YouGina

Reflecting on 2024 and setting bug bounty goals for 2025

As we step into 2025, it’s the perfect time to reflect on the past year’s journey in bug bounty hunting and set clear goals for the year ahead. Inspired by the "Bug Bounty Hunter Year Review" template from the Critical Thinking podcast, I’ve taken some time to assess my performance, strengths, and areas for growth.

2024 in Review: Progress and reflection

Highlights of 2024

One of my proudest moments this year was uncovering prototype pollution gadgets during a source code review. These findings showcased potential abuse cases in a framework used by many applications and underscored the power of persistence and deep dives into source code. While the bugs weren’t always critical in immediate impact, the process of identifying and understanding them felt deeply rewarding. For me, the thrill doesn't come from the bounty itself but from the discovery and the moment of realizing how a vulnerability can be exploited.

Performance metrics

Looking back, my performance has been a mix of successes and areas for improvement:

Number of bugs: I submitted 13 bugs this year—roughly one per month. While that’s a respectable number, I’d like to increase my output next year.

Bug impact: Out of those 13, five were critical or high. That’s a strong ratio, but the critical ones were primarily AI bias issues. In 2025, I want to focus more on technical, high-impact vulnerabilities.

Scope and focus: I jumped between targets too often, which weakened my efforts. Committing to a single program for an extended period could lead to more consistent results.

Report quality: I believe my reports are of high quality. Clear, thorough documentation played a key role in getting even edge-case issues like prototype pollution gadgets accepted.

Tools, automation, and organization

This year, my automation tools helped streamline data collection, but there’s room for improvement. My scripts are monolithic, requiring the entire process to run at once. Breaking these into modular components and implementing better reporting and notification systems could enhance efficiency. On the organizational front, I’ve been less disciplined than I’d like, often neglecting note-taking or switching targets too frequently.

Time commitment and motivation

One of my biggest frustrations in 2024 was the limited time I could dedicate to hacking—less than a few hours per month. This was partly due to balancing a full-time job and preparing for the OSWE exam, which consumed much of my focus. Luckily, I passed my OSWE at the end of last year, crossing it off my bucket list and freeing up more time for bug bounty hunting in 2025. Despite the challenges, my motivation remains strong, and I’m optimistic about making the most of this newfound availability.

Goals for 2025: Focus and growth

Sharpening my skills

In 2025, I aim to enhance my vulnerability detection skills, particularly in black-box engagements. Techniques like fuzzing and understanding application behavior more deeply are areas where I see significant potential for growth. Additionally, I want to explore vulnerability research in popular open-source libraries and frameworks, contributing not just to bug bounty platforms but to the broader security community.

Building automation and organization

My automation framework needs a serious overhaul. Making it modular and improving the database structure will be a top priority. Organization is another focus area: better notes, structured workflows, and sticking to a single target for extended periods will be key to maximizing my efficiency.

Time management and motivation

A realistic goal for 2025 is to dedicate four hours per week to bug bounty hunting. While this might seem modest, it’s a significant increase from 2024. Participating in events like the HackerOne Ambassador World Cup has proven to be a great motivator, and I plan to engage in similar challenges next year. While an invitation to a Live Hacking Event (LHE) would be a dream, I recognize that consistent effort and impactful contributions are required.

Community and collaboration

I’d love to collaborate more with other hunters, particularly those whose skills and insights I admire, such as Prime, NisH0ck, and the Dutch team from the Ambassador World Cup. Additionally, contributing to the community through vulnerability research or creating content, like videos on creating proof-of-concepts from published CVEs, remains a long-term aspiration.

Quantifiable goals

Here’s a snapshot of my goals for 2025:

Bugs: Submit at least 24 bugs (two per month on average).

Severity distribution: Aim for 25% critical, 25% high, and 40% medium bugs, with few low-severity findings. These percentages are similar to last year, but maintaining this distribution will be challenging as I plan to double the number of bugs I find in 2025.

Earnings: Target earnings of REDACTED or more (about double from last year).

Time commitment: Maintain a steady pace of four hours per week.

Conclusion

As I reflect on my bug bounty journey, one lesson stands out: success comes from steady progress, not quick wins. Like vulnerability research and cybersecurity at large, bug bounty hunting requires persistence, patience, and a willingness to learn from setbacks.

Time remains a limiting factor for me, but I’ve learned that even incremental progress can lead to significant results. By setting achievable goals, staying organized, and focusing on high-impact bugs, I’m confident that 2025 will be a good year. To my fellow hunters: keep pushing, stay curious, and remember that every small step forward brings you closer to your goals.

Reach me via:

- info@yougina.com
- @YouGina

© 1991 - 2025