
Bug Bounty Expert Shares 2024 Journey and Successes
In this video, the content creator shares his journey in the bug bounty field, highlighting the challenges faced and the successes achieved, particularly in 2024. He begins with a brief recap of his story: he left his job as a pentester three years ago to focus on bug bounty and content creation. The first two years were not easy, but in 2024 he changed his approach and achieved significant results.

One of the main transformations in 2024 was specializing in a specific area of hacking: authentication. By focusing on this specialty, he was able to audit hundreds of authentication flows and implement them himself multiple times. This expertise allowed him to discover 14 account takeover vulnerabilities, totaling more than $55,000. He emphasizes that these discoveries are not the result of copying existing methodologies but of his own deep understanding of the subject.

In terms of quantity, privilege escalation vulnerabilities were the second most frequent category, with 13 reports. However, he specifies that these findings do not represent a significant part of his methodology, as he does not find them particularly interesting. He plans to delegate this task to hack bots in 2025 to automate the search for these vulnerabilities.

Client-side RCEs were the second most lucrative category of bugs, with three reports totaling more than $17,000. Although he enjoys finding these vulnerabilities, he acknowledges that they are very specific and will not be a major priority in his future methodology. He also mentions finding many infrastructure-related bugs, such as SSRF, traversals, and request smuggling. He plans to focus more on these types of vulnerabilities in 2025, as he finds them interesting and impactful.

In 2024, he also had the opportunity to take part in in-person hacking events, notably becoming a HackerOne ambassador for Poland and participating in live hacking events in Las Vegas and Edinburgh. These experiences allowed him to meet other renowned hackers and share his discoveries on stage, which was one of the highlights of his year.

He concludes by sharing an important lesson: finding bugs is easy, but finding the right scope is difficult. He stresses the importance of persistence and of exploring many programs and endpoints to succeed in bug bounty. Finally, he reveals his earnings for 2024, totaling $96,347.67, and expresses satisfaction with these results, even though he dedicated an average of only three days per week to hacking. He hopes to cross the $100,000 mark with the mediations still in progress.

For more details, watch the full video: https://www.youtube.com/watch?v=K5m-tF8y27M