Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Can't find Criticals? The problem is either your strategy, your execution, or both. - 1865

infosec_us_team, Posted 2 Months Ago
  • The author of this post had a DM conversation with a security researcher who has proven results on multiple platforms but has been doubting their skills because of a lack of recent bounties. They adapted the DMs for a wider audience and posted it for others to read. They claim the issue is one of three things: unreasonable goals, strategy in bug hunting or the execution.
  • If you have a goal of finding a critical in Aave (a million dollar program) with only a 10 day window then you're likely to find nothing. Another bad example is people having a goal of 6 figures per year but then joining 2 month long contests with small rewards. Your goals need to line up with your choices.
  • The rest of the article consists of posts that each have a revenue goal, strategy and execution plan in place. The first one is a goal of $100K per year. To do this, participate only in large contests and hunt on programs that offer $20K-$50K for criticals. On the execution, 1) read all previous findings to see if there's a way to bypass fixes, 2) look for low-hanging fruit and 3) only look at a codebase for 10 days. For this case, they say to only hunt on programs that push code updates more often than they get reviews.
  • The second example is a goal of $200K per year. First, do contests that are over $300K in prize pools. Next, hunt on bug bounty programs that offer $50K-$200K per critical with mostly DLT-blockchain protocols that haven't had much public on the auditing front. On the execution, dive into the nitty-gritty details of the codebase looking for low-hanging fruit and then obscure edge cases; only stay on a project for 2 months. From there, move on to another codebase, but capitalize on the knowledge from this project by doing the contests they run and setting up code update monitoring.
  • Having a solid plan and reasonable goals is just as important as finding the bug itself. They gave real examples of strategies in this post, which I appreciated. If your plan isn't working then come up with a new plan and try again.