Before jumping into bug bounties and security testing, I want to rewind a bit and talk about where this journey actually began.
I had just come off a frustrating period of trying to land a better job. It didn’t work out immediately. So I pivoted.
I decided to try out web development and started with HTML and CSS, but I never made it to JavaScript.
This video helped me get started:
https://youtu.be/HGTJBPNC-Gw?si=hzwug6HZvEsBx-ag
I discovered Bug Bounty from The Network Chuck on Youtube, he was talking to a bug bounty hunter, and I thought this is my oppurtunity no certifications, no interview, only skill required.
I wasn’t new to Linux. I had already built my own Ubuntu server and even set up a Pi-hole DNS server. That gave me some comfort in the terminal. So I was convinced I could be a bug bounty hunter.
After some research, I discovered platforms that host bug bounty programs names like: HackerOne, Bugcrowd, Intigriti kept coming up. For some reason, I chose HackerOne. Maybe I liked the name. Maybe I just didn’t want to overthink it. I signed up and started browsing.
That’s when reality hit.
The Knowledge Gap
I tried some CTF challenges on Hacker101 and quickly realised something — I had a huge knowledge gap.
I didn’t really understand how to intercept traffic properly. I knew I needed to use Burp Suite to capture and forward requests, but knowing that and actually doing it are two different things.
Eventually I found PortSwigger and joined their Web Security Academy. I started with SQL injection. And here’s something important I realised: You can stay on learning platforms forever.
You’ll feel productive. You’ll complete labs. You’ll get dopamine hits. But you won’t grow the same way you grow when you pick a real target and apply what you learned.
Fast forward to 3 years later and 4 reports submitted and zero payouts. Now to be fair — I haven’t been consistent. I’ve pivoted between certifications, homelab builds, and focusing on growing my IT career. I’ve started, stopped, restarted and repeated the cycle.
What’s Next?
I’m still early in this journey. I’m still figuring things out. But the goal now is simple:
- Learn one vulnerability.
- Apply it.
- Submit.
- Improve.
- Repeat.
This blog isn’t about teaching. It’s about documenting the process. The wins. The confusion. The trial and error.
Because if you’re starting out like I am — you should know that feeling lost at the beginning is completely normal.