
My First Bug Bounty: What I Learned and How You Can Start Too

"Cybersecurity is not just about protecting devices; it's about protecting yourself."


Passionate cybersecurity learner on a mission to explore, practice, and share hands-on knowledge with the community. Always eager to grow and help beginners get started in the world of cyber defense.

How a Tiny Bug Sparked My Curiosity

It all began when a friend of mine created a portfolio website. There was a small bug — the location shown on the site was incorrect.
Curious, I decided to look into it and fix it. It wasn’t a massive technical breakthrough — but it made me feel something. Again I found another bug; it was barely noticeable, but I spotted it.

“His words were: ‘I didn’t expect you to solve this one.’ And that clicked in my mind.”

Those words stayed with me.

That moment planted a seed.
Could I really find and fix bugs? Could I do this with real-world applications too?

The Moment I Realized: This Is What I Want To Do

Not long after that, I checked his portfolio — and again, I spotted a bug. I fixed it.

That’s when the thought really hit me:

“If I can find bugs in portfolio sites, why not in actual websites, apps, or APIs?”

I realized that bugs are everywhere — not just in GitHub repos or student projects, but in real companies used by millions of people.

That’s when the spark turned into a flame.
Yes, my friend nudged me to explore bug bounty, but something inside me knew:
This is where I truly belong.

Taking the Leap: My First Bug Bounty Platform

I signed up on YesWeHack, a bug bounty platform that connects ethical hackers with companies looking to fix vulnerabilities.

That’s where my real journey began.

At first, it was confusing — so many companies, so many scopes, so many types of bugs. But I kept going. One recon, one endpoint, one little detail at a time.

I started reading program scopes, testing APIs, scanning subdomains, and watching for weird behavior.

Real Bugs I Found (Without Earning a Bounty)

Let me be honest: I haven’t received any bounties yet. But I did manage to find actual, valid bugs — and I’ve learned more than I ever imagined.

Here are a few types I’ve reported:

  • API Response Bugs
    Some APIs were returning the wrong data or exposing unnecessary details. I spotted misconfigurations and shared proper PoCs.

  • IDOR (Insecure Direct Object Reference)
    I discovered endpoints where changing a user ID in the URL gave me access to other users’ data. That was a real “wow” moment.

  • Reconnaissance Successes
    Just by scanning subdomains, I found sensitive endpoints, staging environments, and some exposed tools that could have been abused.

  • Fake Credit Card Sites
    I even stumbled across sketchy payment gateways that appeared to be phishing pages. I flagged them and submitted a full analysis.
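As an added illustration (not code from the original post), here is the shape of the IDOR and over-exposing-API bugs listed above, with a hardened handler beside the vulnerable one. The user table, ids and field names are constructed for the example.

```python
# Added example (not from the original post): a minimal "get profile" API
# handler showing the IDOR and response over-exposure bugs, beside a fixed
# version. USERS, the ids and the field names are constructed sample data.

USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.com",
          "password_hash": "<constructed-hash>", "is_admin": False},
    102: {"id": 102, "name": "bob", "email": "bob@example.com",
          "password_hash": "<constructed-hash>", "is_admin": False},
}

# Explicit allowlists: what any authenticated caller may see about a user,
# and what the account owner (or an admin) may additionally see.
PUBLIC_FIELDS = ("id", "name")
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)


def get_profile_vulnerable(session_user_id, requested_id):
    """IDOR: the id from the URL is trusted, so any logged-in user can read
    any record, and the raw row (password hash, admin flag) is returned."""
    return USERS.get(requested_id)


def get_profile_hardened(session_user_id, requested_id):
    """Object-level authorization plus a response allowlist.

    Returns (status, body). The caller's identity comes from the session,
    never from the URL; the URL only says which record is requested."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return 401, None
    record = USERS.get(requested_id)
    if record is None:
        return 404, None
    # Ownership (or admin role) decides which view is served.
    if session_user_id == requested_id or caller["is_admin"]:
        fields = OWNER_FIELDS
    else:
        fields = PUBLIC_FIELDS
    # Only allowlisted fields are serialized; the hash can never leak.
    return 200, {k: record[k] for k in fields}


if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable(101, 102))
    print("hardened:  ", get_profile_hardened(101, 102))
```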

Private Program Invites: My Small Wins

Even though I didn’t get paid, some companies appreciated my findings.

Two companies invited me to their private bug bounty programs — a huge confidence boost for someone just starting out.

Getting recognized like that felt like validation. It reminded me that money is not the only win — learning and building reputation matter just as much.

What I’ve Learned So Far

Here's what this journey has taught me so far:

  • You don’t need to be an expert to start.

  • You won’t get rewards every time — and that’s okay.

  • The goal is to learn, not just to earn.

  • Every winner was once a beginner.

  • There’s no perfect time to begin. Start now. Yes, now.

How You Can Start Bug Bounties as a Beginner

If you're a beginner, here’s your roadmap:

Practice Without Pressure

  • Test small websites (with permission)

  • Try VDPs (Vulnerability Disclosure Programs) on:

    • Bugcrowd VDP

    • HackerOne VDP

Analyze Reports

  • Read public writeups on HackerOne

  • Join communities on Discord or Telegram

  • Follow bug bounty hunters on Twitter/X


Final Advice: Your Time Is Now

“Don’t wait for the right time — it never comes.”

I’m saying this from experience. I could’ve waited until I was “ready,” but I would’ve still been waiting today. Instead, I jumped in, made mistakes, learned from them — and kept going.

Even if you’re not getting bounties right now, you’re building:

  • Experience

  • Confidence

  • Reputation

Let me say this clearly:

You don’t need permission to begin. Your time is now. This moment — this exact one — is where it starts.

Start small. Start today. Maybe your contribution will make the world a little safer.

And maybe, like me, one day you’ll look back and realize…
It all started with a tiny bug in someone’s portfolio.

You might just make the world a safer place — one bug at a time.

Want to See Screenshots or Reports?

Here are some signs for you… At last, I would say:

“Cybersecurity is not a set of products – it’s a set of practices.” – Ed Amoroso

Wasi, 11 months ago

Amazing start, Pallavi! Super helpful and motivating for beginners in bug bounty. 🐞