The Ugly Truth about Bug Bounty Hunting

  • Published on 4 Aug 2024
  • Burp Suite Deep Dive course: bit.ly/burpforpros
    Why only a handful of security researchers and bounty hunters make it, and how can you be one of them?
    Free coding platforms:
    freecodecamp.org
    edabit.com
    codewars.com
    Free books:
    www.py4e.com/book.php
    www.golang-book.com/books/intro
    books.goalkicker.com/BashBook/
    __________
    Recon in Cybersecurity course: bit.ly/cybersecrecon
    Python for Pentesters course: bit.ly/2I0sRkm
    Python Basics course: bit.ly/37cmhlx
    10 Points for PentesterLab PRO: bit.ly/awesomepentester
    Join me and other cyber-geeks on discord: bit.ly/2KH6aST
    Join my SQUAD (for discounts'n'stuff): bit.ly/2xhSvM2
    Hire me as a penetration tester: dgtsec.com/penetration-testin...
    101 Pentesting Training: dgtsec.com/cybersec-pentestin...
    101 Cybersecurity Consulting: dgtsec.com/cybersec-pentestin...
    Books I recommend for Penetration Testing and Ethical Hacking:
    1. TJ O'Connor - Violent Python: amzn.to/31vH2GB
    2. Dafydd Stuttard - Web App Hacker's Handbook (2nd Ed): amzn.to/2MRcjk3
    3. Peter Yaworski - Web Hacking 101: amzn.to/2KTvJSy
    4. Jon Erickson - Hacking: The Art of Exploitation (2nd Ed): amzn.to/2WHr3BD
    5. Peter Kim - The Hacker Playbook 3 (2018): amzn.to/2MQiTXK
    6. Peter Yaworski - Real-World Bug Hunting: amzn.to/37GB87K
    __________
    Whatever type of tests you're doing, only perform them in safe and legal environments and with the appropriate permissions. This video is for educational purposes only.
  • Science & Technology

Comments • 430

  • @CristiVladZ  3 years ago +38

    Recon in Cybersecurity course: bit.ly/cybersecrecon
    Python for Pentesters course: bit.ly/2I0sRkm
    Python Basics course: bit.ly/37cmhlx
    Hands-On Training with PentesterLab PRO: bit.ly/awesomepentester
    For coaching in pentesting and bug bounty: dgtsec.com/cybersec-pentesting-training/

    • @ncb4_69 3 years ago +1

      thanks for your kind word, my dear sir(senpai-san)
      love from "#BHAI"

    • @ncb4_69 3 years ago +1

      Actually I'm too stuck in some bullshit and make that mistake again and again; almost 2 years (1 and 8 months) of my time I wasted on some f-vid. In late 2019 I started again, but this time I have a goal, being a 'pen tester'. Currently I'm not learning too much, only an hour or so, but now I'm asking myself what I want to be, bc now I realize how big IT is, and I just need some tips. Sorry for my poor English/comment, bye

    • @arjunn7683 3 years ago

      It's true !!!

    • @t.k.8406 3 years ago

      My problem is getting started to learn the programming languages first.

    • @t.k.8406 3 years ago

      @l , that's the most solid advice I ever got. However, you said bare metal and I feel like I know what you mean but I really need to be exact on what you mean. You mean install Kali on a dedicated device as the only OS? A dedicated Kali Linux machine basically?

  • @RN-kl4kp 3 years ago +347

    Probably the only HONEST YouTube about bug bounty advice I ever saw..

    • @CristiVladZ  3 years ago +16

      thank you

    • @RN-kl4kp 3 years ago +13

      @CristiVladZ no, thank you
      for realistic views.

    • @thegreatnihil7854 3 years ago +4

      @CristiVladZ Eh, it's good, but it helped me see how far ahead I am than most cysec people because I am interested in operating systems and tinkering, and not the abstract idea of 'cybersecurity'.
      I originally started out in cysec, but in doing that I found a new passion in OS development, to the point that I'm trying to create my own OS on top of a microkernel I like.
      All these people are doing is learning crap like Hack the box. All that canned shit is going to do is teach you how to be a soydev script kiddie.
      Instead of doing all that, install gentoo, become a power-user, make your own server, practice hardening and attacking it. *That's* how you get good. If you want to be a good Cysec guy, you *must* be very passionate about computers for computers. I don't even do this for a job, it's just a hobby, you must be at that level to actually succeed.

    • @UnknownSend3r 3 years ago +6

      @thegreatnihil7854 Wow, I've never seen a gate-keeping/humble-brag hybrid before. Your statements are not entirely true; there are many roads to success, just look at the diverse background and skillset of the most prolific hackers on HackerOne's leaderboard and listen to their journey into cybersec - some were deliberate, some were completely by chance, and some were just tinkerers from a young age. And also, you don't need passion to succeed in this, that's something that's constantly regurgitated by people in cybersec and comp-sci (looking at you game-devs); you need hard work, perseverance and a good foundation to build upon. Passion is a bonus but definitely not a prereq for success.
      P.S. almost every "l337" starts off as a script-kiddie.

    • @muudus_tv 3 years ago

      What did he tell?
      I couldn't understand.

  • @ayansinha4039 3 years ago +587

    "The never ending beginner courses"- The most truth you've told. Internet is full of beginner things, because those instructors don't know above beginner level. The pro levels are busy with their work, they don't show off

    • @CristiVladZ  3 years ago +60

      Ain't that right?!

    • @highlightchannel7845 3 years ago +12

      No bug hunter who have earned 40 million have also course about bug bounty

    • @werren894 3 years ago +23

      not because the instructors but influencer, those ppl are just exploited for money so they keep attached to that "beginner content" keep buying courses/merch, instructor and influencer is different, there is a lot of harvard free youtube that teach u IT but nobody interested their vid always boring because that is the point of learning IT field, u need to get used to boring/frustrating stuff cybersec or not they are just matter of creativity, instead of doing hacking u ppl make IT memes, being edgy, keep learning the same courses and procrastinating, if they actually support ur productivity u might be most likely less attached to them/probably quit the community because u gain more, if u were not, that is bad influence.

    • @camila3110 3 years ago

      @werren894 Hello, "here is a lot of harvard free youtube that teach u IT", can you tell me where I can find that?

    • @prajjwal3127 3 years ago +2

      @camila3110 CS 50

  • @swapnilpawar2311 3 years ago +209

    "Become someone unlike everyone" damn that hit hard

    • @CristiVladZ  3 years ago +13

      the whole point :)

    • @3rdNumberOfPi 3 years ago +2

      I'm gonna put it in my fb bio

    • @reo4680 3 years ago

      this guy is speaking facts.

  • @rickdalton9773 3 years ago +84

    I recently decided to stop reproducing steps from tweets or hacktivities on random targets and start studying android app development and thus go into android app hacking. On watching this video I'm more motivated. Thank u

    • @CristiVladZ  3 years ago +10

      This is what I'm talking about!

    • @fenilshah9221 3 years ago +1

      Same here!

    • @chintangajera1537 3 years ago +3

      Damn that's inspiring :)

    • @-bubby9633 3 years ago

      Honestly I find android apps to be so much easier to find vulns in for the simple reason it's hard to get into and everyone ignores it

  • @tanujbaware2530 3 years ago +51

    This is the actual truth about bug bounty. Many people, mostly teens, join this field because it is low barrier and think they can also find bugs like that person on Twitter who said "RCE in 10 min", "P1 in 5 min". All these guys show their reward, like they got xxxx$ bounty, but never reveal how much they worked for that 5 min finding, how much time they spent for that 10 min RCE. I don't know, but many people, mostly popular hackers on social media, represent this field as something fancy rather than showing how hard it is...

    • @CristiVladZ  3 years ago +2

      Well said!

    • @jhde9067 3 years ago +6

      This!
      I commented on a video last time saying that hacking is hard and nobody really tells you that.

  • @michaelgraf6773 3 years ago +12

    So true, me as someone that owns a software company and writes code every day, working with different languages and tools. I feel like finding out many details and problems about the things you are hacking, such as reading and fully understanding how things work at a low level, is so valuable. It's true, the experts are busy working, be it hackers or programmers; this industry needs people that are ever evolving towards being better and that's why so many don't make it.

  • @rumplstiltztinkerstein 3 years ago +62

    I'm studying to become a fullstack developer to get just enough to pay for my rent and live by myself. Then I will keep learning to become something better. Your advice is so much true. The more boring is the content that we are currently studying, the less people will do it, and the more we might get paid for it. Don't ever give up.

    • @HK-sw3vi 3 years ago

      I'm a security student but I'm too learning full stack on the side

    • @QuestForGood 1 year ago

      @HK-sw3vi What is it like being a security student?

    • @maximkulakov5359 7 months ago

      How's it going?

    • @rumplstiltztinkerstein 7 months ago

      @maximkulakov5359 I learned a lot. Working for a startup now. Revenue is decent. I must have applied to 2k jobs and got rejected by almost all of them. I feel bad for anyone starting now.

  • @jhde9067 3 years ago +5

    I like honesty. Refreshing to hear someone like you. You covered it a way others don't. I might consider subscribing but will look for more first.

  • @MrTheSaxon 3 years ago +2

    So true. I think this applies for a lot of things on social media that promise big payouts fast. We are so used to instant gratification, we see a bug bounty video and think "Hey I could do that too!". People don't realize the time and effort (and expertise) it takes to find even one bug. I admire people who do this and put the work in, I am a programmer myself. But I have realized that I don't have the motivation and dedication to be one of these guys. I have other projects and skills that interest me, which are easier for me to work on in the long run.
    Great video!

  • @chrisstevenson8881 3 years ago +34

    Realest vid on bounties ever. Too many people watching the regular type of vids expecting to become millionaires overnight. Well done for adding perspective 👏

    • @CristiVladZ  3 years ago +1

      thanks Chris. cheers ;)

  • @theraghavgupta 3 years ago +12

    I am so happy I found this video. Actually I recently stopped spending time on the mentioned programs and instead started learning the languages js, python, php. And listening it from expert makes me happy to be in right direction. Thanks🌹

    • @CristiVladZ  3 years ago

      Glad it was helpful!

    • @ArieBayang 1 year ago

      Hi, @Raghav Gupta, will you share which platform you learn Js, bash, python and PHP, thank you

    • @ArieBayang 1 year ago

      Hi, @Cristi Vlad, thank you for sharing. I'd like to ask, is it possible to learn JS, Bash, Python in 1 year? If possible, how many hours do you suggest we spend to learn those languages per day? Thank you

  • @eonraider4180 3 years ago +10

    This is something I've been having in the back of my mind for quite some time... When it comes to Web App bug bounty hunting the secret lies in being a full stack web dev and dominating multiple popular stacks. Thanks for that.

    • @Cognitoman 2 years ago +1

      Yeah dude you should become a web developer then you will understand

  • @-bubby9633 3 years ago +13

    Oh good someone finally said it. Honestly I have several years as a pentester and thus can focus on lesser known bugs/quirks, and write my own custom recon scripts and wordlists and still sometimes struggle a bit to find a bug. The idea you can learn how XSS works and then run a 3 line bash script to find a bunch of XSS bugs stopped being viable in like 2012

    • @CristiVladZ  3 years ago +3

      If you want to collab, send me a message

    • @-bubby9633 3 years ago

      @CristiVladZ Thanks for the offer! I'm not really well versed on the whole YouTube video making dynamic right now but am planning on making some educational content in the future. If it kicks off would love to do a collab! Either way thanks for actually telling it how it is, earned a sub from me.

    • @CristiVladZ  3 years ago +1

      @-bubby9633 I'm not talking about YouTube, but hunting

  • @trinity2725 3 years ago +5

    Those advices are precious! To be honest I tried to reject them to encourage myself but now I need to be more determined

  • @coderx56 3 years ago +45

    To be honest this video make me wake up

    • @CristiVladZ  3 years ago +3

      In what sense?

    • @coderx56 3 years ago +3

      @CristiVladZ I just mean good advice

  • @anandjambhulkar8432 2 years ago +2

    Good gosh, what an eye opener video. Thanks for making it and then subsequently sharing it with everyone to see. I appreciate it.

  • @circleclips8429 3 years ago +5

    I am learning and very much engaged in security for about 6 months, and i fell in love with it, i now know my passion, but again i am struggling cause there is no straight path, i am practising from these beginners platform but your video made sense, i will try things now differently, i will do whatever it takes to reach that level, cause i love hacking.

    • @CristiVladZ  3 years ago +3

      This is the spirit

  • @hasnainabidkhanzada3754 3 years ago +15

    You are absolutely right. Although I am a newbie, I have this same goal to find bugs (like business logics error, idor etc) for a specific amount of time and then, instead of sticking to this loop, move on to learn new technologies, tools, programming languages. The idea behind learning all of this is to find some big piece of meat, to automate repetitive tasks, to build something and so on.

  • @gtgt8564 3 years ago +10

    I've found some leaks and ended up getting a P2 on bugcrowd, which allowed me to find more bugs using the same long hanging fruit technique, and I was unable to find something more technical since the findings were made using google dorks. Then I tried to find more "advanced" bugs; however, the lack of technical knowledge was like a brick wall. Now I'm doing a fullstack course, to understand from the dev side and learn new skills.
    And there's also another big important side, which is time; usually I prefer working on upwork, for example, than wasting hours on bug bounty with no pay.

    • @ayoubzahiri1918 3 years ago

      How do you guys get motivation on this field? I gave up learning how to montage a video within 10 minutes of trying ...

  • @abj1985 2 years ago +9

    ALL that has been said in this video is 1000% correct. I can vouch for that. BBH is apparently HARD. From my experience as a person who has started doing it quite some time ago, it requires LOTS of up-skilling. Those who say that BBHing does NOT require programming knowledge, then I will tell you that they are LYING. This is a very-well put together video of some hard facts to digest. Thanks for making it. Keep'em coming. Cheers!!

  • @kfreedom470 3 years ago +4

    Yup this is the explanation I was looking for. I started learning the basics of programming as well as Linux. I also used Kali Linux and messed around with it by watching a lot of YouTube tutorials. This was all done in the past 2 years during my side job. But I gotta say right now I am nowhere near where I want to be in this field. I'm considering switching my goals but I will give it one last go by studying for the oscp cert which definitely is a real one. I'm glad you made this video, cyber security is a maze in which you need to match the pieces. Just takes time but if it don't match then it's not worth wasting time.

  • @bsmakoro 2 years ago

    Thank you for the wake up call. I appreciate the honesty. It's going to take real work to that level. Was happy to hear that 'Time is on your side'.

  • @vincebastier9815 3 years ago +17

    The most honest video, there was a teacher from a US university who mentioned what you've said during a talk and one of his slowest student ended up becoming a key player because he was writing down on paper to visualise all of his attacks/defense code to be executed before putting them into practice, correcting them and fine tuning them which has paid off because his knowledge is invaluable now.

    • @CristiVladZ  3 years ago +2

      that's interesting. thanks for sharing

    • @vincebastier9815 3 years ago

      @CristiVladZ I've found the link, watch this th-cam.com/video/6vj96QetfTg/w-d-xo.html & attack.mitre.org

  • @martinstoynov3831 3 years ago +4

    Thanks, this was needed to be said!

  • @behradtaher6779 3 years ago +4

    This was so accurate and well worded. I've seen a huge amount of posts in various communities of people following the path of x, y, z. to get into bug bounty with a goal of pursuing it full time and it's just not realistic for most people.

  • @jordanski5421 3 years ago +5

    this is true for almost every position related to software engineering, as a self taught web dev myself I know the road is long and lonely. At first I obsessed over the latest "best practices" like it was the words of RNGsus himself but in doing so I took a back seat in the development of my own applications which always made me feel like a beginner. I'm glad to say I broke out of that loop by creating something on my own, it's like removing the stabilisers on your bike for the first time as a child, you almost don't even realise how fast you're going until you turn a sharp corner and crash... That's the moment that defines you, do you get your hands back on the handlebars? or just lie there crying on the roadside?

    • @CristiVladZ  3 years ago +1

      well said my friend. Thanks for the intervention!

    • @coupleodevs 1 year ago

      currently learning this the hard way, started web dev 4 months ago

  • @trickwheel 2 years ago +2

    A great saying I once heard and tried to apply that to every aspect of life: "To live like no one else, you have to start living like no one else"

  • @pratheeku4467 3 years ago +3

    Dude.. You are sooo underrated!!
    I salute ya buddy! Keep going!

    • @CristiVladZ  3 years ago

      Cheers. Share around

  • @TheTurbotez 3 years ago +1

    Thank you for this video, I'm just starting out, but there is soooo much beginner stuff out there, someone like me doesn't really know where to go to get some proper learning tools to get into the industry. I will make it to the top, so it's nice to know that if someone can go alone, become competent and get to the top without following the crowd.

  • @-hero-5882 3 years ago +1

    I'm building it knowledge in prep not there yet but the info was Def appreciated man

  • @FreakinKatGaming 3 years ago +3

    Finally someone who has the right morals! You made my day man! Seriously. You a HBH member

  • @namenone8387 3 years ago +8

    OMG! One of the greatest advice that I could ever receive. Thank you so much mate. I am currently a web developer so as you said, maybe it's good for me to start on security source code reviewer since that is what I do most everyday, staring at the source code of my team doing code review but not on security aspect. Honestly, I am really weak at doing black box testing. So maybe focusing on my strength first will do the job? Cheers

    • @CristiVladZ  3 years ago +1

      Of course, leverage your strengths

  • @mohammedmokhtar 3 years ago +2

    You are an amazing human being for putting this out like that.

  • @jesalpatel2270 3 years ago +1

    Thanks man! You are truly an honest man. As u said You need to be different from others that hit me differently. 💯🥂

  • @GameNon-Quitters 3 years ago +1

    Finally the best advice ever, at least I think for us beginners who are lurking in Cybersecurity world ! Thanks ! And glad I discovered you!

    • @CristiVladZ  3 years ago

      Glad it was helpful!

  • @ayushmayekar9098 3 years ago +3

    Damn i knew this but not found anyone telling about this, you told it and you are my Hero now. But surely you have saved the time of over 19k viewers, you are definitely going to heaven.

  • @Eddy1A1 3 years ago +4

    Pretty comprehensive and honest opinions on your vids. Congratulations! 😎

    • @CristiVladZ  3 years ago

      thanks :) pass it on.

  • @imkir4n 3 years ago +2

    Thanks for the honest advice, now I get a clear path about where I should start. I want to be a webapp pentester so I'm going to master web development and js first ✌️

    • @thecreator8353 3 years ago +1

      Actually you are the one who has cleared my path. Thanks for everything.

    • @imkir4n 3 years ago

      @thecreator8353 yeah! stay focused

  • @ahmedseleman3621 2 years ago +1

    please answer me
    what is the meaning of focusing code aspect of bounty program or security research?

  • @arjunsharma3248 3 years ago +2

    Been thinking the same thing lately. I got to have a unique look at the scenario to strike out.

  • @myself.mohammed.ibrahim 3 years ago +2

    Thank you so much bro for helping me out....!!!
    Appreciate your honesty!!!!

  • @eyokfla 3 years ago +1

    "CRAFT YOUR UNIQUE APPROACH!" this is a golden advice! Thanks

  • @faruky9197 3 years ago +2

    I saw this video 3 months ago and I was really upset about my inadequacy; it sounded really hard to me to start coding. Finally I started 2 months ago and I learned html and css (I know it's a design language). In this time I realized coding was fun and that motivates me, and I am still learning javascript (once I stopped learning programming because it was really boring) and soon I will learn nodejs. I still haven't quit because of learning new things being hard and boring. In fact I want to be a full-stack javascript developer, then start bug bounty. I found my way and I am really happy about it. I can even spend years programming, maybe I will forget starting hacking. Thank you Cristi Vlad, this video was really helpful to me. I hope the others will start programming. By the way, sorry for my language, English is not my native language and I am learning it too :)

    • @CristiVladZ  3 years ago

      you've just made my day! Good luck in all your future pursuits!

  • @harishankarknair995 2 years ago

    Thank you for making this video. As a student who is interested and passionate about these topics, this video gave a good insight and direction that I need to follow

  • @tiago2946 2 years ago

    Just found out your channel and you definitely have my attention.

  • @j.b.708 3 years ago +4

    i gave up after 3 years just trying to get an entry-level SOC analyst job.

  • @init_6415 3 years ago

    Deeply thinking about this lately, but then a question rises, where to start, cuz there is so much to learn then, from dev side, from security side, and also to keep up with the latest vulnerability

  • @shreyabanerjee1684 3 years ago +1

    Hey Cristi can you tell me how much networking knowledge is needed for bug bounty...though I know networking a little more but I'm interested in that area too..
    Nice video👍❤️

    • @CristiVladZ  3 years ago

      You'd go a long way mastering networking

  • @jhde9067 3 years ago +13

    The one liners beginner courses ugh
    So many are in just for the views and are misleading people like me :(

  • @saptaksaha1702 3 years ago

    The most Realistic video about bug bounty or cyber sec... appreciate your calm boldness👍👍❤

  • @craigofficial 3 years ago +8

    and also there is that everyone that we all kinda competing with. and guys doing most work auto, bruh..

  • @w3w3w3 3 years ago +1

    Very nice and well put! So true. =D

  • @lxa1121 3 years ago +2

    Very well put!

  • @Natsu6000 1 year ago

    Hi, i wanted to know if a job in IT first is good, i'm at the lvl 2 support in an company and i think understanding all the networking first is good, i'm learning programming and i learn on try hack me, hack the box/Root me, any advices ?

  • @xenialxerous2441 3 years ago +1

    Hey awesome video bro, thanks!!

  • @LetsTalkSecurity 3 years ago +1

    A hard truth, thanks for this video!

  • @fymind 3 years ago

    Thank you, that's what I needed to hear

  • @darksekiro6378 3 years ago +3

    We are all gonna make it brothers, never give up!!

  • @dave4290 3 years ago +1

    One of the most honest videos on youtube i've ever seen

  • @skytest1247 3 years ago +1

    Good video, telling the truth without demotivating and disrespecting someone.
    Learn! Apply! Learn Apply!

    • @CristiVladZ  3 years ago

      Thanks for the feedback

  • @francosalina9373 3 years ago

    What do u think bout certifications like Ceh?

  • @hackersguild8445 3 years ago +39

    I don't know which person disliked it but if I could, I would give this video a 1000 likes. Very well said. I have been doing hunting for 2 years but I have always felt that I am not improving. Time to deep dive on each topic and make our own hunting style

    • @CristiVladZ  3 years ago +2

      good reminder!

    • @arthathome 2 years ago +4

      Did you improve now?

    • @LetsGoTech 2 years ago

      @CristiVladZ tell him to do click jacking

  • @adarshanand2073 3 years ago

    Totally agree with you. Someone I found whom i can relate more - otherwise most of the people who got in security are mainly driven by the money. Interest is the first thing which require in bug bounty. I am pretty sure, people who have interest should have found this true and informative.

  • @mrfox6662 3 years ago

    I still think the thing I'm struggling with the most is understanding how to get into hacking. Me and a team of my friends want to start bug bounties; however, we need to learn more, and knowing all the terminology and functions and stuff is so hard.

    • @CristiVladZ  3 years ago

      you don't need to learn more, just do

  • @brianbaraka5429 3 years ago

    I needed that😍

  • @kksarnasarna5996 3 years ago +2

    holy shit dude, u just said what i was thinking for like months , i just didnt had the correct words , thanks for clearing it up for me and everyone else

  • @nointro5284 3 years ago +4

    So true. I never completed a single lab or ctf but I still manage to find bugs every month and I'm happy with it. I just don't want to spend my time doing what everybody does. Why have to learn the same thing that everyone is learning when I can learn a lot more from google.

    • @nikhilt3755 3 years ago +1

      everyone is finding bugs , how r u different from others ? so people trying ctfs and labs are wasting time ?
      grow up beg bounty hunter

    • @nointro5284 3 years ago

      @nikhilt3755 lol when did I say that I'm different from others. Everyone is finding bugs, yes, true. Why the fuck people want to be limited when they can learn so much from the internet instead of wasting money (yes there are free ones also). I'm not saying people are wasting their time by doing ctf, labs etc. I just said my thing, not yours. Please grow up. In some case everyone is beg bounty hunter, how come you can say you're not.

    • @rujotheone 3 years ago +2

      Nice work. How did you learn? Cuz I can see there are several types of bugs. Also do you concentrate one a few types of bugs or you check for everything.

    • @chintangajera1537 3 years ago +2

      @rujotheone you can use tools for that in the beginning but try doing that manually. You can use portswigger.net and also hackerone; you can get good web security knowledge on those websites.

    • @rujotheone 3 years ago +1

      @chintangajera1537 thanks

  • @Ghost-jx2dj 1 year ago +2

    The way you demotivated now i am sure i will make it to the top thanks.

    • @CristiVladZ  1 year ago

      I'm not here to demotivate anyone, but to talk about my perspective on things...

  • @danieljaeger2982 2 years ago

    what makes me happy is i've already been doing everything he mentioned for a few years now

  • @armincal9834 3 years ago +3

    Basically become a web app developer (no need to be as good as a pro dev. Just know OOP and basics of software design) to become a web app hacker. You never know what mistakes devs can make unless you think like one.
    Learn system languages and programming plus some assembly and hardware if you want to write your own malware or crack/reverse engineer software
    Learn networking as much as at least CCNA/network+ but the more you know the better since most security breaches are exploited remotely thus networking knowledge is key. If you had to choose one field to master I guess better choose this one.
    Learn how CCTV cameras work to come up with a way to hack them.
    All the available exploits and hackme tricks are public knowledge and patched already, companies need people who can come up with their own exploits so following online tuts gives you the basics but that's it.
    You can't possibly live long enough to master all those topics so pick 1 or two to master and learn the basics of the rest.
    Do you guys agree?

    • @CristiVladZ
      @CristiVladZ 3 years ago

      thanks for the insightful comment! :)

    • @xbrook5490
      @xbrook5490 2 years ago

      the best comment!

  • @EAOn-yo9mq
    @EAOn-yo9mq 3 years ago

    You are a godsend! Really needed that....

  • @tech_N2999
    @tech_N2999 3 years ago +1

    It's not as hard as it appears but I see a few points, but with a little picture here not a whole lotta people work with the security aspect or even know what open source software is

  • @anithadeverashetty6399
    @anithadeverashetty6399 3 years ago +1

    Really great video....

  • @luffyfat2
    @luffyfat2 3 years ago +1

    I was almost giving up on that. So something made me watch one last video from an unsubscribed channel and here I am... fully charged with dopamine again, but genuine dopamine this time, like the one that made Gohan become Super Saiyan 2. Thank you bro!

  • @telnobynoyator_6183
    @telnobynoyator_6183 3 years ago +2

    What a lot of people don't understand, is that you need to start by knowing programming in various languages AND be able to make any kind of program you want, to THEN try to use that knowledge to find vulnerabilities. If you don't know how to program and what are the best practices of programming / most common design patterns, you'll never be able to do anything.

  • @user-md8bv3qs4y
    @user-md8bv3qs4y 2 years ago +1

    Hello sir. Which is the best laptop for bug bounty, with processor and RAM? Please suggest one to me, sir.

    • @jynx3383
      @jynx3383 2 years ago

      Computer does not matter.

  • @tamimhasan2142
    @tamimhasan2142 3 years ago +1

    Just love it man

  • @jabcoanthoco4056
    @jabcoanthoco4056 3 years ago +3

    I thought this was going to be about finding rare insects

  • @luqmanhamdan9285
    @luqmanhamdan9285 3 years ago +21

    TBH, I started getting serious about information security about a year ago, as a university student. I've found my interest in penetration testing and have basic skills to jump into these things. But every time I learn something new, there is more I don't know about it. Deep down, I still feel like a noob in terms of knowledge and skill even though I have learned many things over the past 7 years, little by little. I'm glad you made this video and spoke about the ugly truth in cybersecurity.

    • @CristiVladZ
      @CristiVladZ 3 years ago +1

      thanks for sharing your thoughts :)

    • @chintangajera1537
      @chintangajera1537 3 years ago +2

      This is what makes this field more interesting. Not a pro though, but I have been exploring for more than 2 years as of now and felt the same half a year back. Keep crawling, and a suggestion if you don't mind: just take big plain sheets and draw concepts like DDoS or the OSI model and many definitions like threat, risk, CIA triad on them, stick them up in your room and just look at them once a week. And you can also compare the old architecture with newly released ones, which will help you a lot in understanding new technology with ease. This is what I did and it worked for me.
      Good luck :)

  • @LesserpandaDE
    @LesserpandaDE 3 years ago

    I think reading about vulnerabilities helps. It gives you an insight into what's possible and how it was achieved.
    And it keeps you up to date on the latest vulns.
    But tbh I'm more of a security awareness / SysAdmin person, maybe that's why I see it that way.

    • @CristiVladZ
      @CristiVladZ 3 years ago

      If you're talking about vulnerability reports, it's very hard to find legit ones. Most are highly redacted...

  • @dhirajx
    @dhirajx 3 years ago +3

    This is all I wanted to hear. After months of failed attempts to learn bug bounty hunting, I know where to focus. Those people who say coding isn't important to start, that's a hoax. Those people themselves are good coders.

    • @CristiVladZ
      @CristiVladZ 3 years ago +2

      you're on a good path!

  • @mihaidinu6637
    @mihaidinu6637 3 years ago +1

    Very good argument, Cristi! Perhaps the coolest aspect of this video is that it applies to many fields, not only cybersecurity! Like & Subscribe from me! You're great, keep going!

    • @CristiVladZ
      @CristiVladZ 3 years ago

      Thanks a lot, Mihai!

    • @CristiVladZ
      @CristiVladZ 3 years ago

      By the way, how did you come across this video?

    • @mihaidinu6637
      @mihaidinu6637 3 years ago +1

      @CristiVladZ YouTube recommendations. I'm interested in the subject, although I focus more on AI. I'm a 12th-grade student and your video motivated me even more to apply to the automatic control faculty, because there is very strong competition in the field, even in this niche of cybersecurity.

    • @CristiVladZ
      @CristiVladZ 3 years ago

      @mihaidinu6637 Very cool. Best of luck!

    • @mihaidinu6637
      @mihaidinu6637 3 years ago +1

      @CristiVladZ Thank you! All the best!

  • @dezneye
    @dezneye 3 years ago +2

    A lot of people are driven into bug bounty feeling like it's some sort of free dollar coupons

  • @sachinpadwalkar8446
    @sachinpadwalkar8446 3 years ago +1

    Thanks for showing me the way🙏

  • @allTimeFavorite
    @allTimeFavorite 2 years ago

    Great video!!!!

  • @muhammadAli-zv6rx
    @muhammadAli-zv6rx 3 years ago

    How to do it? I'm really stuck right now. I mastered Metasploit, Kali Linux, nmap, almost half of the tools in the industry, it took me 4 hrs every day for a year, I'm afraid I'll fail, waste time, how to really start?!!

  • @navjotaadgenix431
    @navjotaadgenix431 2 years ago

    I didn't understand some lines because my English is weak, but you're awesome, you opened my mind. Thank you, big bro.

  • @philipm1896
    @philipm1896 3 years ago +1

    Well said and true.
    The best write their own hacks.

  • @alissonpelcer4317
    @alissonpelcer4317 3 years ago

    Yes it is this vision that a master must have, always looking at all and new elements. The $ bug is much more than just using scripts passively and waiting for some result, or paths already taken by other secs. Ever ever is work hard!

  • @ekko-h7n
    @ekko-h7n 12 days ago +1

    Thx, you opened my mind about the idea to master JS!!!!

  • @DeathWhisper103
    @DeathWhisper103 10 months ago

    Hi, I love cyber security stuff and something like this and I wanted to learn, but I don't know how much I can make from it. I don't know what I have to do and I have to make a decision. My friends are telling me to learn AI and start to learn AI, and I don't know what to do: heart says learn cyber security but brain says learn AI.

  • @FreakinKatGaming
    @FreakinKatGaming 3 years ago

    My favorite is when a vetted black hat puts a 0day up for sale on a forum somewhere on the net, then before being archived all traces are deleted, then HackerOne has some "Magical out of nowhere person who gets a nice payout for a bounty that was never even posted to begin with but it's the same 0day you randomly ran into on that random forum". Priceless. Brings a tear to my eye. They grow up so fast. So proud.

    • @windwest720
      @windwest720 a year ago

      Best answer I've ever seen.

  • @iiVitality
    @iiVitality 3 years ago +4

    3:36
    Ah yes, I see you using hacker typer like an intellectual on the right screen

  • @kenshin_cy3719
    @kenshin_cy3719 3 years ago +1

    great vid sir >>>

  • @slayerssquad6744
    @slayerssquad6744 3 years ago +1

    ONE THING TO UNDERSTAND: the reason why many people don't do that is because of errors, not hard working

  • @abdilahrf
    @abdilahrf 2 years ago +2

    A lot of fake bug bounty tips on Twitter keep the beginners busy with their one-liner thing while the elite are doing the real thing on a bug bounty target and harvesting bounties 😂.
    I love this video

  • @jw1ck
    @jw1ck 2 years ago

    Hey Cristi. I’ve been watching this video religiously for a week to motivate me in my studying of webapp hacking. This video made me feel sane after seeing friends make an extra $10k a month in bug bounties seemingly with low effort. I was wondering if you wouldn’t mind elaborating on developing a skillset. You gave 3 good examples in your video but I was wondering if you could provide some more? What kinds of skills does someone try to improve unlike everyone? For example, in getting great at SQLi? Does it really help to create your own database and use it like you were a developer, so you can then understand how to break it? Or is your time better spent elsewhere? Sorry it’s a long question. Thanks brotha.

    • @CristiVladZ
      @CristiVladZ 2 years ago +1

      I think one of the greatest skills one can develop is going deep

    • @jw1ck
      @jw1ck 2 years ago

      @CristiVladZ Knowing so much that the likelihood of you succeeding is greater than the likelihood of you failing. Thank you dude. I really appreciate the reply.

  • @djleeboinpt
    @djleeboinpt 3 years ago +3

    ‘Be uncommon in a group of uncommon people...’
    -David Goggins.

  • @RN-kl4kp
    @RN-kl4kp 3 years ago +1

    Fear of missing out is real...