not interesting, and real-world attackers/APTs don’t have these limitations.

Check out my previous blogs in this series!

Tip #1: Bugcrowd as an MMORPG (Real-Life Video Game)

Tip #2: Complete the Portswigger Web Security Academy and learn the VRT

Tip #3:  Get ONE valid submission

Tip #4 & #5:  Test manually, avoid duplicateville & VPN Service

Tip #6:  Deep Dive over High Volume

About the Author

I first signed into the Bugcrowd platform in late October 2020 to see what it was all about, and I was pretty sure this was a video game disguised as work. In some ways, I was not all that far off. It’s all a little shocking, really – “What, I can just try to hack… uh… some company for money, and gain rank”? Indeed, this represents a departure from years ago when the only reward hackers may receive was a reduced prison sentence. Wow! How the world is changing!