How to Avoid Procrastinating in Bug Bounty

By

Limiting Beliefs


When thinking of doing bug bounty. Do you feel overwhelmed, heavy, stressful? If yes, then you are likely to procrastinate when doing bug bounty. Why is that? Because you are holding some limiting beliefs about bug bounty that makes you feel doing bug bounty is hard work and stressful. These limiting beliefs may be:

- Bug bounty is very hard, only top hunters success.
- Bug bounty is very hard, now is 2025, most of bugs are found already.
- Bug bounty is very hard, mass automation and AI will find most of the bugs soon.
- Bug bounty is very hard, these websites are built by top programmers, their code are very solid, I will have no chance to find bug here.
- Bug bounty is very hard, there are people spend 100+ hours in it and found nothing.
- Bug bounty is very hard, developers are using programming frameworks, they code properly now, no chance for bug.

If you hold any of the above beliefs, then you will have the tendency to wait for "perfect moment" before doing bug bounty. For examples:

- I need to watch many videos, read many articles about IDOR, before I can start hunting for IDORs.
- I need to do all easy and medium labs on PortSwigger before I can start.
- I need to do some CTFs to gain skills, before I can start.
- I need to learn web development skills, so that I understand how the target websites work, before I can start.
- I need to master Linux terminal, before I can start.
- I need to read this book about bug bounty, before I can start.
- I need to spend a month to learn Python (or Go), before I can start.

Even if you actually do all of this, there will be a good chance you will have the following thought "I have spent a lot of time learning, If I do actual bug hunting and fail, It proves that I am a loser and worthless(it's subconscious, you may not even know you have it).

The root cause of all these limiting beliefs is: you think bug bounty as something special. You think you have to do it perfectly in order to find some bugs. You think bug bounty is a way to gauge your worth, and if you fail, you are worthless.

What bug bounty really is

bug bounty is just a normal activity like others, such as cooking, gardening, exercising.

- When you cook, plant a tree, exercise, do you have to do it perfectly?. No, just do it the best you can.
- Do you need to watch a 30 hours course in cooking before you cook an egg?
- Do you need to take a botanical course before you can plant a tree?
- Do you need to read a book on human body before you can exercise?

You should have the same attitude toward bug bounty.

You may wonder "but If I treat bug bounty like cooking, gardening, exercising, I won't find any bug".

Again, bug bounty is nothing special, If you spend enough time in doing it, you will be good at it, just like with cooking, gardening, exercising.

Trust the plan

In bug hunting, you have a list of things you plan to do, then do it one by one. Such as:
- Scouting the target website.
- Checking its permission models.
- See what the target website prevents users to do, then try to do them via modifying requests.
- Testing for IDORs in featureA.
- Testing for Information Disclosure in featureA.
- Then move to featureB.

Yet again, you may wonder "How do I know following this plan will get me some bugs?". The answer is to have Faith, the most important word in every religion. Having faith means to trust something before seeing the result.

Back to cooking, how do you know boiling an egg will make it safe for you to eat?. Because that's how life works.

In gardening, how do you know putting a seed on the ground then watering it will get you a tree 7 days later?. Because that's how life works, you trust it without doubt.

In exercising, how do you know you will feel healthier if you move your body intensively?. Because that's how life worksyou trust it without doubt.

Back to bug bounty, how do you know your plan will work?. You trust it and spend your time executing it. Even if the plan doesn't work. You have accumulated experience, your future self will make a better plan accordingly, and eventually, your plan will be good enough to get you some bugs.

That's how life works, it is impossible to do something without gaining more experience out of it. For example, You watch a movie 3 times, although you really like it, your excitement is not as high as the 1st time. That means something in you have changed regarding this movie, regardless you want it or not.

Back to cooking, how do you know cutting onion will get you closer to a meal? Because you trust a recipe. And if your food tastes like shit, do you think you are a loser?. No, you just need to adjust the recipe, you just gain some experiences, you can adjust the recipe bit by bit until it tastes good.

Comments

Post a Comment

Comments are very welcome. I read all comments!

Popular posts from this blog

Be a security researcher, not a bug bounty hunter.

By
Image
  You can't control your result in bug bounty. Only effort. The word Hunter makes us feel like we need to find some bugs. Otherwise, we fail to be a hunter, our job is worthless, the process is just a mean to an end. If we think ourselves as bug hunters, we will have a lot of unnecessary thoughts, which leads to  unnecessary  stress, which leads to  unnecessary  burnout and procrastination. We have these unnecessary thoughts because we try to control the result, we think the more thoughts we put in it, the better we can control result. But in fact,  we can't control our result in bug bounty. Instead, be a security researcher. Who emphasis on the process, not the result. When testing a target, we learn how its security works, learn its features capacities, discover some quirks, and see if we can spot any security bug out of them. This leads to more enjoyment and less stress while hunting for bugs. With this small change in attitude and mindset, you will get ...
Read more

Beginner Tutorial - How to learn the Technical Skill and Hacker Mindset That Are Required to Find Your First Bug Bounty.

By
In 2023, there are so many bug bounty resources for beginners, much more than before. I believe this is a bad thing for beginners, because now, they have to deal with so much unnecessary distractions just from choosing and sticking to a learning path alone. The over-abundance of free resources also fuels procrastination, we usually see people jumping from one learning path to another, without actually touch a real target. In this article, I will show you how much learning is enough. So you can get out of your learning rabbit holes and start hunting on a real target. By the way, this article aims to help you find bugs in IDOR, Information Disclosure, Business Logics, Broken Access Control. It may not help you to find injections bugs or misconfiguration bugs. Because I don't know how hunt them myself. # Technical Skill If you can solve Practitioner labs in PortSwigger with relatively ease, you have enough technical skill to hunt bugs: - https://portswigger.net/web-security/logic-flaw...
Read more