How much work is enough to find a bug?


This image is a glimpse of the list of test cases I have checked over time in my most successful bug bounty program, captured in the Sublime Text side view: ~2500 test cases. These are only the cases I wrote down. I estimate the test cases I did write down is 3 times this amount. So I have done 10k test cases in this program, and I have reported 230 valid bugs on it.

10000 / 230 = 43

So on average, I will find one bug after 43 test cases. That's the ratio on my most successful program; for other programs, the ratio is even higher.

A bug bounty beginner DMed me on Reddit, saying he had been learning hacking for a year but couldn't find any bugs on a real bug bounty website. I asked what he had tested; he listed about 20 test cases, and that was it.

This is the problem not only with him, but with most beginners: their expectation of how much effort it takes to find a bug is much lower than the actual amount. When the effort they put in exceeds their expectation, they get discouraged, think their methods are not working, and stop.

The solution is simple (but not easy): be willing to do triple the amount of work you expect.

For example:

- If you expect to finish a task in 4 hours, be ready to work for 12 on it.

- If someone hires you for $100 to do a job and you expect to finish it in 5 hours, but you have worked for 10 hours and the job is not done yet, don't get mad. Instead, feel at peace, keep calm, and finish the job. Then tell yourself to be wiser with your estimate next time.

- Obviously, don't feel discouraged if you have only done 20 test cases on a bug bounty target. Do 60 test cases.

You may say you "work smarter, not harder". This is an excuse for procrastinators. If you had worked during the time you spent thinking of a "smarter" solution, you would already have made some progress and gained a better understanding of your job, which leads to a smarter solution.
