JANUARY 2, 2026 PREYANSH SHAH

Learning in Public: Notes From Someone Who Trusted User Input Once

First blog. No CVE yet. Just curiosity, broken assumptions, and too much time in Burp Suite.

This is the first time I’m writing a blog like this.

No authority badge. No “security researcher at age 12” origin story. No CVE count flex.

Just someone who once trusted user input — and has been paying for it ever since.


Starting Without Root Privileges

I didn’t start writing because I felt ready.

I started because I realized: waiting for “expert mode” is just analysis paralysis with better branding.

Security doesn’t reward confidence. It rewards curiosity, patience, and asking: “Why does this even exist?”

So this is me starting without sudo.


Why Bug Bounty, Specifically?

Because bug bounty removes excuses.

You can’t blame the lab being unrealistic, the scope being fake, or the vulnerability being “theoretical.”

Production doesn’t care about your feelings.

If it breaks, it breaks. And if it doesn’t — you still learn why it didn’t.


My Hunting Style

I don’t spray payloads and pray.

I read. I trace flows. I follow trust boundaries like a creep.

I ask questions like:

  • “Why is this endpoint authenticated… but also not?”
  • “Who told the frontend this was safe?”
  • “Why does this JWT look emotionally expired?”

Most of the time, the answer is: “Because it worked in staging.”


Early Findings Are Mostly 404s (Emotionally)

Your first months in bug bounty are humbling.

You’ll find “almost vulnerabilities,” things that are “interesting but not exploitable,” and valid issues that are out of scope.

You’ll also write reports that die quietly in triage.

That’s fine.

Understanding why something isn’t a bug is a skill no one screenshots — but it’s what builds intuition.


Writing Because Memory Is Volatile

This blog exists because my brain has no persistence layer.

If I don’t write things down: I forget edge cases, I repeat mistakes, I re-test the same dead endpoints like it’s new content.

Writing is my log file.

Messy. Verbose. Occasionally useful.


No “Expert” Headers Here

I’m not pretending I know everything.

Anyone who claims that in security either hasn’t tested enough or hasn’t read enough incident reports.

Some posts here will be half-formed, overly cautious, or later proven wrong.

That’s not failure. That’s how threat models evolve.


What You’ll Actually See Here

Expect posts about broken assumptions, misplaced trust, auth flows held together by hope, and things that shouldn’t be public — but here we are.

Less “how to hack X”. More “why this broke in the first place.”


Compounding, But Make It Technical

One bug doesn’t change much.

But consistent recon, consistent note-taking, and consistently asking “why?” instead of “where’s the payload?” — that compounds.

Quietly. Like technical debt — but in your favor.


Ending Thought

This blog won’t make me famous.

It might not even rank.

But over time, it will do something better: it will sharpen how I think.

And in security, thinking clearly is the real exploit.

Everything else is just tooling.
