Bug bounty: the unglamorous reality nobody puts in the thumbnail

Duplicates, scope hell, and the brutal economics of crowdsourced security. What bug bounty actually looks like before the payout screenshots.

The genre is built on payout screenshots. Five figures, a celebratory tweet, "how I made $20k in a weekend." What you don't see is the 200 hours across the previous three months that returned a stack of duplicates and informatives. The screenshots are real. They're also survivorship bias with a dollar sign on it.

Bug bounty works. It's a legitimate path into appsec and a real income for some people. But the version sold on YouTube is the highlight reel of a brutally efficient market, and walking in expecting the highlight reel is how most people quit in month two.

Duplicate hell is the default, not the exception

Here's the thing the beginner content underplays: you are competing against a global field of full-time hunters with automation that never sleeps. The moment a popular program expands scope or a new asset appears, it gets swept within hours. The low-hanging fruit (the reflected XSS, the obvious IDOR, the exposed .git directory) is gone before you've finished reading the policy.

So you submit your first real finding, you're proud of it, and it comes back "duplicate." Then again. Then a third time. This isn't bad luck and it isn't the triagers being unfair. It's the structural reality of hunting the same well-lit targets as ten thousand other people. The market for obvious bugs on famous programs is efficient, which is just economics-speak for "you're too late."

The people making money have usually solved this in one of two ways. They go deep on a single complex target until they understand it better than the casual hunters do, finding bugs that require actually understanding the application's logic. Or they go where the crowd isn't: newer programs, less glamorous assets, the stuff that doesn't get a thousand eyes the day it launches. Both are slower and less fun than the videos suggest, which is exactly why they still pay.

Reading scope is a skill, and it's the boring one

Half the failed reports I've seen die on scope. Someone finds a genuine bug on a subdomain that's explicitly out of scope, or on a third-party service the program doesn't own, or it's a known-and-accepted risk listed in the policy they didn't read. The bug is real. It pays nothing, because it's not in bounds.

Read the policy like a contract, because it is one. What's in scope, what's explicitly excluded, what severity ratings they use, what they consider out of bounds entirely (often: anything DoS, anything involving social engineering, anything that touches a real user's data). The hunters who get paid treat the scope document as the most important page on the program, not the thing they skim to get to the targets.

And test like someone is watching, because they are. Automated scanning against a target that prohibits it gets you banned. Pulling more user data than you need to prove the bug turns a clean report into a privacy incident. "I demonstrated impact" is not a defense if the way you demonstrated it violated the rules of engagement. The fastest way to torch a reputation on a platform is to be the person who can't stay in bounds.

The economics are harsher than the screenshots

Run the numbers honestly. Total your hours over a few months, total your payouts, divide. For most people starting out the hourly rate is grim, often below what the same hours would earn doing literally anything else in tech. The distribution is brutally top-heavy: a small number of elite hunters take a huge share of the total bounty pool, and the long tail earns occasional small payouts between long dry spells.

That doesn't make it pointless. The skills are real and they transfer directly to a salaried appsec job that pays steadily and doesn't depend on winning a race against automation. A solid bug bounty profile is a genuine portfolio. Just be honest with yourself about which game you're playing. If you need rent money, a job is the answer and bounty is the side project. If you're building skills and can absorb the variance, hunt, but track your real hourly rate and don't let the payout screenshots set your expectations.

The hunters worth learning from are usually upfront about all of this. They show the duplicates, they talk about the dry months, they explain why a finding got downgraded. That honesty is the signal. Anyone whose content is wall-to-wall five-figure payouts is selling the lottery, not teaching the work.
