Bug-Bounty Operator Practice
A single-operator offensive-security practice, run with an operating system around it.
I am starting a bug-bounty operator practice. Not a job hunt. A practice. The kind you run for years, on your own terms, with an operating system around it so the work continues whether I feel like it or not.
This page is the public face of that practice. The research, the writeups, the shipped tools, the CVEs — as they land, they land here. The operating doc that governs what I do each week lives elsewhere on the site, linked at the bottom.
The axiom
Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.
If a decision in this practice routes content ahead of research, or influencer moves ahead of capability, or short-term attention ahead of long-term legibility, it is wrong regardless of short-term metrics. This rule overrides every tactical preference below.
Why this, why now
The bug-bounty market is splitting in half. On one side, autonomous AI pentest platforms (XBOW, RunSybil, others) are absorbing commodity web-vulnerability volume. On the other, vendor-direct payouts have gone vertical — Apple to $5M+, Google +40% year over year, the top Chrome VRP hunter cleared $811K in 2025 alone — and platforms have hardened against AI-slop submissions.
In that market, a generic "bug-bounty hunter" is a losing product. A research-grade human operator, AI-leveraged but human-verified, concentrated on surfaces autonomous agents demonstrably underperform on, shipping a writeup per disclosed bounty and a tool per quarter, is winning.
The practice is positioned for that bifurcation. It runs three product lines in parallel, not sequentially.
The three tracks
Track A — web bounties. HackerOne, Bugcrowd, Intigriti, YesWeHack in rotation, sector-niched by Month 2 (fintech, devtools, infrastructure), vendor-direct submissions by Month 4. Immunefi, Code4rena, Sherlock, and Cantina audit contests layered in by Month 3 as a variance hedge. This is the income side of the practice. Means, not identity — Track A revenue on its own, without Track B and Track C progress, is a failed year.
Track B — 0-day operator. pwn.college CSE 466 Orange Belt from Week 2. V8 and kernel source-reading routine by Month 4. First fuzzing campaign by Month 12. First 0-day CVE target on the Month 24–30 horizon. Weekend-marathon cadence, not daily drips. This is the compounding identity track.
Track C — public shell. A one-page manifesto live Week 1. One public writeup within fourteen days of every disclosed bounty. One OSS security tool shipped per quarter, pointed at AI-adjacent gaps that autonomous platforms don't cover — not head-on autonomous pentest, which venture-funded platforms already own. A BSides talk by Month 8, gated on at least one disclosed bounty and published writeup already existing.
The moat is the intersection
Each track alone is commodity. The combination is defensible.
Against autonomous AI agents, the practice concentrates on surfaces they measurably struggle on — DOM XSS, blind SQLi, business-logic chains, multi-step authorization, binary exploitation, Web3 logic bugs, indirect prompt injection. Chain hunting rather than point-finding. Vendor-direct rather than public-program commodity.
Against influencer-first security creators, the practice routes research first. Content is distribution, never the reason for the work. Nicholas Carlini's Claude-assisted kernel CVE credits and Sam Curry's writeup arc are the reference shape.
Against employed security engineers, the practice preserves an unbroken causal chain from skill to outcome. Legible output — CVEs, repos, talks, PoCs — exists independent of any employer. The day job is the subsidy that funds the real work, not the destination.
How I will know this worked
The practice is governed by kill-switch-gated review checkpoints, not revenue-maximized targets. At Month 3, at least one disclosed bounty plus a published writeup within fourteen days, or the target surface gets switched before the strategy does. At Month 6, the Claude Code workstation demonstrably removes at least half the recon and triage grind while staying platform-policy-compliant, with zero strikes across any platform. At Month 12, the year's artifacts are legibly mine and continue to exist regardless of any employer.
What does not count: volume alone, commodity-only earnings, conference talks without shipped work behind them, broker sales of any kind, and unverified AI submissions on any platform. Those are hard failure modes, enforced against every sprint.
The north-star metric is not income. It is freedom capital — runway stacked per quarter. The day job is the subsidy, not the enemy.
Where the operating doc lives
The detailed PRD — weekly and monthly targets, risk register, kill-switch criteria, Sprint 0 day-by-day — lives at the operating doc. It is unlisted rather than hidden, so it won't show up in search or nav, but anyone with the URL can read along.
The site's docs landing also renders a live dashboard of where the practice stands this week — Sprint 0 progress, next gate, active risks. That is the accountability mechanism: I feel it every time I open the front door.
Artifacts, as they ship
- Writeups land at /docs/craft/writeups, fourteen days from resolution.
- CVEs, OSS tools, BSides talks: nothing disclosed yet.
This section stays honest about the absence of shipped artifacts. That is the point. Infrastructure exists before output — the writeup template is already live — but the shipped list is empty until the work lands.