
Hacking on Bug Bounties for Four Years - infosecau
https://blog.assetnote.io/2020/09/15/hacking-on-bug-bounties-for-four-years/
======
drsh0
I've got to respect the transparency and spirit of this post. Major props.
What I really love is seeing all the partnerships that have gone into some of
his work over the years. Didn't realize how mammoth of a task some of these
reports must have been that were only made possible via collaboration.

------
mellosouls
Very informative and admirably transparent article.

From the other side (bounty program manager - this was linked to in another
article on the assetnote blog):

https://medium.com/@collingreene/bug-bounty-5-years-in-c95cda604365

------
melvinroest
A friend of mine looked at the feasibility of getting into bug bounty as a
professional career. He mentioned that if you're not specialized in a specific
attack, you have no chance.

I think it's quite refreshing to see that Shubham Shah is a strong counter
example.

~~~
Hitton
Is he really a strong counter example? If you actually count bounties he got
this year so far, it's less than $50,000. I think he could easily earn more
working as some kind of security engineer (with way less flexibility though).

~~~
infosecau
Author of the blog post here. I want to make it clear that I had multiple
full-time jobs along the way that paid over 200k AUD/year and it required a
lot of effort to do both bug hunting and work full time. I only did bug bounty
hunting full time for around a year while I was traveling around Europe. I
just really love hacking. Bug bounties landed me my first job in the industry
and have led to countless opportunities in my career so far.

~~~
deadcat
Contractor? You are making bank.

~~~
infosecau
Paid in USD, worked remotely (conversion rates)

------
pakwa
Hey Shubham, nice report and write up.

Do you see much demand on the mobile security side, either as a specialist or
focussing on mobile bounties?

