Starting from scratch and aiming to make $100,000 in your first year of bug bounty hunting might seem daunting, but with a structured approach it is achievable. Here is a detailed roadmap based on Justin Gardner’s Twitter / X threads to help you get there.

Rhynorater Post (AI Summarized)

Month 1-1.5: Learning the Basics

Before diving into bug hunting, it’s crucial to understand the foundational components of the web. Spend the first month or so getting a solid grasp on:

  • HTTP: The protocol underlying the web.
  • Browsers: Their functions, security constraints, etc.
  • Web Architecture: Including APIs, reverse proxies, cloud services, etc.
  • Server-Side: APIs, MVC structure, routing, and handlers.
  • Client-Side: JavaScript, HTML, CSS.

This foundational knowledge is essential as it forms the bedrock of your bug hunting skills.

Months 2-3: Diving into Specific Vulnerabilities

With the basics under your belt, start focusing on specific types of vulnerabilities:

  • Privilege Escalation Bugs
  • Client-Side Access Control Bugs
  • Insecure Direct Object References (IDORs)
  • Paywall Bypasses

Use resources like PortSwigger Academy and Hacktivity reports to study these vulnerabilities. Allocate your time with a 20% hacking and 80% learning split during this phase.

Months 3-4: Initial Bug Hunting and Advanced Learning

By now, you should start applying what you’ve learned:

  • Aim to find 1-5 bugs per month, potentially earning around $750 per bug, totaling approximately $2,250/month.
  • Adjust your time allocation to 40% hacking and 60% learning.
  • Begin focusing on learning about Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Server-Side Request Forgery (SSRF).

Months 4-6: Increasing Bug Hunting Efficiency

As you become more proficient:

  • Expect to find around 7 bugs per month, each worth about $750, leading to monthly earnings of $5,250.
  • This phase involves about 80 hours of work per month, averaging one bug every 10 hours.
  • Complete all topics on PortSwigger Web Security Academy and continue reading HackerOne Hacktivity Reports.
  • Shift your focus to 80% hacking and 20% learning, concentrating on code review and specialty subjects like postMessage.

Months 6-7: Maximizing Your Earnings

With more experience:

  • You should now find at least 12 bugs per month, each yielding between $750 and $1,000, potentially increasing your monthly earnings to approximately $9,000.
  • By this point, you would have already earned about $15,500 for the year.

Months 8-12: Full-Time Bug Hunting

To round off the year:

  • Dedicate 100% of your time to hacking, aiming to find 15-20 bugs per month at an average of $1,000 each.
  • This should result in monthly earnings of around $17,500, totaling $70,000 over these five months.
  • Adding the previous earnings, your total would be around $103,000, though a more conservative estimate might be closer to $90,000 due to duplicate bugs and bounty fluctuations.

Critical Thinking Post

Web Fundamentals (Month 1 & 2)

  • HTTP, browsers + web architecture (APIs, reverse proxies, cloud setups).
  • Server-side concepts like MVC structure and routing.
  • Client-side basics (JavaScript, HTML, CSS).
  • Dedicate 4-6 weeks to full-time study.

Foundational Bugs (Months 3 & 4)

  • Focus on access control (AC) bugs, IDORs, and paywall bypasses.
  • Use PortSwigger Academy and Hacktivity reports.
  • Begin hacking part-time: 20% hacking, 80% learning.
  • Target 1-5 bugs per month at ~$750 each to earn $2,250/month.

Intermediate Vulnerabilities (Months 5 & 6)

  • Study XSS, CSRF, and SSRF while maintaining a 40/60 hacking-to-learning split.
  • Target 7 bugs/month, averaging $5,250/month as your skill and speed increase.
  • Example: Spend 80 hours/month hacking, finding one bug every ~10 hours.

Hacking + Code Review + Specialty (Months 6-8)

  • Dedicate 80% of your time to hacking, focusing on impactful bugs.
  • Learn advanced topics like postMessage, code review, and niche vulns.
  • Expect to find 12+ bugs/month, earning $9k/month.

Hardcore Hacking (Months 8-12)

  • Transition to 100% hacking, targeting 15-20 bugs/month at $1k each.
  • Congrats, you just made $100k!