Everyone starts somewhere. Here's the honest roadmap nobody gives you.
Step 1: Learn the Fundamentals (Weeks 1-4)
Master OWASP Top 10 before touching real targets. PortSwigger Web Security Academy is free and world-class. Learn XSS, SQLi, IDOR, and auth bypass hands-on.
Step 2: Set Up Your Toolkit
Burp Suite Community (free) + Kali Linux + SecLists wordlists. That's all you need to start. Don't spend money on tools yet.
Step 3: Choose Your First Program Carefully
Avoid Google and Apple — you're competing with elite researchers. Look for newly launched programs on Intigriti or YesWeHack with wide scope and less competition.
Step 4: Hunt for IDOR First
IDOR is the most common first bug. Find any URL with a numeric ID: /user/12345/profile. Change the number. Can you see someone else's data? That's a valid bug.
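For the app owner's side of Step 4, here is a worked example (added here, not part of the original post) showing why the "change the number" trick works and what the fix looks like: a profile lookup that trusts the id in the URL, beside one that checks that the id belongs to the logged-in user. The user store, the /user/<id>/profile route parser and the handler names (profile_vulnerable, profile_fixed, authz_denied) are all constructed for this demo; no web framework is required.

```python
# Added example, not from the original post: an IDOR-prone profile lookup
# beside a hardened one with an object-level authorization check.
# USERS and the route shape are constructed for the demo.

# Constructed user store: user id -> profile record.
USERS = {
    12345: {"email": "alice@example.test", "ssn_last4": "1111"},
    12346: {"email": "bob@example.test", "ssn_last4": "2222"},
}


class NotFound(Exception):
    """Raised when the requested object does not exist or is not visible to the caller."""


def parse_profile_path(path):
    """Extract the numeric user id from a /user/<id>/profile path, or return None."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "user" or parts[2] != "profile":
        return None
    if not parts[1].isdigit():
        return None
    return int(parts[1])


def profile_vulnerable(path, session_user_id):
    """IDOR-prone handler: the id comes from the URL and ownership is never checked.
    session_user_id is received but ignored, which is exactly the bug."""
    user_id = parse_profile_path(path)
    if user_id is None or user_id not in USERS:
        raise NotFound(path)
    return USERS[user_id]


def profile_fixed(path, session_user_id, is_admin=False):
    """Hardened handler: the id in the URL must match the authenticated session
    (or the caller must hold an explicit admin role).
    A mismatch returns the same NotFound as a missing record, so the response
    does not confirm which ids exist."""
    user_id = parse_profile_path(path)
    if user_id is None:
        raise NotFound(path)
    if user_id != session_user_id and not is_admin:
        raise NotFound(path)  # deliberately indistinguishable from "no such user"
    if user_id not in USERS:
        raise NotFound(path)
    return USERS[user_id]


def authz_denied(handler, path, session_user_id):
    """Return True if the handler refused the request, False if it returned data."""
    try:
        handler(path, session_user_id)
        return False
    except NotFound:
        return True


if __name__ == "__main__":
    alice = 12345
    # Alice asks for Bob's profile: the vulnerable handler hands it over.
    print(profile_vulnerable("/user/12346/profile", alice))
    # The fixed handler refuses the same request.
    print(authz_denied(profile_fixed, "/user/12346/profile", alice))
```

The key design point is that the check compares the object's owner against the server-side session identity, not against anything the client sends; the same rule applies to every endpoint that takes an id, not just profiles.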
Realistic Timeline
Month 1-2: Learning + first submission
Month 3-4: First valid payout ($50-$200)
Month 6: $500-$2,000/month consistently
Year 1: $12K-$30K treating it as part-time
Need your app tested? Get a pentest from us.