'Hacker Wife' Mariah Gardner on Bug Bounty Mentality and Relationships (Ep. 87):
- Understand the core concepts behind bugs: Pay close attention to presentations (Show and Tells at LHEs) or potentially public writeups. Learn about different types of vulnerabilities (IDOR, XSS, password resets, content injection, memory leaks) and understand the core concepts behind them, even simple ones that didn't require complex tools. Focus on how the bug worked (like the timestamp IDOR or the password reset email change).
- Dry spells are common: Understand that there will be periods where you find nothing, followed by bursts of success ("three days not finding any bugs... then around day four, he finds like seven"). Persistence through the dry spells is key.
- Be adaptable with time: Learn to manage hacking time and relationship time. Both are important; do not compromise one for the other.
- Understand diverse bug types: Exposure to different presentations shows the variety of bugs that exist and how different hackers find them.
- Significant emotional ups and downs are common and should be considered normal.
- When feeling down, analyze efforts - not output: When feeling down, honestly assess your actual effort and circumstances ("Are you actually working 40 hours a week?"). Don't re-evaluate your fundamental decision based on temporary "garbage facts" or periods of lower output caused by external factors (vacation, family needs, etc.). Check your metrics honestly.
- Do not tie self-worth to bug bounty income or success.
- Bug bounty is not sustainable if it's purely a grind. Find ways to stay motivated and enjoy the process. The "goal system" tying success to tiered rewards (experiences, items, investments, charitable giving) is one way to gamify and incentivize progress positively.
- Convert uncertain large income into long-term financial security: Use income spikes to reward yourself (and others) through a planned system. Also, convert large spikes into long-term financial security (savings, investments like real estate) rather than just enabling lifestyle creep.
- If you feel like quitting, ask yourself: "Am I even putting in full effort?"
@0xacb talks about getting RCE on Shopify and Valve, CTF, reverse engineering and bug bounties:
- Playing CTF competitions significantly benefits bug bounty hunting: Capture the Flag (CTF) competitions are a crucial tool for learning hacking techniques and developing a hacker's mindset. CTFs provide practical experience in identifying and exploiting vulnerabilities, foster persistence and problem-solving, and teach you to learn new skills on your own. That foundation carries over directly into bug bounty hunting.
- 💡 Collaboration is a powerful multiplier: Sharing knowledge, tools, processes, and especially ideas with other hackers with different skillsets offers multiple perspectives and increases the chances of finding and exploiting vulnerabilities successfully. Don't be afraid to reach out and work with others.
- Prove them wrong: Attempt to bypass filters or limitations rather than accepting them at face value.
- See difficult and “locked down” targets like Shopify as opportunities to step up your game and learn new things.
- Weird stuff & unintended states: Instead of following rigid checklists, focus on exploring how applications respond to "weird stuff" and try to push them into "unintended states".
- Ask the fundamental questions about how features “actually” work behind the scenes.