---
title: Bug-Bounty Operator Practice
description: A single-operator offensive-security practice, run with an operating system around it.
section: craft
tags: [initiative, security, bug-bounty, offensive-security, operator-practice]
genre: reference
stability: draft
lastUpdated: 2026-04-21
url: https://fardiniqbal.com/docs/craft/initiatives/bug-bounty
---


I am starting a bug-bounty operator practice. Not a job hunt. A practice. The
kind you run for years, on your own terms, with an operating system around it
so the work continues whether I feel like it or not.

This page is the public face of that practice. The research, the writeups, the
shipped tools, the CVEs — as they land, they land here. The operating doc that
governs what I do each week lives elsewhere on the site, linked at the bottom.

## The axiom [#the-axiom]

> Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.

If a decision in this practice routes content ahead of research, influencer
moves ahead of capability, or short-term attention ahead of long-term
legibility, it is wrong regardless of what the metrics say that week. This
rule overrides every tactical preference below.

## Why this, why now [#why-this-why-now]

The bug-bounty market is splitting in half. On one side, autonomous AI pentest
platforms (XBOW, RunSybil, others) are absorbing commodity web-vulnerability
volume. On the other, vendor-direct payouts have climbed steeply: Apple to
$5M+, Google up 40% year over year, the top Chrome VRP hunter cleared $811K in
2025 alone. At the same time, the platforms have hardened against AI-slop
submissions.

In that market, a generic "bug-bounty hunter" is a losing product. A
research-grade human operator, AI-leveraged but human-verified, concentrated
on surfaces where autonomous agents demonstrably underperform, shipping a
writeup per disclosed bounty and a tool per quarter, is a winning one.

The practice is positioned for that bifurcation. It runs three product lines
in parallel, not sequentially.

## The three tracks [#the-three-tracks]

**Track A — web bounties.** HackerOne, Bugcrowd, Intigriti, YesWeHack in
rotation, sector-niched by Month 2 (fintech, devtools, infrastructure),
vendor-direct submissions by Month 4. Immunefi, Code4rena, Sherlock, and
Cantina audit contests layered in by Month 3 as a variance hedge. This is the
income side of the practice. Means, not identity: Track A revenue on its own,
without Track B and Track C progress, is a failed year.

**Track B — 0-day operator.** pwn.college CSE 466 Orange Belt from Week 2. V8
and kernel source-reading routine by Month 4. First fuzzing campaign by
Month 12. First 0-day CVE target on the Month 24–30 horizon. Weekend-marathon
cadence, not daily drips. This is the compounding identity track.

**Track C — public shell.** A one-page manifesto live in Week 1. One public
writeup within fourteen days of every disclosed bounty. One OSS security tool
shipped per quarter, pointed at AI-adjacent gaps that autonomous platforms
don't cover, not at head-on autonomous pentest, which venture-funded platforms
already own. A BSides talk by Month 8, gated on at least one disclosed bounty
with its published writeup already existing.

## The moat is the intersection [#the-moat-is-the-intersection]

Each track alone is commodity. The combination is defensible.

Against autonomous AI agents, the practice concentrates on surfaces they
measurably struggle on — DOM XSS, blind SQLi, business-logic chains,
multi-step authorization, binary exploitation, Web3 logic bugs, indirect
prompt injection. Chain hunting rather than point-finding. Vendor-direct
rather than public-program commodity.

Against influencer-first security creators, the practice routes research
first. Content is distribution, never the reason for the work. Nicholas
Carlini's Claude-assisted kernel CVE credits and Sam Curry's writeup arc are
the reference shape.

Against employed security engineers, the practice preserves an unbroken
causal chain from skill to outcome. Legible output — CVEs, repos, talks, PoCs
— exists independent of any employer. The day job is the subsidy that funds
the real work, not the destination.

## How I will know this worked [#how-i-will-know-this-worked]

The practice is governed by kill-switch-gated review checkpoints, not
revenue-maximized targets. At Month 3: at least one disclosed bounty plus a
published writeup within fourteen days of it, or the target surface is
switched before the strategy is. At Month 6: the Claude Code workstation
demonstrably removes at least half the recon and triage grind while staying
within each platform's AI-use policy, and there are zero strikes on any
platform. At Month 12: the year's artifacts are legibly mine and continue to
exist regardless of any employer.

What does not count: volume alone, commodity-only earnings, conference talks
without shipped work behind them, broker sales of any kind, and unverified AI
submissions on any platform. Those are hard failure modes, enforced against
every sprint.

The north-star metric is not income. It is freedom capital — runway stacked
per quarter. The day job is the subsidy, not the enemy.

## Where the operating doc lives [#where-the-operating-doc-lives]

The detailed PRD — weekly and monthly targets, risk register, kill-switch
criteria, Sprint 0 day-by-day — lives at [the operating
doc](/docs/vault/initiatives/bug-bounty-prd). It is unlisted rather than
hidden, so it won't show up in search or nav, but anyone with the URL can
read along.

The site's docs landing also renders a live dashboard of where the practice
stands this week — Sprint 0 progress, next gate, active risks. That is the
accountability mechanism: I feel it every time I open the front door.

## Artifacts, as they ship [#artifacts-as-they-ship]

* **Writeups** land at [/docs/craft/writeups](/docs/craft/writeups), fourteen days from resolution.
* **CVEs, OSS tools, BSides talks:** nothing disclosed yet.

This section stays honest about the absence of shipped artifacts. That is
the point. Infrastructure exists before output — the writeup template is
already live — but the shipped list is empty until the work lands.
