Animesh Acharya
Animesh is a Security Consultant working at Tanto Security. He is interested in web security research and occasionally does Bug Bounties. You can get in touch with him on LinkedIn at https://www.linkedin.com/in/an1msh/
Session
I started my career as a penetration tester a few years ago and fell hard for web application hacking. It was all I wanted to do. I started seeing all of these tweets - “Yay, I was awarded a $X,XXX bounty on @Hacker0x01!” It almost felt predestined, like a sign I couldn't ignore, and so I dived head-first into bug bounty hunting.
The start was not great. Of my first 30 submissions, 28 were dismissed as Duplicate or Not Applicable, and I chose to engage in emotionally draining debates with triage staff and program owners. When that didn't get me anywhere, I evolved my approach. Across my next 50+ submissions, fewer than five were closed as Duplicate or Not Applicable.
My breakthrough came from the quiet lessons that never make it into blogs or conference talks - the insights found in the space between failure and headline wins. I aim to shine a light on that middle ground, walking through my accepted and rejected submissions so you can see the road I took around the wall of disappointing outcomes.
This talk is for anyone who feels stuck in their bug bounty journey, or wants a clear view of what breaking into bug bounty hunting really looks like. You’ll learn how dodging early missteps can avoid grief and frustration for you, the platform, and the organisations you report bugs to. You’ll walk away with a head start, and techniques you can put to work on your very next target.