What if I told you that hacking could be legal, ethical, and even profitable? Sounds good, right?
That’s exactly what bug bounty programs offer — you find security flaws, report them to companies, and get paid for your skills.
They’re a way for ethical hackers to help companies find security vulnerabilities before cybercriminals do, and get paid handsomely for their help.
Up to $50k for finding a critical issue!
Not bad, right? Especially as you can do this in your spare time, or even while you are still learning Cyber Security.
In fact, while hanging out on the ZTM Discord recently, I saw one of our students managed to get their first bug bounty.
I figured I would reach out and ask them about their experience and background, so you can see how it went - and possibly try some bug bounties for yourself!
These are their answers.
Hey, I’m Ebenz! You might’ve seen me around the ZTM Discord. I’m currently in my sixth semester, majoring in Computer Science with a focus on Cyber Security.
I’ve always been fascinated by the idea of ethical hacking - outsmarting potential threats and uncovering hidden vulnerabilities before the bad guys do. It’s like a never-ending puzzle, and I love the challenge. But beyond that, I’m drawn to the bigger picture: protecting digital spaces and understanding how different systems work under the hood.
When I first heard about bug bounty programs, I saw them as the perfect way to test my skills in real-world scenarios. Not only could I practice what I was learning, but I could also push my penetration testing abilities to see just how far I could go.
If you’re thinking, “I’m not experienced enough for this”, I get it. I felt the same way. But the truth is, you don’t need to be an expert to start. You just need to be curious, persistent, and willing to learn.
Oh, and maybe add some specific tools to your skillset…
Even though I’m studying cybersecurity in college, I knew that real-world experience was just as important as theory. That’s why, about three weeks ago, I decided to take one of the cybersecurity courses at ZTM Academy.
I picked this course because it focused on website penetration testing which is exactly what I needed for bug bounty hunting.
Also, it wasn’t just a list of concepts. It actually walked me through practical strategies for identifying security vulnerabilities, thinking like an attacker, and systematically testing for weaknesses. So for the first time, I wasn’t just reading about penetration testing — I was actually doing it in a controlled environment.
The course also helped me understand how hackers approach security flaws, how different attack techniques work, and how to uncover vulnerabilities that others might miss.
Armed with this new knowledge, I felt ready to take the leap into bug bounty hunting. So, I signed up for a few bug bounty programs and started testing real websites.
Important: If you’re testing for security vulnerabilities, always make sure you’re doing it on platforms that explicitly allow testing, like bug bounty programs or security research sites.
Hacking a website without permission — even with good intentions — is illegal and could land you in serious trouble.
My first bug discovery happened on a financial transaction website — exactly the kind of platform that needs top-tier security. Companies like this often run bug bounty programs to stay ahead of potential threats, so I figured it was a great place to start.
At first, I tried a cross-site scripting (XSS) attack, but the site had strong filtering in place, or maybe my knowledge wasn’t deep enough yet. Either way, that attempt didn’t work. But instead of giving up, I kept testing different methods.
Editor’s note: Cross-site scripting (XSS) is an attack that injects malicious scripts into web pages viewed by other users. Attackers use XSS to steal cookies, session tokens, or even take control of accounts.
That’s when I discovered a vulnerability through IDOR (Insecure Direct Object References).
Editor’s note: IDOR (Insecure Direct Object References) happens when a website doesn’t properly verify whether a user should have access to certain data. If a website exposes unique IDs without proper checks, an attacker can manipulate them to view or modify other users' data.
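Editor’s note: to make the IDOR pattern concrete, here is an added illustration (not code from the article or from the site Ebenz tested). It models a transaction lookup keyed by a client-supplied token, shows the broken version that trusts the token alone beside a version that also checks the authenticated user owns the record, and includes a small audit-log check a defender can use to spot someone cycling through other users' tokens. All names, tokens and records are constructed for the example.

```python
"""Added example: an IDOR-prone lookup beside its authorization-checked form.
Data, token format and function names are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Iterable, Set


@dataclass(frozen=True)
class Transaction:
    token: str       # identifier the client sends with the request
    owner_id: int    # account that created the transaction
    amount: int      # amount in minor units (e.g. cents)
    card_last4: str  # sensitive detail that must stay with its owner


# Constructed sample records: two users, one transaction each.
TRANSACTIONS = {
    "tok-1001": Transaction("tok-1001", owner_id=1, amount=2500, card_last4="4242"),
    "tok-1002": Transaction("tok-1002", owner_id=2, amount=9900, card_last4="1111"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def lookup_insecure(token: str) -> Optional[Transaction]:
    """Vulnerable: the token is the only thing checked, so anyone who knows
    (or guesses) another user's token gets that user's record back."""
    return TRANSACTIONS.get(token)


def lookup_secure(token: str, current_user_id: int) -> Transaction:
    """Hardened: resolve the record, then verify the session's user owns it.
    The session user id comes from server-side auth, never from the request."""
    tx = TRANSACTIONS.get(token)
    if tx is None or tx.owner_id != current_user_id:
        # One response for "does not exist" and "not yours", so the endpoint
        # does not confirm which tokens are valid.
        raise Forbidden("transaction not found or not accessible")
    return tx


def secure_lookup_allowed(token: str, current_user_id: int) -> bool:
    """Convenience wrapper returning True only when the secure path succeeds."""
    try:
        lookup_secure(token, current_user_id)
        return True
    except Forbidden:
        return False


@dataclass(frozen=True)
class AuditEvent:
    user_id: int   # authenticated user making the request
    token: str     # token they asked for
    allowed: bool  # outcome of the ownership check


def flag_token_probing(events: Iterable[AuditEvent], threshold: int = 3) -> Set[int]:
    """Detection helper: users whose denied lookups reach the threshold.
    A legitimate user rarely requests other people's transactions, so repeated
    denials from one account are a signal worth alerting on."""
    denials: dict = {}
    for ev in events:
        if not ev.allowed:
            denials[ev.user_id] = denials.get(ev.user_id, 0) + 1
    return {uid for uid, n in denials.items() if n >= threshold}


if __name__ == "__main__":
    # User 1 asks for user 2's token: the insecure path leaks the record.
    print("insecure:", lookup_insecure("tok-1002"))
    # The secure path refuses the same request.
    print("secure allowed:", secure_lookup_allowed("tok-1002", current_user_id=1))
    # Constructed audit trail: user 3 is probing several foreign tokens.
    trail = [AuditEvent(3, "tok-1001", False), AuditEvent(3, "tok-1002", False),
             AuditEvent(3, "tok-1003", False), AuditEvent(1, "tok-1001", True)]
    print("flagged:", flag_token_probing(trail))
```

The fix is the ownership comparison, not a harder-to-guess token: an unguessable token helps, but authorization must still be enforced on every request against the server-side session.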
I found that the site used a snap token to identify users during transactions, so I experimented by swapping my token with a friend’s.
The result? I gained access to their sensitive details, including:
That was a serious security risk. An attacker could use this exploit for man-in-the-middle attacks, account takeovers, or even identity theft.
I reported the issue immediately. While I didn’t receive formal recognition, the company thanked me and quickly patched the vulnerability.
The craziest part? I had only been learning penetration testing for three weeks before I found it!
Looking back, this experience taught me a lot. I realized that attention to detail and persistence are key in Cyber Security, because sometimes, the first approach won’t work, but that doesn’t mean you won’t find something valuable if you keep digging!
Also, bug bounty hunting isn’t just about making extra money. It’s an intellectual challenge, a way to apply what you’ve learned in real-world scenarios, and a chance to contribute to a safer digital world.
If you’re thinking about getting started, my advice? Learn, practice, and test your skills ethically.
Online courses like the one I took here are a great way to build a solid foundation, but nothing beats hands-on experience and applying what you’ve learned. The more you practice, the better you’ll get at spotting vulnerabilities that others miss.
So, if Cyber Security excites you, why not give bug bounty hunting a try? You never know what you might find.