A quick foreword: I’m going to be fully transparent about money in this article. I’ll share real bounty amounts and my former salary to give you an honest look at what this path is like. Talking about money can be uncomfortable, but these numbers are key to understanding my journey from pentester to full-time bug bounty hunter. Consider this your heads-up for some unfiltered details. Let’s get into it.
Introduction
After seven years in pentesting, I’ve just started my full-time bug bounty adventure. This isn’t a “zero-to-hero” story, it’s a look into how a seasoned pentester can make the leap. My journey is built on years of experience, a long history with CTFs, and mastering the fundamentals with resources like the Portswigger labs. This article recounts the key moments that led to this decision, from my early attempts a decade ago to the final three years of part-time hunting that convinced me to make the jump.
The Early Days
My bug bounty journey began in 2015 at the “Nuit du Hack” conference in France where, at 19 years old, I found a few bugs on a program focus on DenyAll’s WAF.
That bounty essentially paid for my trip to Paris and even let me treat my partner to a restaurant (we’re still together ♥).
Back then, bug bounty wasn’t widespread. “Bounty Factory” (which later became “YesWeHack”) was just emerging in France, but its public programs were disappointing. I only recall two or three, with underwhelming rewards: ~€100 for client-side vulnerabilities like XSS, and even RCEs didn’t hit the €1000 mark.
A year later, during an unpaid internship with a lot of downtime, I decided to try my hand at bug bounty again to make some money.
I turned to a public program, and let me tell you, in 2016, it was full of holes. I found several stored XSS and an IDOR.
One of the XSS was a duplicate, and the other paid $150, which was honestly not bad for an XSS at the time.
They never managed to reproduce the IDOR because there was a CSRF token, and despite a video, it wasn’t enough…
In short, a mixed experience.
I then finished my studies and got a full-time job at a pentesting company. During this time, I sometimes tried to find bugs on YesWeHack or HackerOne programs but without success (more on that at the end of the post).
Upskilling and First Attempts
Fast forward to 2022. I felt I was falling behind after a series of uninteresting assignments. The inability to choose my own targets is a common frustration in pentesting and it pushed me to work on things that genuinely challenged me. I started doing the PortSwigger labs one by one and eventually completed all of them, learning many new techniques along the way.
After all, you can’t find what you don’t know.
I had just started diving into web cache poisoning, and I was hooked on the concept. To test it on real-world targets, I took a list of bug bounty domains and sprayed different cache poisoning techniques.
I got a bit lucky and managed to poison the main page of a bug bounty program on YesWeHack. Unfortunately, I ran into an unfair (now closed) program that just marked it as informative, like spam, without any explanation.
Another unconvincing experience.
A Shift in Perspective
Just as I was starting to feel discouraged with bug bounty, I was invited to the annual party of another pentest company called Synacktiv. There, I met Blaklis, who needs no introduction. He’s one of the leading figures in bug bounty in France, a top guy both technically and personally.
I had crossed paths with him during my CTF years but never really talked to him. He told me about the latest bugs he had found and their payouts: 3 XSS, 3 times $26,000.
I was stunned. Bug bounty had indeed changed, and the payouts were no longer the same. We spent a good part of the evening discussing various attack techniques we had seen in CTFs and bug bounty.
The following week, thanks to my former employer, I was lucky enough to attend agarri_fr’s Burp training, where Blaklis was also present. Great training, I learned a lot, and at the end of the week, I had only one desire: to practice!
The First Big Wins
Following my report on YesWeHack, even though it ended up as informative, I received an invitation to a private program. Luck, maybe?
I decided to focus my entire evening on that one private program, a multi-tenant SaaS. I started poking around and quickly found my first win: an admin feature accessible to users with lower privileges.
Finding that first bug felt great. I fired off the report and woke up to a €300 reward. It might not sound like much now, but back then, it was the fuel I needed. I was more motivated than ever to dive back in.
That momentum was all I needed. I dove back in, spending the next evening and night completely in the zone. The application was a multi-tenant SaaS that integrated into other client applications, so I knew a stored XSS would be critical. My intuition paid off. I found several stored XSS vulnerabilities and a critical cross-tenant IDOR.
Two days later, I woke up to three separate payout notifications: €2,000 each. That’s when it hit me. Suddenly, bug bounty felt like a real alternative to a classic pentest career. It wasn’t just the money, it was the freedom to choose my targets and the flexibility to hunt on my own schedule, a level of autonomy that pentesting couldn’t offer.
Driven by this success, I kept hunting over the next few evenings, finding another IDOR, an XSS, and a cookie leak via postMessages. Then, the program disappeared. They’d closed it because I had single-handedly exhausted their budget.
The final tally was €10,000 from one program. To put that into perspective, my annual French salary at that time was €55,000, which is a decent salary for a pentester in France. I had just made nearly 20% of it in a few nights.
Riding the Momentum
This series of reports gave me access to other invitations on the YesWeHack platform.
In particular, two programs: one that was completely broken where I found all types of bugs (SQLi, XSS, IDOR, SSRF, you name it), and another that was much more secure but had a much higher reward structure (€10k for a critical).
I found an SQLi and didn’t sleep all night. The thought of potentially hitting €10k kept me awake. The next day, I “woke up”, truly exhausted… no news on the report.
I barely slept again. But this time, when I woke up, there was news. The report was accepted as High. The reward: €7,500, my biggest bounty at the time.
I finished the month with a cumulative total of €21,000. To put that into perspective, that was 40% of my annual salary.
A quick word on SQLi: There’s a common myth that this vulnerability is dead. It isn’t. Landing my first SQLi in a bug bounty program was a major milestone, and I’ve consistently found more since, even on modern applications.
My advice to hunters who say they can’t find any is simple: you have to actively look for SQLi. You can’t find what you aren’t searching for.
It had only been 2 months since I had seriously gotten into bug bounty, armed with my new knowledge from the Burp training and the PortSwigger labs. At that moment, the idea of going full-time crossed my mind. Those who know me well know that I am a very cautious person. So I waited to see if it was a stable source of income.
The next two months were less fruitful. In retrospect, these slower months were just due to bad luck. Sometimes you look for bugs but don’t find any, it happens…
Leveling Up: The HackerOne Ambassador World Cup
Then the HackerOne Ambassador World Cup started. There were two teams that year: one with several full-time bug hunters, and ours, made up of a diverse group of profiles. Of course, we had Blaklis as team leader, as well as many other talents. We also had people who had never done bug bounty before. Despite this, we managed to get through round 1, where I only managed to find one bug. Two others were duplicates, bad luck.
The second round was an important one for me, and I’ll explain why: One of the (public) programs offered rewards of $50k for a critical. I thought to myself: let’s go for it, surely the others won’t want to go for it as it can be intimidating.
That afternoon I found my first bug. Kevin_Mizu actually made a challenge out of it with me, write-up available on his blog. I was very excited at that moment, but I admit I didn’t know if they would pay me or try to lower the reward. It seemed “too good to be true.”
The next day I found another one. I was really surprised it hadn’t been found before because it was even simpler than the first bug.
Like with my first big reports on YesWeHack, I didn’t sleep all night. But this time, it took several weeks to be validated. The first bug was paid $10k. I was super happy. The second one took longer to come through.
Two weeks after submitting the report, in the middle of the night, I was chatting with a colleague and I got a message: congratulations, you’ve won $50,000.
I was speechless. In less than two days of work, I had made $60,000… It was a life-altering amount of money. The idea of going full-time, once a distant thought, now felt incredibly real and within reach. The feeling wasn’t just happiness, it was a profound sense of freedom and opportunity.
We then continued through the rounds and ended up in the final (4 teams), where we finished 4th against some very strong teams.
The Live Hacking Event (LHE) Experience
That critical bug from the World Cup directly led to my first invitation to a Live Hacking Event organized by HackerOne: H1-65 with Salesforce in Singapore. Doomerhunter wrote a great article about LHEs, you can find it here.
H1-65 Singapore: A New World
For the occasion, I took 2 weeks of vacation to fully concentrate on the live hacking event: one week remote, and one week on-site.
I really enjoyed the remote week, hunting at my own pace. I stuck to what I knew best: my comfort zone, and had a great time finding client-side bugs like XSS and postMessage vulnerabilities.
But the on-site part was the best. I spent a week with hunters who were way better than me, and it was an incredible feeling. I also met Snorlhax and Bonsoird, two very friendly French full-time hunters who introduced me to many talented hunters.
A Pivotal Conversation
I had the opportunity to talk with shubs, one of the best hackers I know, and it’s no exaggeration to say it changed my perspective completely. I told him how I was only looking for client-side bugs. He listened, and then, he explained his view on server-side vulnerabilities. It wasn’t about the complexity, but the clarity of impact: server-side impact is often more straightforward for programs to understand. Then he added the most important part: “But you have to hunt what you enjoy hunting”. That advice has stuck with me ever since. I’m still a client-side specialist, but at live events, I now switch my focus to server-side bugs to make the biggest possible impact.
The Decision to Go Full-Time
The atmosphere at that LHE was electric. Being surrounded by so many talented hackers, all focused on the same goal, was an incredible rush. That experience, combined with my conversation with shubs, solidified everything for me. By the end of it, my mind was made up. This is what I wanted to do full-time. The appeal wasn’t just the potential earnings, but the entire model: the freedom to pursue my curiosity, work when I felt most creative, and see a direct link between skill and reward.
The event paid out $18,000. While the money was great, it was the experience that truly sealed my decision to switch careers. From that point on, my focus shifted entirely to HackerOne, which I felt offered a better path forward.
I also continued to hunt on Salesforce, which remains the best program I have hunted on so far (and the most lucrative).
Leveling Up: Collaborations and Crushing It
My new focus paid off immediately. The next invitation was to H1-702 in Las Vegas, thanks to Blaklis who brought me along as his “+1”. We decided to team up, and putting the lessons from Singapore into practice, we went all-in on thick clients and server-side vulnerabilities. The result? We found several RCEs and walked away with over $110,000 in bounties together.
Vegas was also where I first met Doomerhunter. We hit it off instantly, which turned out to be another lucky break.
When the next LHE invitation came, H1-0131 in Edinburgh, I knew exactly who to call. Doomerhunter and I teamed up, and we absolutely tore the event apart, banking over $200,000 and earning the “Most Impactful Team” award.
Hitting Cruising Speed
The momentum from Edinburgh carried me through the rest of the year. Hunting on my own, I was matching the results of the LHEs, and the beginning of the following year was even more successful. I had hit my stride.
This financial stability wasn’t just abstract; it became concrete when I bought my first house. Being naturally cautious, I refused to make the leap to full-time hunting on impulse. I waited until I had saved the equivalent of three years of my old pentester salary. With that safety net in place, all the signs were pointing in one direction.
The journey culminated in another Salesforce LHE just last month. It was an amazing experience, as I got to team up with my good friend Kevin_Mizu. In a real full-circle moment, I also had the chance to collaborate with shubs, the hacker who had made such an impact on me a year before. We found some beautiful bugs, even winning the Eradicator “Best bug of final submission window” award. While the final numbers aren’t in yet, that event was the last piece of confirmation I needed.
The puzzle was complete. It was time to go full-time.
And so, after three years of intense learning, incredible experiences, and a lot of hard work, I made the leap. My journey from pentester to full-time hunter was complete. I had found my freedom, one bug at a time. Leaving the stability of a salaried career wasn’t a decision I took lightly, but every successful report, every collaboration, and every LHE confirmed it was the right path for me.
This journey has taught me more than I could have imagined, and for those of you on a similar path, I wanted to share some of the most important lessons I’ve learned along the way.
Key Takeaways
Here are some of the most important things I’ve learned during this experience:
Breaking the Initial Barrier: The biggest hurdle in bug bounty? Landing that first paid bug. As I mentioned earlier, everything felt like a grind until I got that first taste of success. It’s the moment the game changes. Pushing through the initial frustration to find that first valid submission is everything.
Revisiting Public Programs: I built my initial confidence on private programs, but I quickly realized that many hunters overlook public ones, fearing they’re too crowded. The reality is, while there’s a lot of noise, top-tier hunters can’t cover everything. As an example, I recently found a simple XSS in the search bar of a major search engine with a public bug bounty program, the kind of bug you’d assume was found years ago.
A Deep-Dive Approach: My strategy is almost entirely manual. I don’t run scanners or fuzz subdomains endlessly. Instead, I go deep into a single, core application. I’ve found that the most impactful bugs aren’t hiding on some obscure, forgotten subdomain. They’re often in the main app, the one everyone uses but assumes is too heavily tested to have simple flaws. I prefer to pick a large scope and commit to understanding it inside and out. It’s about quality over quantity.
Strategic Program Selection: It’s also crucial to pick a program that you genuinely connect with. You’ll be spending countless hours on the application, so if it doesn’t interest you, you’ll burn out. And don’t be scared off by programs with a high number of resolved reports. While it might seem intimidating, it’s actually a good sign. It means the program is responsive and values security research. A large volume of past reports often points to a large attack surface with plenty more bugs to find.
Asserting the Value of Your Work: I’ve seen too many hunters accept a downgraded severity and a fraction of the reward they deserve. Don’t be one of them. Master the CVSS specification if the program uses it, and learn to build a rock-solid case for your bug’s impact.
The Collaborative Edge: Even when you’re competing, being connected to other talented hunters is a game-changer. They provide invaluable intel. For example, knowing which programs pay top dollar for a Stored XSS versus those that don’t is crucial. This inside knowledge, which often comes from your network, gives you a massive edge and helps you focus your efforts where they’ll pay off most.
Acknowledgements
I’ve shouted out some key people in the story itself, but many others played a huge role in this journey. I want to give a huge shout-out to:
- Adibou: My first-ever collaborator, a fellow full-time hunter, and a friend I often talk and hunt with.
- The HackerHouse crew: For three years of shared knowledge and an unforgettable time together.
- FreeSec: For giving me the push I needed to go solo and trust my gut at the Las Vegas LHE.
- All the French full-time hunters: For the insightful discussions, shared knowledge, and incredible sense of community.
- My former employer (Bsecure) and coworkers, for investing in my skills and supporting the journey that led me here.
And to everyone else I may have forgotten who has been part of this adventure: thank you!
Conclusion
I hope you enjoyed this look into my bug bounty journey. This is just the beginning of my full-time adventure, and I’m excited for what’s next. Feel free to follow my X account for updates!