How to earn over $15,000 on bug bounty in 8 months

26.03.2025 11 minutes Author: Lady Liberty

Learn how Shreyas Chavhan earned over $15,000 in his first 8 months of participating in bug bounty programs, starting from scratch. A detailed roadmap and tips for aspiring security researchers.

Why am I writing this?

I’ll try to be as direct as possible. It’s been almost 8 months since I started and I have already surpassed the 15,000$ in bounties mark with no prior experience in bug bounties*. A lot of you kind people were reaching out to me on various different platforms to congratulate me (I’m very grateful for that!) and with that I have also been receiving a variation of this question a lot from you people:

and 100+ more similar DMs, and since it’s impossible to answer each one of you with the same question – I decided to answer it publicly.

Umm, I also wanted to say that I really appreciate all of your DMs and I’ll always be happy to help. I’m gonna answer all of your FAQs one by one publicly as soon as I can. Also, please don’t DM me with “Hi”, “Hello”, “Hey”, “How are you?” – be direct, ask what you want to ask. If you reach out to me with “Hi”, “hello”, “hey” – you probably ain’t gonna receive a response.

So, let me answer everything roadmap-related step by step:

Do I have prior experience in bug bounties?

That’s a bit of a difficult question to answer, to be very honest. I would say that I had almost 0 experience when I got started in August 2023 (oops! everyone has 0 experience when they get started 🤦🏻 – what am I saying) but I would say that I had a pretty solid technical background. Not an expert level – just enough to understand the basics. I was reporting very basic bugs like hyperlink injection in email, no rate limit, session not expiring, etc. when I first started.

I passed out of college in May/June 2023 and I have a CS Degree, if that helps.

Short Timeline about my background

2019-2022: Explored a lot of different technical fields/skills such as front-end development, UI/UX development, freelancing, competitive programming, 100 days of code, etc. Could code a little bit in C++, Python, etc. – just basic stuff.

You can check my GitHub profile to get an idea coz I used to document everything on GitHub.

2022-2023: Decided that I’ll choose cybersecurity as my career.

March:

Decided that I’ll go for OSCP and collected all the resources. Made a plan for the preparation but gave up immediately after practicing Linux basics coz I thought I wanted to master web and I realized OSCP was more general. You can find my plan here (note: I didn’t follow my own plan):

https://github.com/shreyaschavhan/oscp-pre-preparation-plan-and-notes

March – September:

Wasted a lot of time in college doing nothing significant.

September:

Decided that I’ll now prepare for OSWE coz I wanna master web applications. I prepared a plan to learn the pre-requisites in short but gave up very soon coz of college and stuff.

https://github.com/shreyaschavhan/oswe-awae-pre-preperation-plan-and-notes

The things I learned before giving up on that:

2023-2024: College life, final year project, fun

Most of my final year in college was spent watching movies, reading productivity books, preparing for exams, writing assignments, the final year project, college events and all, so I didn’t get any time to focus on one thing.

Our final year project was based on blockchain security, and I also landed a job offer in Web3 security because of it, but I somehow had to decline the offer.

May 2023: College ended

June 2023: Took rest

July 2023: Started preparing myself to get started doing bug bounties.

Aug 2023: Actually started hunting and prioritizing bug bounties.

and the rest you probably know.

My Progression/Stats So Far (Since July 2023)

Days worked:

Total Time Worked:

Bounty Progression Graph:

Time Spent Studying

Note: I’m mostly not counting July coz I spent most of my time in July 2023 learning but counted it as bug bounties, and hence the data is kind of skewed in July.

The Road Map

So, finally on to the section answering the main question you wanted answered, pheww:

What roadmap did you follow to progress faster and what would you suggest to other beginners?

Listen people, as much as I know – most of you already know what to do but you choose not to do it coz you are wasting your time looking for the most efficient way, or you are learning more stuff than you require without executing it. It was true for me and it’s probably gonna be true for you guys too.

Now, what exact steps did I take, and what would I suggest to you guys?

Step 1: (Optional)

Master Linux basic commands (create, delete, update, read files and directories) & basic bash scripting. Why? Coz even though it’s not required, it’ll act as a base for how efficiently you handle your OS as well as the tools you’ll use.

Resources: You can use my notes to study directly from: https://github.com/shreyaschavhan/linux-commands-cheatsheet

Or else I’ll highly recommend these books:

  1. The Linux Command Line: A Complete Introduction

  2. Shell Scripting: How to Automate Command Line Tasks Using Bash Scripting

Step 2: Practice:

Note: You don’t have to solve everything, just practice until you’re confident you can handle the basics correctly.

Step 3:

Start Reading “Web Application Hackers Handbook”

  • Once done with everything above, start reading “Web Application Hackers Handbook”

  • Assuming we are complete beginners, focus more on the chapter on “Web Application Technologies”. A few of the topics are outdated but everything else is mostly relevant. If you feel you ain’t good at reading stuff – search each topic mentioned in the book on YouTube and watch/read as much content on the internet as possible until you understand the basics.

  • Also, you don’t need to know everything in depth; you just need to understand that these concepts exist.

  • The above chapter will create a base for your understanding of web services, web architecture, etc.

Step 4:

Finishing “Web Application Hackers Handbook”

  • Once done with your web tech basics, focus on finishing the entire book from start to finish even if you don’t understand everything. Just force through it.

  • The major aim of this step is to familiarize ourselves with the concepts that exist, even if you won’t be able to recall much in the end. It’ll help us with – “Ohh, yeah, I think I have read it somewhere. Let me check that again.” when you hunt on real targets.

  • Also, while you are reading – write down the name of each bug you come across (a few of them are deprecated & old but it’s okay). By the end of the book you’ll feel confident about your web security basics. It’ll also create a base for your hacker mindset & you won’t find most of the things on the internet extremely complicated or new when you are reading stuff online. You also won’t struggle as much learning new topics.

Note: It took me 7 full days to finish Steps 3 & 4. Your mileage may vary but don’t let it take more than that or else you’ll get bored and might give up. Also, if you feel like giving up while you are reading – you can do Steps 3 & 4 simultaneously while you are doing Step 5.

Step 5:

One bug (skill) at a time

  • I assume you have noted down bugs and bug types in Step 4; you can also collect a list of bugs from the internet.

  • Now, since we are beginners, we need to choose one easy bug that’s very common and that we are capable of finding, for example IDOR – it is everywhere and is easy to find (choose your own, but if you’d ask me I’d say start with IDOR). Collect every single blog, every single H1 report and every single YouTube video you can find on IDORs and start reading/watching them one by one until you feel familiar with the concepts enough to start looking for them in real-world targets.

  • 100% of your time should go into learning IDOR until you are familiar with the concepts.
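To make the bug class the author recommends starting with concrete, here is an added example (not code from the original post): a minimal invoice lookup with the IDOR beside its hardened form, plus a regression check of the kind a program’s own QA can run. The users, invoices and handler names are constructed for illustration.

```python
# Added example, not from the original post: the IDOR bug class next to
# its fix. All data and names below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, "alice", "$120.00"),
    1002: Invoice(1002, "bob", "$4,500.00"),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """IDOR: the id comes straight from the request and nothing ties it to
    the logged-in user, so any authenticated user can read any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, "owner": inv.owner, "total": inv.total}


def get_invoice_fixed(session_user: str, invoice_id: int) -> dict:
    """Hardened: authorize the object against the session, not the id.
    A missing and a foreign invoice both return 404 so the response does
    not confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        return {"status": 404}
    return {"status": 200, "owner": inv.owner, "total": inv.total}


def idor_check(handler, victim_user: str, other_user: str) -> bool:
    """Regression check for a program's own test suite: can other_user
    read any invoice owned by victim_user? True means an IDOR is present."""
    leaked = [
        i for i, inv in INVOICES.items()
        if inv.owner == victim_user and handler(other_user, i)["status"] == 200
    ]
    return bool(leaked)
```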

Step 6:

Divide your time into 60% hunting and 40% learning (more execution, less theory) and keep adding bugs to your skillset

  • We still ain’t done with our theory but we need to start hunting to familiarize ourselves with real-world requests passing through our proxy history.
  • Divide your time into 60% hunting and 40% learning. You don’t need to know any bugs, just learn to read proxy requests and familiarize yourself with them. Also, start executing whatever you learned about your first bug, i.e. IDOR or XSS – whatever you chose.
  • During the 60%:
    • Spend time finding the one bug you chose first.
  • During the 40%:
    • Choose the next bug you think you should learn and repeat Step 5, while still hunting 60% of the time.

Step 7:

Keep adding bugs to your skillset during your 40% learning time and execute them during your 60% hunting time.

  • Keep adding bugs to your skillset until you know that you understand enough bugs, or once you have learned about all the bugs you wanna learn about.

  • You’ll also start getting valid bugs at this step coz you are already executing 60% of your time.

  • A few things to note:

    • Don’t feel bad when you get duplicates or informatives. Our aim is to gain experience, and duplicates are valid bugs. Informatives will teach you to focus on impact. Don’t report any bug that you think will get you an NA (Not Applicable).

    • Choose a good program with a good security team. This field will cause a lot of burnout and demotivation – a bad program contributes most to it.

    • I have written a tweet about what mistakes I made and what corrections I made; you should read that:

https://x.com/shreyas_chavhan/status/1753668854989951209

Step 8:

Focus on mastering these few bugs until you achieve your first financial goal

  • Now that you have added most of the bugs you wanted to learn to your skillset, focus 100% of your time on mastering them and practicing them on real-world targets until you achieve your first financial goal.
  • Everyone should have their first financial goal (don’t give it a time limit, or else it’ll demotivate you instead of motivating you when you ain’t getting any bounties). Mine was 15,000$ in bug bounties and I have achieved it.

Step 9 (Optional):

Spend time reading a minimum of 1000 H1 reports

  • I read 5000 and I would suggest reading at least 1000 so that you understand what kind of impact programs are expecting and what they are not.

Step 10:

Divide your time into 80% hunting and 20% learning indefinitely.

  • Now that you have achieved your financial goal and have also practiced finding most of the bugs on real-world bug bounty targets, you should divide your time into 80% hunting and 20% learning so that you keep getting better and better indefinitely. Learn new stuff, practice it. Add complex skills to your skillset.

  • I’m at this step now.

Note: I didn’t mention any labs, CTFs, HackTheBox or TryHackMe coz I honestly didn’t do any of them except a few labs on PortSwigger. They might be helpful, but I just didn’t want to spend my time on stuff that won’t lead to a bounty. If I’m spending so much time learning and executing, it had better be on a real target that pays. I only referred to labs on a few topics that I felt are hard to recognize in the real world – and for that I would suggest PortSwigger labs.**

Apart from that, I also consider these 2 things as the ultimate truths and ultimate differentiators for how fast you’ll progress:

  • It’s not how much you know, it’s how much you implement that counts.

  • Measurement drives the execution process. If you ain’t measuring & analyzing where you are putting in your effort, you won’t progress as fast as you should, coz you won’t understand which actions are providing you with results and which actions you need to stop taking. What feeling causes you to procrastinate and what feeling causes execution, etc.

I think that’s all about it.
