Bug Bounty 101 — First Report, First Reward
How a "small" finding earned my first bounty
For months, I devoured epic bug bounty writeups on Medium — tales of RCEs, four-digit rewards, and elite operators. Inspiring? Yes. Intimidating? Absolutely. This is the story of how I earned my first bounty anyway.
The start
As a beginner, I spent hours scanning targets, understanding stack footprints, and figuring out what platforms really wanted. On one program, I spotted an outdated WordPress plugin and reported it. Days later, I received the dreaded response: “WordPress vulnerabilities fall under Things We Are Not Looking For.” Not exactly the dream reply.
The unexpected twist
Even though the plugin version wasn’t vulnerable, my report highlighted a blind spot in their internal tracking system. The security team thanked me — and rewarded me with their LOW-tier bounty. Not huge, but priceless for momentum.
What I learned
- Small matters: You don’t need a zero-day; any security-improving insight has value.
- Accuracy + honesty: My initial assumption was off, but transparent reporting still earned trust.
- Document everything: Versions, screenshots, reproduction steps — detail wins.
Final thoughts
If you’re at the starting line, wondering if your skills are “enough,” this story is for you. Start small. Be curious. Report responsibly. You never know which “small issue” might earn your first bounty — or change how a company secures its users. This is just the start of my journey.