DEV Community

P VIKRAM KISHORE

What I Did During My Summer Vacation: Day 1 - My First 10 Bug Bounty Reports

Before college starts again, I wanted to document what I worked on during my vacation.

This is the first post in a series where I'll share everything I learned over the past few months—from bug bounty hunting to AI security, GenAI engineering, and the projects I built.

Getting Started

Until recently, most of my security experience came from CTFs and intentionally vulnerable labs.

While they taught me a lot about exploitation techniques, I wanted to understand how security works in real production applications.

So I decided to spend my vacation participating in private bug bounty programs.

The Results

By the end of my vacation, I had submitted 10 bug reports across multiple private programs.

The findings ranged from Low to High and Expert severity.

One of the most impactful reports involved an unauthenticated API exposure that, if abused, could have exposed information related to approximately 39,070 investors and employees.

Some of the vulnerability classes I encountered included:

  • CORS Misconfigurations
  • GraphQL User Enumeration
  • Subdomain Takeovers
  • GitHub Actions Supply Chain Risks
  • Excessive CI/CD Permissions
  • CSP Misconfigurations
  • OAuth & Authentication Issues
  • Information Disclosure

What Bug Bounty Actually Taught Me

Before starting, I thought bug bounty was mainly about finding vulnerabilities.

I quickly realized I was wrong.

Finding a bug is usually the final step.

Most of the work happens long before that.

I spent hours:

  • Reading thousands of lines of JavaScript
  • Tracing API requests
  • Mapping authentication flows
  • Understanding business logic
  • Following how different services communicate
  • Learning why applications were built the way they were

Some days I wouldn't find a single vulnerability.

Other days I'd spend hours chasing something that turned out to be intended behavior.

But every investigation improved the way I think about application security.

Rejections Are Part of the Process

One thing I learned early is that not every report will be accepted.

Not every report deserves a bounty.

Sometimes the issue is already known.
Sometimes it's out of scope.
Sometimes the impact isn't high enough.

That's part of bug bounty.

Every report—accepted or not—teaches you something new.

What's Next?

This vacation wasn't just about bug bounty.

I also spent time learning AI security, RAG systems, LLM evaluations, observability, and building GenAI projects.

Over the next few posts, I'll share those experiences as well.

If you're a student thinking about getting into bug bounty, my biggest advice is this:

Don't chase bounties. Chase understanding.

The vulnerabilities come naturally once you truly understand how applications work.

Thanks for reading, and I'd love to hear what you've been working on this summer.

Happy hacking! 🚀
