Post cover image

June 17, 2026

I Started Bug Bounty With ₹0 Savings and a ₹15,000 Laptop. Year One Results.

The Setup

CYBER MIND SPACE

7 min read

The Setup

₹15,000 laptop. Realtek WiFi card that dropped connection every 40 minutes. 8GB RAM shared between Kali running in VirtualBox and a browser with too many tabs open.

₹0 in savings. No Burp Suite Pro. No VPN subscription. No premium course. No mentor with industry contacts.

This was not a chosen aesthetic. This was the actual situation.

I want to document year one precisely — the numbers, the failures, the specific things that moved the needle — because most bug bounty content is written by people who succeeded and want to inspire you, not by people who want to give you accurate expectations.

Accurate expectations are more useful than inspiration.

Months 1–2: The Phase Where Everyone Quits

I submitted seven reports in the first two months.

All seven were duplicates or informational findings that didn't qualify for bounty.

Not invalid findings — real issues that real programs had already received from other hunters before me. IDOR on a parameter I'd found through basic enumeration. An open redirect on a subdomain. A missing security header configuration.

The technical finding was correct. The timing was wrong. Someone had been there first.

This is the thing about bug bounty that nobody explains clearly enough at the beginning: the easy surface of every public program has been hit hundreds of times. The things you find in your first two months are almost always the things every other beginner found in their first two months. You are competing with people who ran the same scan before you.

The honest advice I eventually internalized: your first two months are not about finding bugs. They are about learning to read a target — understanding what the application is actually doing, who it serves, what its business logic is. The hunters who find P1s aren't running better scanners. They understand the application well enough to see what it's doing wrong.

I didn't understand this yet. I was running tools and hoping.

Month 3: The First Real Finding

A fintech application. Public program. Scope included a web dashboard for business accounts.

I spent three days on it before finding anything. Not scanning — reading. The user flows, the API calls behind each action, the way permissions were structured across different account types.

On day three I noticed something in the account switching flow. The application used a numeric account ID in a POST request to switch the active context. The ID wasn't validated against the authenticated user's permitted account list on the server side.

Classic IDOR. But buried in a business logic flow that a scanner would never surface — no URL parameter, no GET request, no obvious pattern. It lived inside a multi-step account management workflow that required understanding what the feature was supposed to do before you could see what it was doing wrong.

The report took four hours to write. I documented the full reproduction steps, the business impact — any user could access any other business account's financial data — and a clear remediation path.

Severity: High. Bounty: $350.

At the exchange rate that month: approximately ₹29,000.

Twice the cost of the laptop. In one finding. From a free account on a public program.

That was the moment the abstraction became real.

The Tool Stack That Cost ₹0

Because I get asked about this constantly:

Burp Suite Community Edition. Not Pro. Community doesn't have the scanner or the full Intruder speed, but the proxy, repeater, and decoder are what matter for manual testing. I used Community for the entire first year.

Kali Linux in VirtualBox. Free. The limitation was RAM — VirtualBox on 8GB meant Kali got 4GB and the host got the rest. Slow. Workable.

Amass + Subfinder + httpx. All free, all open source, all more than adequate for subdomain enumeration on public programs.

waybackurls + gau. For pulling historical URLs from the Wayback Machine and other archives. Free. Consistently produced attack surface that active scanning missed.

ffuf. Free. Faster than dirb or dirbuster. All I needed for directory and parameter fuzzing.

Google Dorking. Free and criminally underused. I found more interesting endpoints through targeted Google dorks than through any automated tool in year one.

The honest truth: the free tool stack does 90% of what Burp Pro does for the way most beginners test. Burp Pro is a meaningful upgrade — the scanner, the full Intruder, the extensions. It is not the reason people find bugs or don't find bugs at the beginner level.

Methodology is the reason. The tools are just how you execute the methodology.

Month 4–6: Volume and Calibration

After the first real finding, I made a mistake that cost me two months.

I went wide. Opened ten programs, ran surface-level testing on all of them, found nothing meaningful on any of them.

The logic felt correct: more programs equals more attack surface equals more findings.

The logic was wrong. Bug bounty rewards depth, not breadth. A hunter who spends two weeks genuinely understanding one application will consistently outperform a hunter who spends two weeks lightly touching twenty.

I returned to a narrower focus. Two programs at a time. Maximum. Enough time on each to understand the application's behavior, not just its surface.

Month 6 produced two more valid findings — a stored XSS in a comments field that persisted across user sessions (Medium, $150) and an authentication bypass in a password reset flow where the token wasn't invalidated after use (High, $400).

The password reset finding came directly from reading disclosed reports on HackerOne. Not copying — understanding the class of vulnerability, the conditions that produce it, and then going to look for those exact conditions on a different target. Pattern recognition built from other people's documented work.

Reading disclosed reports is the most underrated learning activity in bug bounty. It is free. It shows you exactly how experienced hunters think about targets. It shows you the writing standard that gets paid versus the writing standard that gets closed.

Month 7–9: The Dry Period

Three months. Two valid reports. Both informational. Combined bounty: $0.

This is the part of the bug bounty timeline that doesn't appear in YouTube success videos.

Dry periods happen to everyone. They happen to experienced hunters who have been doing this for years. The target pool gets competitive. Your skills are at a plateau before the next leap. The programs you know well have been hardened by previous reports including yours.

What I did wrong during this period: kept hunting the same programs with the same methodology and expecting different results.

What eventually broke the dry period: I picked a target in an industry I hadn't tested before — healthcare SaaS — and spent two weeks doing nothing but reading. Their documentation, their API guides, their public changelogs, their job postings, their developer community forums. I built a mental model of what the application was designed to do before I tested a single thing.

The finding that ended the dry period came from that model — a rate limiting failure on a patient record search endpoint that allowed enumeration of valid patient IDs through response timing differences. Not something any scanner would flag. Something that only makes sense if you understand what the endpoint is supposed to do and why the way it's doing it creates a problem.

Month 10–12: The Shift

By month ten I had developed something that's hard to describe and impossible to shortcut.

Pattern recognition across application types. The ability to look at a new target and have a hypothesis within an hour — not based on scanning, but based on recognizing the architectural decisions that tend to produce certain vulnerability classes.

A multi-tenant SaaS with account switching? Check the context boundary. A payment flow with multiple steps? Check whether server-side state tracks the completed steps or trusts client-side signals. An API with a mobile client? The mobile client often has broader permissions than the web client, documented in endpoints the web app never calls.

These patterns don't come from courses. They come from testing enough applications that you start seeing the same mistakes appearing in different clothes.

Year one ended with:

Total valid reports: 14 Total bounty earned: approximately $2,100 (₹1.73 lakhs at average exchange rate) Hall of Fame acknowledgments: 6 Programs that invited me to private program: 2

Not life-changing money. Not a number that would replace a salary.

But a proof of concept. A demonstration that the skill was real, that the methodology worked, and that the ceiling was determined by how much better I got — not by whether I had the right tools or the right starting position.

What Year One Actually Costs

People ask about the financial side. Honest answer:

Tools: ₹0. Free stack is sufficient for year one.

Internet: Whatever you're already paying. No upgrade needed.

Time: This is the real cost. Conservative estimate: 15–20 hours per week for twelve months. That's roughly 800 hours of year one.

Mental cost: High and underreported. Duplicate reports when you were certain you had something. Programs that go silent for weeks. Findings that get triaged as informational when you know they're exploitable. The psychological weight of unpredictable income on zero financial runway is real and it compounds.

If you're starting from zero savings, the financial pressure of a slow month in bug bounty hits differently than it hits someone with a salary as a safety net. I don't want to romanticize that. It is harder, and the difficulty is real.

What it is not — is impossible.

The One Thing I'd Tell Myself at Month One

Stop scanning. Start reading.

Pick one application. Understand it like a developer who built it — the user flows, the permission model, the API design, the business logic. Build a model of what it's supposed to do.

Then ask: where does the application trust something it shouldn't trust? Where does it assume something it can't verify? Where does the state on the client side diverge from the state on the server side?

The answers to those questions are where the bugs live. Not in scanner output. Not in checklist completion.

Every P1 someone found this year was hiding in plain sight. It was hiding behind an assumption the developer made that nobody had tested.

Your job is to find the untested assumptions.

That's it. That's the whole job.

Key Takeaways

  • The free tool stack is sufficient for year one — methodology determines results, not tools
  • The first two months will produce duplicates — this is calibration, not failure
  • Depth on two programs beats breadth on twenty — bug bounty rewards genuine application understanding
  • Read disclosed reports obsessively — it's the closest thing to free mentorship the ecosystem offers
  • Dry periods are universal — the correct response is changing your approach, not your effort level
  • Pattern recognition across application types develops slowly and cannot be shortcut
  • Year one at ₹0 starting capital produced ₹1.73L — not a salary, but a proof of concept
  • The real cost is time (800+ hours) and mental resilience — plan for both