How It Started

Around 2.5 years ago, I had no idea what to do with my life. I was just a normal guy trying to figure things out. I'm only a 10th pass student, not from any tech or computer science background — but I had curiosity and a dream to do something big.

I started watching tons of YouTube videos about bug bounty — honestly, 90% of them weren't very helpful. But I didn't give up. I kept searching for genuine learning material and found a few golden resources that truly helped me build a foundation:

  • 🎥 NahamSec YouTube channel
  • 🎓 Bugcrowd University
  • 🧠 PortSwigger Labs
  • 🧾 HackerOne Hacktivity and Writeups

If you're new to bug bounty, start from these. Learn from real writeups, practise labs, and understand how real applications behave.

🧑‍💻 For Complete Beginners (Like I Was)

If you're just starting out — here's some honest advice:

  • If you're non-technical (like me), look for programs with multiple user-level functions such as sharing, roles, or team features. These often lead to IDOR or Broken Access Control (BAC) issues — beginner-friendly but powerful.
  • If you're technical, explore what excites you — web, API, or mobile.
  • Avoid relying on automation early. Many experienced hunters already run massive automation setups. You'll mostly get duplicates.
  • Be a manual hunter. Make Burp Suite your best friend. Inspect every single request carefully — headers, parameters, IDs. Think critically and test creatively.

💼 My Story — Before & After Bug Bounty

In 2023, I was 19 years old, working as a packing boy at an e-commerce company, earning ₹15,000 per month. My father worked as a driver. Life wasn't easy — but I had a dream.

After a 12-hour workday, I'd come home, study, and hunt bugs for 4–6 hours, sleeping only 5–6 hours a night. It was exhausting, but I never stopped believing.

At the end of 2023, I got my first ever bounty — an IDOR vulnerability, worth $50. That moment changed everything. It wasn't about the money — it was about confidence.

Within just two months, I earned around ₹1.5 lakh, quit my job, and went full-time into bug hunting.

🚀 Fast Forward to 2024

  • Bought my MacBook M3 Pro (worth ₹2 lakh)
  • Upgraded to a better phone
  • Bought my dream adventure bike — Triumph Scrambler 400X
  • Helped my father retire from work
  • Reported 300+ valid vulnerabilities
  • Ranked under 500 on Bugcrowd
  • Recently started hunting on HackerOne, already achieving country rank 7 (Oct–Dec)

From earning ₹15k a month to living fully on my own terms — bug bounty gave me the life I dreamed of, all while being just a 10th pass guy with no degree, no connections, and no shortcuts.

💡 Tips That Worked for Me

If you're starting your journey, here's what I've learned the hard way:

  1. Stick to one or two programs — know them deeply.
  2. Focus on beginner-friendly issues: IDOR, BAC, CSRF, XSS.
  3. Stay manual and creative. Don't chase automation early on.
  4. Read writeups and replicate vulnerabilities — that's real learning.
  5. Be consistent. Even 2 hours daily can build mastery over time.

❤️ Final Thoughts

Bug bounty didn't just change my income — it changed who I am.

I started with no technical background, no degree, and a simple education — just a 10th pass kid with a passion to learn. Today, I'm a full-time security researcher, a freelancer, and someone who built a new life through persistence and curiosity.

If you're reading this and thinking of starting — do it. Learn, fail, repeat — and one day, your story will inspire someone else too.

Written by: Ferdus (aka Bebe / HackBebe1) Security Researcher | Bug Hunter | Freelancer