From Confusion to First Bountyđ¸
đ A Big Shoutout to the Mentors and Fellow Raiders
Before I dive into the story, I want to take a moment to acknowledge the amazing people who helped shape my journey :
Mentors : Shreyansh , XXSRAT , Kandarp , Tehan , Hemantsolo â Always ready to guide, explain and even jump on a call when I was stuck.
Fellow Raiders : b3ludan , Soura â from late-night hunts to sharing logic and payloads, hunting with them became a routine full of learning.
Where It All Began
It started with a spark â a vague curiosity about hacking and bug bounty programs. I didnât have any knowledge, no roadmap ⌠just the Internet and an itch to learn.
Self-Learning and Chaos
The early days were a mess. Every new term felt like a puzzle : XSS? SSRF? What even is HTTP parameter pollution?
Doubts? Hundreds. But I didnât stop there â I let my doubts fuel deep dives into âWhy does this happen?â and âHow does this even work?â
âYou donât really learn to swim until youâre in the deep end.â
I was learning slowly and figuring things out on my own⌠until I came across a tweet by Het Mehta about bug bounty training. That tweet connected me with Shreyansh â someone who became more than just a guide. A GURU, he patiently broke down not just âwhatâ but the âhowâ and âwhyâ behind every vulnerability. His guidance helped transform my scattered curiosity into structured learning.
Hemantsoloâs guidance gave me deep insight into core web vulnerabilities like Broken Authentication, Injection Methodologies and CSRF. Heâs someone who truly stands out for his practical teaching style â breaking down complex concepts into real-world scenarios. His ability to teach through real application logic and not just theory played a huge role in how I approach bugs today.
Community Is Everything
I started actively hunting and engaging in XXSRATâs Discord server (https://discord.gg/n3jyM99W) â a space buzzing with real hunters who were consistently reporting bugs, sharing insights, and discussing live targets. I had live hunting sessions with XXSRAT where I got to observe and learn practical exploitation techniques, especially around IDOR and BAC workflows and even reported bugs with him and b3ludan. Thatâs where the thrill began!
To top it off, Cyber Crusade sessions on BAC and IDOR really helped solidify those concepts â and they paid off in the field.
XXSRAT is a phenomenal mentor â always ready to share, explain, and lead by example. Our long hunting sessions and late-night hangouts werenât just educational â they were pure adrenaline. Watching him break things down in real-time, testing edge cases and thinking creatively gave me a whole new perspective on bug hunting.
During one such session with b3ludan, we were testing a common program and stumbled upon a classic IDOR and BAC issue. We cross-checked IDs, tested different access levels â and boom! I finally understood IDOR and BAC at a core level.
The coordination with b3ludan kept growing â we started hunting regularly together, discussing logic, learning from each other, bouncing ideas, testing, verifying.
Along with b3ludan & Soura, we submitted several bugs. Things started feeling easier⌠until triage hit us hard đ .
During one of our most intense streaks â a so-called âraidâ 10 hours a day for 13 straight days â we submitted 13 reports in a single run.
The outcome?
đ˘ 6 Accepted
đĄ 2 Duplicates
đ´ 4 Rejected
đľ 1 Informative Bounties We Earned in Raid : $6k++ in 2 weeks
Lessons? Countless. Not every report was a win, but each one deepened our understanding, sharpened our instincts, and made us better hunters.
The Push for Validation
Two of our reports got marked N/A (Not Applicable).
We didnât accept it.
With solid proof, deeper explanations, and additional PoCs, we argued our case professionally. And guess what?
Both bugs were updated to HIGH severity â and received
first bounty : 2x$300
One of our most satisfying wins came just a few days ago.
A report we submitted was initially marked as âOut of Scope.â Instead of letting it go, referred the triage team to their own documentation, highlighting the exact section that validated our finding.
The triagers reconsidered â and the report was accepted with a $472 bounty.
That day, we didnât just win a bounty, We learned the real game :
âFinding bugs is half the battle. Proving their impact is the real test.â
Tips from the Battlefield
- Donât give up when reports are marked N/A. Learn to communicate impact.
- Always keep a clear PoC.
- Be polite but persistent with triagers.
- Have deep knowledge of your finding. Itâll help in defending it confidently.
Be confident, but reasonable. Know your exploit well, explain it clearly, and be prepared to prove the impact.
Donât Just Read â DO It!
Every time I had doubts, I forced myself to practically explore that exact bug or vulnerability â again and again â until it made sense. Thatâs when I noticed real improvement.
More doubts? More practice. More confusion? More testing. More clarity.
The more you hunt, the more those concepts sink in. You donât just memorize â you understand.
Things didnât truly click until I actually started applying them.
- Read about XSS? Try it on a lab.
- Saw a video on IDOR? Go hunt for it on a real program.
- Confused about SSRF? Build a local vulnerable lab or test it live (ethically).
One of the biggest level-ups in my learning came when I started building my own stuff â even if it was super basic.
To understand how APIs work, I created a simple API lab https://tarkash.surapura.in â nothing fancy, just endpoints, token generation and protected routes and that changed everything.
I finally began to see the flow :
- How tokens (JWTs or random) are generated post-login and validated on each request.
- What happens when you send an
Authorization: Bearer <token>â how the server checks and grants access. - Common dev mistakes: missing auth checks, expired tokens still working, leaking tokens in logs, and broken role validations.
If you want to go deep, donât just test â build, break and understand.
https://github.com/ikajakam/learn-api-testing
đ Hacking Tips + IRL Support
Always have someone in your circle whoâs willing to listen, guide, or jump on a quick call. For me, that has always been Shreyansh â a to-go support system for all my doubts, logic checks, and motivational push.
From âBro, is this a bug?â to âBro, this got accepted!â â he was just a call away.
A Big Kudos to b3ludan & Soura
A massive shoutout to b3ludan and Soura for their continuous dedication, sleepless nights and lethal hunting skills.
From deep logic analysis to testing edge cases at odd hours â theyâve been absolute beasts on the field. Hunting alongside them wasnât just productive â it was next-level fun and full of adrenaline.