My First Bug Bounty: What I Learned and How You Can Start Too

How a Tiny Bug Sparked My Curiosity
It all began when a friend of mine created a portfolio website. There was a small bug — the location shown on the site was incorrect.
Curious, I decided to look into it and fix it. It wasn’t a massive technical breakthrough — but it made me feel something. Later I found another bug, not noticeable, but I got it.
His words were: “I didn’t expect you to solve this one.” And this thing clicked in my mind.
Those words stayed with me.
That moment planted a seed.
Could I really find and fix bugs? Could I do this with real-world applications too?
The Moment I Realized: This Is What I Want To Do
Not long after that, I checked his portfolio — and again, I spotted a bug. I fixed it.
That’s when the thought really hit me:
“If I can find bugs in portfolio sites, why not in actual websites, apps, or APIs?”
I realized that bugs are everywhere — not just in GitHub repos or student projects, but in real companies used by millions of people.
That’s when the spark turned into a flame.
Yes, my friend nudged me to explore bug bounty, but something inside me knew:
This is where I truly belong.
Taking the Leap: My First Bug Bounty Platform
I signed up on YesWeHack, a bug bounty platform that connects ethical hackers with companies looking to fix vulnerabilities.
That’s where my real journey began.
At first, it was confusing — so many companies, so many scopes, so many types of bugs. But I kept going. One recon, one endpoint, one little detail at a time.
I started reading program scopes, testing APIs, scanning subdomains, and watching for weird behavior.
Real Bugs I Found (Without Earning a Bounty)
Let me be honest: I haven’t received any bounties yet. But I did manage to find actual, valid bugs — and I’ve learned more than I ever imagined.
Here are a few types I’ve reported:
API Response Bugs
Some APIs were returning the wrong data or exposing unnecessary details. I spotted misconfigurations and shared proper PoCs.
IDOR (Insecure Direct Object Reference)
I discovered endpoints where changing a user ID in the URL gave me access to other users’ data. That was a real “wow” moment.
Reconnaissance Successes
Just by scanning subdomains, I found sensitive endpoints, staging environments, and some exposed tools that could have been abused.
Fake Credit Card Sites
I even stumbled across sketchy payment gateways that appeared to be phishing pages. I flagged them and submitted full analysis.
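To make the IDOR class concrete from the defender's side, here is an added example (my own illustration, not code from the post or from any program the author tested). It shows a lookup that trusts the object id from the URL beside the same lookup with an ownership check, plus a small detector run over constructed access-log lines that flags a client collecting many refused ids. The order table, user names and log format are all constructed for the example.

```python
"""IDOR illustrated: id-only lookup vs. lookup with an ownership check,
plus a cheap log-based signal for id guessing. All data is constructed."""
import re

# Constructed sample store: two users, each owning one order.
ORDERS = {
    101: {"owner": "alice", "item": "laptop"},
    102: {"owner": "bob", "item": "phone"},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_order_vulnerable(session_user: str, order_id: int) -> dict:
    """Vulnerable form: the caller's identity is never consulted, so any
    authenticated user can read any order just by changing the id."""
    return ORDERS[order_id]


def get_order_fixed(session_user: str, order_id: int) -> dict:
    """Hardened form: the record must exist AND belong to the caller.
    'Missing' and 'not yours' return the same error so the response
    does not reveal which ids are valid."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise Forbidden(f"order {order_id} not available to {session_user}")
    return order


def can_read(session_user: str, order_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup allows the read."""
    try:
        get_order_fixed(session_user, order_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines in a simple "user=<name> GET <path> <status>" form.
SAMPLE_LOG = [
    "user=alice GET /orders/101 200",
    "user=mallory GET /orders/101 403",
    "user=mallory GET /orders/102 403",
    "user=mallory GET /orders/103 403",
    "user=bob GET /orders/102 200",
]
LOG_RE = re.compile(r"user=(\w+) GET /orders/(\d+) (\d{3})")


def flag_enumeration(log_lines, threshold: int = 3):
    """Return users who were refused on at least `threshold` distinct order
    ids. A single 403 is normal; many distinct refused ids from one user is
    the pattern an ownership check produces when ids are being guessed."""
    denied = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that are not order lookups
        user, order_id, status = m.group(1), int(m.group(2)), m.group(3)
        if status == "403":
            denied.setdefault(user, set()).add(order_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, bob reads 101:", get_order_vulnerable("bob", 101))
    print("fixed, bob reads 101:", can_read("bob", 101))
    print("flagged users:", flag_enumeration(SAMPLE_LOG))
```

The fix is the ownership comparison, not hiding the id: unguessable ids only make enumeration slower. Logging the refusals, as the hardened handler would, is what makes the detector useful.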
Private Program Invites: My Small Wins
Even though I didn’t get paid, some companies appreciated my findings.
Two companies invited me to their private bug bounty programs — a huge confidence boost for someone just starting out.
Getting recognized like that felt like validation. It reminded me that money is not the only win — learning and building reputation matter just as much.
What I’ve Learned So Far
Here's what this journey has taught me so far:
You don’t need to be an expert to start.
You won’t get rewards every time — and that’s okay.
The goal is to learn, not just to earn.
Every winner was once a beginner.
There’s no perfect time to begin. Start now. Yes, now.
How You Can Start Bug Bounties as a Beginner
If you're a beginner, here’s your roadmap:
Practice Without Pressure
Test small websites (with permission)
Try VDPs (Vulnerability Disclosure Programs) on:
Bugcrowd VDP
HackerOne VDP
Analyze Reports
Read public writeups on HackerOne
Join communities on Discord or Telegram
Follow bug bounty hunters on Twitter/X
Final Advice: Your Time Is Now
“Don’t wait for the right time — it never comes.”
I’m saying this from experience. I could’ve waited until I was “ready,” but I would’ve still been waiting today. Instead, I jumped in, made mistakes, learned from them — and kept going.
Even if you’re not getting bounties right now, you’re building:
Experience
Confidence
Reputation
Let me say this clearly:
You don’t need permission to begin. Your time is now. This moment — this exact one — is where it starts.
Start small. Start today. Maybe your contribution will make the world a little safer.
And maybe, like me, one day you’ll look back and realize…
It all started with a tiny bug in someone’s portfolio.
You might just make the world a safer place — one bug at a time.
Want to See Screenshots or Reports?
Here are some for you…
At last, I would say:
“Cybersecurity is not a set of products – it’s a set of practices.” – Ed Amoroso
Written by Pallavi Kathait
Passionate cybersecurity learner on a mission to explore, practice, and share hands-on knowledge with the community. Always eager to grow and help beginners get started in the world of cyber defense.