June 8, 2026
I Got Rejected 12 Times Before My First Bounty
Here’s what I was doing wrong and how I fixed it.
Decline
Twelve reports. All rejected.
"Informative." "Duplicate." "Not a security issue."
I almost quit. Thought maybe I wasn't cut out for this.
Then I looked back at my reports and realized something painful. I wasn't finding bad bugs. I was writing bad reports.
Here's what I changed.
---
The First Few Rejections Were My Fault
I was rushing. Finding something weird and immediately reporting it without understanding if it was actually a bug.
A custom 404 page isn't a bug. A parameter that reflects but doesn't execute isn't a bug. A missing security header on a static file isn't a bug.
I was wasting triager time. They were right to reject me.
What I learned: Just because something is weird doesn't mean it's a vulnerability. Prove impact before you report.
---
The Middle Rejections Were Different
I had real bugs. But my reports were garbage.
No clear steps. No proof. Rambling explanations.
One triager actually replied nicely: "I can't reproduce this. Can you send clearer steps?"
I got annoyed. Then I read my own report and realized I wouldn't be able to follow it either.
What I learned: Write like the triager has never seen the app before. Assume nothing.
---
What I Changed
I stopped reporting the same day.
Found something. Sat on it for 24 hours. Tested it again with fresh eyes. Made sure it was real.
Half the time I realized it wasn't a bug and saved myself the embarrassment.
I started using a template.
Title. Description. Steps. Proof. Impact.
Same order every time. Nothing fancy. Just clear.
I added screenshots with red boxes.
Not just text. Show them exactly where to click and what to look for.
Triagers love this. Less work for them. Faster approvals for you.
I stopped arguing.
If they rejected something I believed in, I asked politely why. Sometimes I was wrong. Sometimes they were. Being rude never helped.
---
The Report That Finally Got Accepted
It wasn't a critical bug. Just an IDOR that leaked user emails.
But my report was clean. Steps were numbered. Screenshot had a red circle. Impact was clear.
Triager confirmed in 10 minutes. Paid in 3 days.
That first acceptance felt better than any bounty since.
---
What I Wish Someone Told Me
Rejections aren't failure. They're feedback.
Every "informative" taught me something. Every "duplicate" showed me I was too slow. Every "not a security issue" made me rethink what a bug actually is.
The hunters who last aren't the ones who never get rejected. They're the ones who learn from it and come back sharper.
---
Your Turn
If you're getting rejected, don't quit. Fix your reports.
One small change in how you write can turn an "informative" into a "paid."
---
Been rejected before? We all have. Drop your worst rejection story in the comments. Let's laugh about it together.