Key pieces of advice, insights, and takeaways:
- Bug bounty hunting, especially full-time, can look easy based on reports, but it is a challenging life.
- Preparing to quit a traditional job involved being risk-averse and saving up significant money to ensure enough "runway" to live without earning from bug bounty initially (e.g., saving enough for a year in Japan).
- To manage unpredictable income, a strategy is to build up funds in a business account while doing bug bounty part-time, then pay yourself a consistent "salary" from that account. Having several months' worth of expenses saved (e.g., $30,000 for a $5k/month salary) provides stability.
- A challenge of being self-employed is the difficulty in truly resting and setting work boundaries. The feeling of anxiety or needing to work can persist even during downtime.
- Strategies for setting boundaries include physical cues, such as using a sign (like one in Japanese meaning "open for business" or "closed/planned days off") to mentally segregate work time from rest time.
- Finding ways to relax, such as through sports, is important, although highly competitive activities might not provide full mental rest.
- Justin's hacking style prioritizes deeply understanding the application and how users interact with it. The initial phase involves using the application like a regular user, often with hacking tools kept to a minimum, before looking at requests in tools like Burp or Caido. This phase typically lasts less than an hour, depending on the application's size.
- Reading documentation is also a valuable way to understand the application, even during downtime like commuting or waiting at appointments. The goal is to get "intimate with the application".
- During initial assessment, look for specific patterns: IDs in requests for IDORs, data reflected in responses (especially in JavaScript blocks) for XSS, places where URLs are parsed, tokens/signed data, structured language parsing (like XML), and interactions with other services or SDKs.
- Favorite bug types are irregular, complex vulnerabilities (like chaining issues or finding weird endpoints) rather than common types like IDOR or SSRF. PostMessage vulnerabilities are also a recent favorite due to untapped attack surface.
- Useful Burp Suite extensions include Param Miner, Copy as Python Requests, Request Minimizer (to identify which parts of a request are actually necessary), and Autorize (for automated authorization testing).
- JavaScript files are crucial for understanding an application's functionality and finding hidden endpoints. Look for source maps with webpack, identify how requests are initiated (fetch, AJAX), and search for similar code patterns across files.
- Dynamic analysis using browser breakpoints while reviewing JS files is beneficial. Tools like JS Weasel can aid in JS analysis.
- It's important not to give up easily on a target; Justin prefers to keep digging until a bug is found, especially on programs with good bounty tables (mediums > $750, crits > $7,500, ideally > $10k).
- Spending more time on one application tends to result in finding fewer bugs overall, but more critical and higher-impact ones.
- Don't shy away from complex or difficult-to-understand areas of an application, as these are often overlooked by other hackers and pen testers and can contain valuable bugs.
- Program selection factors include live hacking event invites, familiarity with the application, bounty amounts, and response statistics. Private programs are prioritized.
- His expectations for how quickly a program pays out have relaxed; a bounty arriving within a month is now considered acceptable.
- When returning to a program, check release notes for changes. An advanced technique is to automate monitoring of dynamically generated JavaScript files for new endpoints, GraphQL queries, or feature flags by diffing current extracts against older versions.
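As an added illustration of the monitoring technique in the last point (example code written here, not anything from the podcast or its guest), the script below extracts endpoint paths, GraphQL operation names and boolean feature flags from a JavaScript bundle with regular expressions and reports what appeared since the previous snapshot. The bundle contents are constructed samples, and the regexes are assumptions about how such bundles commonly look.

```python
import re

# Constructed samples standing in for two snapshots of the same bundle.
OLD_JS = """
fetch("/api/v1/users/" + id, {method: "GET"});
const Q = gql`query GetUser($id: ID!) { user(id: $id) { name } }`;
window.FLAGS = {newCheckout: false, betaSearch: false};
"""
NEW_JS = """
fetch("/api/v1/users/" + id, {method: "GET"});
fetch("/api/v2/export", {method: "POST", body});
const Q = gql`query GetUser($id: ID!) { user(id: $id) { name } }`;
const M = gql`mutation ResetPassword($email: String!) { resetPassword(email: $email) }`;
window.FLAGS = {newCheckout: true, betaSearch: false, adminImpersonate: false};
"""

# Quoted paths that start with a typical API prefix (assumed convention).
ENDPOINT_RE = re.compile(r"[\"'`](/(?:api|graphql|v\d)[\w./-]*)[\"'`]")
# Named GraphQL operations: "query Foo", "mutation Bar", "subscription Baz".
GRAPHQL_RE = re.compile(r"\b(query|mutation|subscription)\s+([A-Za-z_]\w*)")
# Object keys assigned a boolean literal, the usual shape of a feature flag.
FLAG_RE = re.compile(r"\b([A-Za-z_]\w*)\s*:\s*(true|false)\b")


def extract(js: str) -> dict[str, set[str]]:
    """Pull the surface-relevant identifiers out of one JS snapshot."""
    return {
        "endpoints": set(ENDPOINT_RE.findall(js)),
        "graphql": {f"{kind} {name}" for kind, name in GRAPHQL_RE.findall(js)},
        # Record name=value so a flipped flag shows up as a new entry too.
        "flags": {f"{name}={value}" for name, value in FLAG_RE.findall(js)},
    }


def new_surface(old_js: str, new_js: str) -> dict[str, list[str]]:
    """Return, per category, the items present in new_js but not in old_js."""
    old, new = extract(old_js), extract(new_js)
    return {key: sorted(new[key] - old[key]) for key in new}


if __name__ == "__main__":
    for category, items in new_surface(OLD_JS, NEW_JS).items():
        for item in items:
            print(f"[new {category}] {item}")
```

In practice the old snapshot would be the stored extract from the last visit to the program, and the new one the bundle fetched today.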