Stuck in the loop of trying to land my first bounty
I’m currently struggling to build a solid methodology and workflow to earn my first bounty. I’ve been in the field for about 3 months now and have tested numerous programs. I rely on AI to analyze applications, HTTP requests, and JS files, but I haven't been able to find a clear vulnerability with a high enough impact to meet the requirements of most bug bounty programs. I did submit one report, but it was closed as a "Duplicate."
My current methodology starts with reconnaissance, but some scopes provide such a massive amount of data that it leads to "rabbit holes" and distraction; I honestly lose track of exactly what I should be focusing on. I usually end up just running Burp Suite and analyzing history logs to find Business Logic flaws or IDORs. However, I’m not finding anything in modern programs. The vulnerabilities I see in YouTube walkthroughs seem so much easier to spot than what I encounter on real-world targets.
Is the issue in my approach? Or is it about the professional skill of picking the right program that is worth the time and effort invested?
I spend 10 hours a day on this, yet I feel like I'm doing something wrong. If there are any tips from fellow researchers, I would deeply appreciate it—I’m open to any advice, no matter how small. I avoid submitting low-quality or "Informational" reports, which is why I spend so much time searching for valid, impactful vulnerabilities.