Hola Friends,

How are you all doing?

Allow me the small indulgence to rant a little about something I, an older gentleman, keep coming across in my day-to-day while learning the art of bug bounty hunting as a new Security Researcher. That thing would be content that features the amount of money paid out after a finding. I'm not singling any one person out, but this is a pattern I keep seeing a lot and would like to see change.

Why it bothers me

I often find myself comparing bug bounty programs to the gold rush of 1849 in California (United States). Back in those days, word spread quickly that a prospector had found "gold in them thar hills!" and people would come from all over hoping to reap the same benefits. Over time, that gold vein would be saturated with miners and the findings would dry up. This cycle repeated itself over and over again, with other precious metals as well. Few struck it rich; most barely got a few ounces. Towns would boom, then bust.

Bug Bounties feel a little like that. A few elite professionals would find some solid vulnerabilities and keep their earnings to themselves. I like those people. They are humble quiet professionals that get things done. These are the people I'm trying to model myself after.

Then you have others who have this propensity to publish their findings along with how much they've earned. My consternation with these folks comes from the "why" behind the need to publicize how much they've earned. You'll see titles like "How I found a P1 IDOR while drinking coffee that earned me a $10k payout" .. ugh!!

What the messaging says (and doesn't)

When I read blog posts that boast earnings, the takeaway is never a good one. As someone starting out, I genuinely love to learn the approach taken to find the aforementioned vulnerability. What I don't need to know is that you were rewarded handsomely.

Consider the following: if on an engagement you were paid in swag, would you still brag about the payout for the finding? If the answer is no, consider what the messaging behind the post is really saying, even when it isn't said outright.

Someone else starting their journey might read a post like this, try the same steps on a different engagement, and feel like they've failed because they didn't experience the same outcome. I'm generalizing a teeny bit, but the point I'm making is valid.

What I would like from the community

In an age where AI is becoming a larger part of our daily workflows, I'm seeing instances where people are turning to these automation bots to help with finding vulnerabilities. These "bot kiddies" (my word, patent pending 😃) are leveraging the latest automation tools to find the vulnerability and then write the report for it. Minimal to no effort, yet they immediately run off and brag about it.

I recently had a chat with a BBH Triager who mentioned that the amount of AI slop they have to reject is staggering. Most issues filed are rejected for misreporting the issue, deviating from scope, or simply failing to demonstrate impact. AI-generated reports have a higher rejection rate because they often fail to accurately capture the context of the issue being tested. This frustrates bounty hunters who believe their findings were legitimate while the triagers conclude otherwise (a completely separate topic for sure).

And don't even get me started on the posts on social media. Be it Discord or Reddit, I keep seeing posts every .. single .. day asking for "tips" or "strategies" or "roadmaps" on getting started. Zero effort to take the initiative and look up the information for themselves. Zero self-reliance in learning the craft. Just lazy requests to have information handed to them so they can go out digging for the gold everyone else is bragging about.

Conclusion

I'm closing this mini-rant to ask for humility. Be humble, or get humbled.

  • You've found a P1! Awesome .. show me how you did it.
  • It paid you a fortune! Not awesome .. I don't care. It doesn't give you clout, and it doesn't give you "hacker" cred.

Anyway .. that's all I have for the moment. I needed to vent a little, as I keep seeing way too many instances of this and it needs to change.

Let me know what you think. Do you agree, or am I just an old man yelling at the clouds?

ciao for now