---
title: Bug-Bounty Operator — Product Requirements Document
description: Full operating PRD for the bug-bounty operator practice. Unlisted — routable by URL, but not in search, nav, feeds, llms.txt, or MCP.
section: vault
tags: [initiative, prd, bug-bounty, operating-doc, internal]
genre: reference
stability: stable
lastUpdated: 2026-04-21
url: https://fardiniqbal.com/docs/vault/initiatives/bug-bounty-prd
---


This page is the full operating PRD for the bug-bounty operator practice,
mirrored verbatim from `_bmad-output/planning-artifacts/prd.md`. It is
unlisted — routable by URL, but excluded from search, nav, feeds, the
llms.txt surfaces, and the MCP tool inventory. The live operating view —
current sprint, next gate, active risks, streak — renders first, below.

> **Supersession note (2026-04-21).** The PRD below references `fardin.sh`
> as the public research brand. After shipping, that decision was reversed:
> fardiniqbal.com is the canonical surface, and the bug-bounty practice
> lives at `/docs/craft/initiatives/bug-bounty` with writeups under
> `/docs/craft/writeups`. A second site would split the queryable
> single-source-of-truth the portfolio is built to be. The live operating
> data in `src/data/initiatives/bug-bounty.ts` reflects this; wherever the
> PRD prose below says `fardin.sh`, read it as `fardiniqbal.com` on the
> current surface.

<InitiativeDashboard />

***

## Product Requirements Document — bug-bounty [#product-requirements-document--bug-bounty]

**Author:** Fardiniqbal
**Date:** 2026-04-19

### Executive Summary [#executive-summary]

Fardin Iqbal is being built as a single-operator offensive-security practice positioned for the 2026 bug-bounty market bifurcation. Autonomous AI pentest platforms (XBOW $1B+, RunSybil $40M Series A) are absorbing commodity web-bug volume while vendor-direct payouts have gone vertical (Apple $5M+, Google +40% YoY, top Chrome VRP hunter $811K in 2025) and platforms have hardened against AI-slop submissions (Bugcrowd 10-strikes → permanent ban; HackerOne IBB pause; curl shut its program Feb 1, 2026). In this market a generic "bug bounty hunter" is a losing product; a research-grade human operator — AI-leveraged, vendor-direct, chain-hunting, writeup-compounding, surface-niched — is winning.

**Target state (Y3):** quiet-primary 0-Day Operator with loud-secondary public surface. Published CVE portfolio (≥1 vendor-direct high-severity + ≥1 0-day target initiated). \~$60K+/yr bounty floor with realistic path to $100K–$300K across vendor-direct + audit-contest + AI-security surfaces. Public research brand at `fardin.sh`. ≥1 OSS security tool with meaningful adoption. Paid product / course as secondary income. Day job optional. BSides talk delivered.

**V1 horizon (the real commitment gated by this PRD): Month 12.** Y2 / Y3 are stretch directional targets. Y1 is the product's V1. Success is kill-switch-gated at M3 / M6 / M12 — not revenue-maximized.

**North star:** freedom capital in months-of-runway stacked per quarter. Not income replacement. Day job is the subsidy, not the enemy. No quit until $300K banked or 18 months runway.

**Three parallel product lines (not sequential):**

* **Track A — Fear-Killer (M1–M12).** Web bounties on H1 + Bugcrowd + Intigriti + YesWeHack rotation. Sector-niched by M2. Vendor-direct submission hygiene M2, first real vendor-direct submission M4. Immunefi + Code4rena + Sherlock audit-contest layer by M3. Target run-rate \~$60K/yr; kill-switch floor $15K at M12. **Track A is means, not identity** — $60K at M12 with no Track B or Track C progress is a failed V1.
* **Track B — 0-Day Operator (M1–M36, compounding identity).** pwn.college CSE 466 Orange Belt from Week 2. V8 / kernel source-reading by M4. First fuzzing campaign M12. First 0-day CVE target M24–30. Weekend-marathon cadence.
* **Track C — Loud Secondary (M1–∞, reputation compounding).** `fardin.sh` + X live Week 1. Public writeup within 14 days of every disclosed bounty. One OSS security tool per quarter (AI-adjacent gap only; not head-on autonomous-pentest). BSides talk M8. Paid product / course M18+.

**Primary buyers:** vendor-direct programs (MSRC / Google VRP / Chrome VRP / Android / Apple Security / ZDI — real revenue surface by Y2); premium platforms (H1 / Bugcrowd / Intigriti / YesWeHack — Track A bread-and-butter); Web3 (Immunefi tail-heavy + Code4rena / Sherlock / Cantina audit contests); AI-security (Anthropic / Google AI VRP / OpenAI / Huntr — fastest-growing segment, +210% YoY H1 AI reports). Y2+ adds consulting, course buyers, sponsors. NahamSec \~50/25/25 bounty / content / consulting = validated income mix.

**Primary beneficiaries:** vendor security teams, open-source maintainers, AI-safety teams, end users of those products. Code-of-conduct: *dangerous to systems, not humans*. Every disclosure coordinated. Every PoC minimum-reproducer. Every boundary documented.

**The problem this practice resolves.** The ambient path for a CS graduate is employment — the employer owns the causal chain skill→outcome. That path already failed on two axes for this operator: work killed aliveness (boredom axis), and the chain is broken (employment = beholden). Existing alternatives don't close the gap: (a) public-program grinding produces commodity volume autonomous agents now do better; (b) influencer-first creator careers decouple from capability; (c) broker sales are criminally prosecuted post-Operation Zero (Oct 2025) and strategically foreclosed by the reputation-is-the-asset axiom; (d) "quit the job and go solo" trades real runway for fake agency and wrecks 0-day research, which has long dry spells. No packaged path exists for the identity being aimed at — the quiet mercenary with a public shell, income compounding across bounty + research + rep + tooling, with an unbroken causal chain from skill to outcome.

#### What Makes This Special [#what-makes-this-special]

**The moat is the intersection, not any single leg.** Each leg alone is commodity; the combination is defensible:

* **Against autonomous AI agents (XBOW, RunSybil):** concentrate on surfaces they demonstrably underperform on — DOM XSS (XBOW solved 57%), blind SQLi (0%), multi-step authorization chains, business-logic exploitation, binary, Web3 logic bugs, indirect prompt injection. Chain-hunting, not point-finding. Vendor-direct, not H1-public commodity.
* **Against influencer-first creators:** research is the product; content is the distribution. Every writeup is an output of real work, not the reason for it. Nicholas Carlini's Claude-assisted kernel CVE credits and Sam Curry's writeup arc are the reference — not lifestyle-content accounts.
* **Against employed security engineers:** unbroken causal chain. Legible output (CVEs, repos, talks, PoCs) exists independent of any employer.
* **Against other solo hunters:** AI workstation live Day 1 (Claude Code + `shuvonsec/claude-bug-bounty` + Burp MCP; GhidraMCP / Decyx M2–3), not Month 6. Sector niche by M2, not "general hunter." Vendor-direct by M4, not "someday." Writeup cadence from bounty #1, not after five.

**Core insight — the 2026 bifurcation bet.** The bug-bounty market is bifurcating. Commodity web volume → autonomous agents. Premium surfaces (vendor-direct, audit contests, AI-security, 0-day) need scarce human operators who ship *quality*, not volume. The right product to build in 2026 is the researcher whose report a program manager actually wants to open. The wrong product is the generic H1 hunter.

**Why now:**

* Vendor-direct ceilings vertical (Apple $5M+, Google +40% YoY 2025, top Chrome VRP hunter $811K, MSRC $17M/2025).
* AI-security bounties exploding (+210% YoY H1 AI reports; Anthropic $35K/jailbreak, Google AI VRP $30K).
* Platforms hardening against AI-slop — legible human operators get premium.
* EU CRA Sep 11, 2026: mandatory coordinated-disclosure channels open; full obligations Dec 11, 2027 — pre-positioning window live.
* Claude Code 1M-token context + MCP ecosystem — solo-operator scale never before possible.

**Structural unfair advantages:** mass AI context (Claude Code 1M tokens as working memory), intermediate CS foundation, activatable professor network, day job as 18-month runway. The structural edge is **cadence** — shipping a 14-day writeup and a quarterly tool while the field debates whether AI counts as cheating.

**Non-negotiable positioning axiom (overrides every tactical preference in this PRD):**
**Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.**
If a decision routes content / influencer / attention ahead of research / capability / legibility, it is wrong regardless of short-term metrics.

**Load-bearing gates (first-class in this PRD, enforced at every sprint):**

* No talk, no podcast, no paid product before ≥1 disclosed bounty + published writeup exist.
* Track A revenue without Track B + C progress = failed V1.
* No broker sales. Non-negotiable. Operation Zero (Oct 2025) is the reference case.
* No unverified AI submissions on any platform. Policy-compliant use only.
* No quitting the day job before $300K banked or 18 months runway.
* No "general hunter" positioning. Sector-niche or die.

### Project Classification [#project-classification]

* **Project Type:** `human_as_product / solo_research_practice` (custom — standard project-type CSV does not fit; features are skills, distribution is writeups / OSS / talks, revenue is bounties + audits + Y2 consulting).
* **Domain:** `offensive_security / vuln_research` (custom hybrid; closest CSV analog `scientific` for research-first posture, but regulatory surface is fintech-level hot — Operation Zero Oct 2025 criminal prosecution, EU CRA Sep 2026 coordinated-disclosure regime, platform AI-slop ban policies, DMCA §1201 AI-bias exemption denied, Schedule C / SEP-IRA / LLC tax surface from Day 1).
* **Complexity:** **high** — live-moving regulatory surface, compounding skill stack (web → binary → browser → kernel → fuzzing → 0-day), market mid-disruption (XBOW / RunSybil absorbing commodity volume), reputation legally load-bearing (one bad submission ends the practice).
* **Project Context:** **greenfield** — no existing practice, no shipped output yet, first bounty not submitted. Brief + distillate + PRFAQ + domain research + brainstorm provide upstream context; no operational artifacts exist.

### Success Criteria [#success-criteria]

#### User Success [#user-success]

**Primary user — Fardin-as-operator:**

* **M3 aha moment:** first disclosed bounty resolved + writeup published within 14 days. The chain works — skill → submission → payout → public artifact, no intermediary.
* **M6 aha moment:** Claude Code workstation demonstrably removes ≥50% of recon/triage grind while staying platform-policy-compliant.
* **M12 aha moment:** ≥$15K earned **AND** ≥1 Track B binary-exploitation artifact shipped (pwn.college Orange Belt done + ≥1 public fuzzing / reversing writeup).
* **Emotional success:** fear-of-being-fired gone. Work stays alive (boredom-axis filter passing at every monthly review). Day job = subsidy, not prison.
* **V1 completion signal (M12):** operator looks at the year's artifacts and says *"this work is legibly mine — it wouldn't exist without me, and it continues to exist regardless of any employer."*

**Secondary user — vendor security teams / program managers:**

* Every submission: minimum-reproducer PoC + severity justification + coordinated-disclosure timeline + writeup draft under embargo.
* Triage time on a Fardin-submitted report \< queue average.
* Reporter name / CVE portfolio recognized on inbound → top of queue.
* Zero AI-slop, zero dupes, zero scope violations.

#### Business Success [#business-success]

**Financial (kill-switch-gated, not target-maximized):**

* **M3:** ≥1 bounty **OR** surface switch (H1-public → Intigriti-EU / Synack). Failing both → surface-selection is the diagnosis, strategy still viable.
* **M6:** cumulative earnings tracking toward M12 floor (≥$3–5K trailing). Claude Code saves ≥50% recon/triage time **AND** zero platform-policy violations.
* **M12:** ≥$15K earned **AND** not 100% low-severity commodity H1-public (must include ≥1 vendor-direct attempt, ≥1 audit-contest entry, or ≥1 AI-security submission).
* **Stretch run-rate:** \~$60K/yr at M12–M18. Y2 path to $100K. Y3 path to $100K–$300K.
* **Cash-out discipline:** every bounty auto-split 50% brokerage / 25% SEP-IRA / 25% tools+consulting. LLC at \~$30K gross. Schedule C + 30% tax reserve from Day 1.
* **North-star metric (overrides revenue if they disagree):** months-of-runway stacked per quarter. Y1 target: +6–9 months added.

**Identity / legibility:**

* Y1: CVE portfolio ≥1 public entry; writeup archive ≥3 published; ≥1 OSS tool shipped; pwn.college CSE 466 Orange Belt complete.
* Y2: first vendor-direct CVE; BSides talk delivered (gated: ≥1 bounty + writeup); ≥4 OSS tools shipped.
* Y3: first 0-day CVE in progress or initiated; paid product / course generating secondary income; consulting inbound exists.

**Reputation / legal-compliance (non-negotiable, measured every sprint):**

* Zero illegal moves — lifetime. No broker sales. No AI-slop. No program-scope violations.
* Zero platform strikes across H1 / Bugcrowd / Intigriti / YesWeHack / Immunefi.
* 100% disclosed bounties → public writeup within 14 days of resolution.
* 100% coordinated-disclosure compliance with ISO 29147 / 30111 / CISA CVD.

#### Technical Success [#technical-success]

**Tooling spine (V1 ready Day 7):** Claude Code + `shuvonsec/claude-bug-bounty` + Burp Community + Burp MCP + GitHub-dorks scripts. M2–M3: GhidraMCP + Decyx. Every AI finding human-verified. Zero unverified submissions.

**Skill stack:**

* **Web (Track A):** sector-niche fluency by M2 (fintech / devtools / infra). Chain-hunting + business-logic chops ≥ commodity IDOR volume by M6.
* **Binary (Track B):** pwn.college Orange Belt by M6. V8 / kernel source-reading routine by M4. First fuzzing campaign M12.
* **Web3 (Track A+):** Immunefi-ready by M3 (Solidity + ≥1 audit-contest entry).
* **AI-security:** OWASP LLM top-10 fluency + ≥1 indirect prompt injection attempt by M6.

**Research / output infrastructure:**

* `fardin.sh` live Week 1 with manifesto + writeup templates + CVE portfolio page.
* Writeup template: minimum-reproducer PoC + severity justification + invariant violated + reconstructable methodology.
* OSS tool cadence: 1/quarter. Repo per tool with README, install, MIT license. Adoption: ≥1 external contributor or ≥50 stars on Q4 tool.

**Policy compliance (legally load-bearing):**

* Every platform account in good standing.
* Every submission inside documented program scope.
* Every disclosure coordinated, embargo honored.
* Zero AI-bias research outside program authorization.
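The "every submission inside documented program scope" rule above, and the "in-scope recon only" constraint in Sprint 0 below, are only enforceable if scope is checked mechanically before any recon output is touched. The following is an added example, not code from the PRD or from the operator's tooling: a small scope gate that takes a program's in-scope and out-of-scope asset lists (the `Scope` type, the constructed `example.com` assets and the function names are all assumptions for illustration), normalises a host or URL to a hostname, and clears it only if it matches an in-scope asset and no out-of-scope asset. It reads `*.example.com` conservatively as subdomains only, so the apex is cleared only when the program lists it explicitly, and it rejects suffix look-alikes such as `evil-example.com`. IP ranges and CIDR scopes are not handled; those would need a separate matcher.

```python
"""Program-scope gate for recon output. Added example, not the PRD's own tooling.

Policy: a host is cleared only if it matches at least one in-scope asset and
matches no out-of-scope asset. Exclusions always win, and wildcards are read
conservatively (subdomains only, never the apex).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Scope:
    """Assumed shape of a program's scope page: two lists of host patterns."""
    in_scope: tuple[str, ...]
    out_of_scope: tuple[str, ...]


def _host_of(target: str) -> str:
    """Accept a bare host, host:port or full URL; return a lowercase hostname."""
    if "://" not in target:
        target = "https://" + target  # lets urlsplit handle host:port and paths
    host = urlsplit(target).hostname  # already lowercased by urlsplit
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.rstrip(".")


def _matches(host: str, pattern: str) -> bool:
    """Exact match, or wildcard match on a dot boundary (subdomains only)."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        # The dot in `suffix` is what stops "evil-example.com" from matching.
        return host.endswith(suffix)
    return host == pattern


def check_target(target: str, scope: Scope) -> tuple[bool, str]:
    """Return (cleared, reason). The reason is kept for the submission record."""
    host = _host_of(target)
    excluded = [p for p in scope.out_of_scope if _matches(host, p)]
    if excluded:
        return False, f"{host} excluded by out-of-scope asset {excluded[0]}"
    included = [p for p in scope.in_scope if _matches(host, p)]
    if included:
        return True, f"{host} in scope via {included[0]}"
    return False, f"{host} matches no in-scope asset"


def gate(candidates, scope: Scope):
    """Split recon output into cleared and rejected hosts, each with its reason.

    Run this over subdomain-enumeration results before any active testing so
    that nothing outside the documented scope is ever probed.
    """
    cleared, rejected = [], []
    for candidate in candidates:
        ok, why = check_target(candidate, scope)
        (cleared if ok else rejected).append((_host_of(candidate), why))
    return cleared, rejected


if __name__ == "__main__":
    # Constructed scope for illustration; real values come from the program page.
    demo_scope = Scope(
        in_scope=("*.example.com", "example.com", "api.example.net"),
        out_of_scope=("*.staging.example.com", "legacy.example.com"),
    )
    # Constructed recon output, as a subdomain enumerator might return it.
    recon = [
        "https://api.example.com/v1/users",
        "example.com",
        "legacy.example.com",
        "db.staging.example.com",
        "staging.example.com",
        "evil-example.com",
        "example.net",
    ]
    ok_hosts, bad_hosts = gate(recon, demo_scope)
    for host, why in ok_hosts:
        print("CLEARED ", why)
    for host, why in bad_hosts:
        print("REJECTED", why)
```

The decision log is the point: every cleared host carries the asset that cleared it, which is exactly the "scope confirmation per submission" line the MVP checklist asks for, and every rejection is recorded rather than silently dropped.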

#### Measurable Outcomes [#measurable-outcomes]

* **Weekly:** ≥5 days/week × ≥30 min focused practice; ≥1 GitHub-org recon per active target; a weekend that includes a Track B block counts as a binary-marathon success.
* **Monthly:** ≥30 days-in-market per vuln class before context-switching; ≥1 writeup draft in progress; pain-log entries (8-week rolling); X monthly update posted.
* **Quarterly:** ≥1 OSS tool shipped; ≥3 disclosed bounties OR ≥1 vendor-direct submission (M4+) OR ≥1 audit-contest entry (M3+); runway delta ≥+1.5 months.
* **M3 / M6 / M12:** as above.

### Product Scope [#product-scope]

#### MVP (V1 target: M12) [#mvp-v1-target-m12]

1. Claude Code workstation operational — **Day 7**.
2. Five platform profiles active — **Week 1**. Sector-niche target by M2.
3. `fardin.sh` + X live — **Week 1**. One-page manifesto.
4. pwn.college enrolled — **Day 5**. Orange Belt by M6.
5. First disclosed bounty + writeup shipped — **by M3** or surface-switch.
6. First vendor-direct submission attempt — **M4**.
7. First audit-contest entry — **M3**.
8. First OSS security tool shipped — **Q1 end**.
9. Tax / legal baseline — **Day 1**. Schedule C, 30% reserve, LLC note at $30K.
10. Writeup cadence active — 14-day max turnaround.
11. M3 / M6 / M12 reviews calendar-blocked with criteria.
12. Policy-compliance checklist — AI-usage disclosure + scope confirmation per submission.

**Out of MVP:** BSides talk (M8+, gated); paid product (M18+); consulting (Y2+); quitting day job; 0-day research beyond pwn.college + source-reading.

#### Growth (M12–M24) [#growth-m12m24]

* Vendor-direct ≥50% of revenue by M18 (MSRC / Google VRP / Chrome / Android / Apple / ZDI).
* Track B first fuzzing campaign complete M12; published harness + findings.
* Sector-niche authority: nuclei library + ≥3 sector writeups by M18.
* AI-security leg: ≥1 Anthropic / Google AI VRP / OpenAI disclosed finding by M15.
* BSides talk shipped M8–M12.
* First paid product / course shipped M18+ — derivative of writeups + tooling, not standalone content play.
* Consulting onboard Y2 — retainer-only, capped hours.
* Automated income-split pipeline live.

#### Vision (Y3+) [#vision-y3]

* First 0-day CVE landed (M24–30). Vendor-direct, high-severity, coordinated disclosure.
* CVE portfolio as commercial asset — recognizable in ≥3 vendor program queues.
* OSS tool ≥1K stars or external contributor traction.
* Revenue mix matches NahamSec template: \~50/25/25 bounty / content / consulting.
* Day job optional: $300K banked or 18mo runway.
* EU CRA disclosure wave captured — first-mover filings after Sep 11 2026.
* Black Hat / DEF CON submission credible.
* Runway ≥24 months stacked per year.

### Operating Principles (the 12 Bold Moves, canonical form) [#operating-principles-the-12-bold-moves-canonical-form]

All 12 are research-confirmed. Applied at every sprint review.

1. **pwn.college from Week 2** — binary track starts parallel, not "later." GhidraMCP + Decyx by M2–M3.
2. **Writeup within 14 days** of every disclosed bounty. Non-negotiable.
3. **Automated cash-out 50/25/25** — brokerage / SEP-IRA / tools+consulting. Every inflow.
4. **One OSS tool per quarter** — AI-adjacent gaps only (binary-first Claude skills, sector-specific nuclei, writeup-to-skill compilers). **Never** head-on autonomous-pentest — XBOW / RunSybil own that.
5. **GitHub-org recon Day 1** of every target. Dorks running before anything else.
6. **Vendor-direct by M4** — hygiene M2–M3. Consider M2–M3 pull-forward if capability permits.
7. **Sector niche by M2** — fintech / devtools / infra. Financial + gov highest median P1.
8. **Immunefi + Code4rena + Sherlock + Cantina** by M3 as variance hedge.
9. **Weekend marathons for binary** — not daily drips.
10. **Pain-log 8 weeks** before building any SaaS.
11. **Public disclosure requested** on every resolved bounty.
12. **Collaborator + accountability + IRL meetup** by M3.

### Risk Register & Kill-Switches [#risk-register--kill-switches]

**Monthly review against each risk. Triggered action, not optional.**

| Risk                                     | Leading indicator                                                | Trigger                                        | Action                                                                                      |
| ---------------------------------------- | ---------------------------------------------------------------- | ---------------------------------------------- | ------------------------------------------------------------------------------------------- |
| Surface mismatch (Track A)               | M3 with 0 bounties and no plausible M6 resolution                | M3 gate fails                                  | Switch surface (H1-public → Intigriti-EU / Synack) before switching strategy.               |
| AI workflow incompatible with policy     | M6 with `<50%` grind-reduction OR any policy strike              | M6 gate fails                                  | Redesign Track A workflow. No mass-submit.                                                  |
| Losing to autonomous agents on H1-public | M12 with 100% low-severity commodity earnings                    | M12 gate fails                                 | Force-move to vendor-direct / AI-security / Web3 audit contests.                            |
| LARP drift                               | Planning-artifacts : disclosed-bounties > 3:0 at M3              | M3 ratio                                       | Stop all planning. Execute only until a bounty ships.                                       |
| Broker temptation                        | Any consideration                                                | First instance                                 | Kill the practice. Start different one. Operation Zero (Oct 2025) = reference.              |
| AI-slop submission                       | Any                                                              | First instance                                 | Platform strike accumulates; second instance on any platform ends Track A on that platform. |
| Scope violation / DMCA §1201             | Any out-of-scope research                                        | First instance                                 | Stop, document, disclose internally. Repeat → legal exposure.                               |
| Day job pressure to quit early           | Any consideration before $300K / 18mo                            | First instance                                 | Reject. Anti-Solution axiom #2.                                                             |
| Boredom axis fires                       | Monthly review                                                   | Track A surface producing dev-style repetition | Force-shift toward binary / 0-day / AI-security. Not out of bug bounty.                     |
| Influencer drift                         | Talk / podcast / paid-product attempt before ≥1 bounty + writeup | Any attempt                                    | Hard block. Axiom enforcement.                                                              |

### Operating Cadence [#operating-cadence]

* **Daily floor:** 30 min focused practice, ≥5 days/week. Streak tracked on fardin.sh public page.
* **Weekend:** Track B binary marathon (≥3 hr block). Tooling Sunday (OSS tool work).
* **Weekly:** X update posted. Backlog grooming. Target-rotation review.
* **Monthly:** KPI review against risk register. Runway delta calculated. Writeup queue audit. Pain-log entry.
* **Quarterly:** OSS tool shipped. Sector review. Kill-switch check if milestone quarter (M3 / M6 / M12). Cash-out split executed.
* **M3 / M6 / M12:** formal kill-switch review. Written decision artifact on fardin.sh (internal draft; publish post-M12 retrospective).

### Sprint 0 — Next 7 Days (the real PRD, per PRFAQ verdict) [#sprint-0--next-7-days-the-real-prd-per-prfaq-verdict]

Execution starts now. Ship order, not suggestion order.

* **Day 1 (today):**
  * Register `fardin.sh` domain. Configure DNS.
  * Register / claim X handle. Set bio, header.
  * Draft one-page manifesto (brief distillate + axiom).
  * Set up Schedule C accounting baseline. 30% tax reserve account opened.
* **Day 2:**
  * Publish manifesto to `fardin.sh`.
  * Create accounts: HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi. Complete profiles.
  * First X post (commitment device): "Week 1 — operator practice starts today." Link manifesto.
* **Day 3:**
  * Pick Week-0 target. Rails / Next.js stack, explicit safe harbor, in-scope recon only.
  * Install Burp Community + Burp MCP.
  * Install `shuvonsec/claude-bug-bounty` in Claude Code.
  * Run GitHub-org recon dorks on chosen target. Log findings in private notes.
* **Day 4:**
  * Track A hunting: first recon session on Week-0 target. No submission yet — build the pipeline, not the report.
  * Draft sector-niche shortlist (fintech / devtools / infra). Pick one by end of Day 7.
* **Day 5:**
  * Enroll pwn.college CSE 466. Complete first module.
  * Schedule weekly Track B weekend block (Sat + Sun, 3-hr minimum).
* **Day 6:**
  * X Week-1 update post. Specific: what was installed, what was learned, what's next. No hype.
  * Writeup-template v0 committed to `fardin.sh/writeups` repo (even empty — infrastructure exists before first bounty).
* **Day 7:**
  * Outreach to security-fundamentals professor. Ask for one intro or one conversation.
  * Week-1 retrospective (internal). Commit to Week 2 targets. Sector niche locked.
  * LLC note filed for $30K-threshold trigger.

**Sprint 0 done signal:** platform profiles live, workstation operational, manifesto published, pwn.college enrolled, Week-0 target under recon, first X commitment post shipped, writeup infrastructure in place.

### PRD Status [#prd-status]

**V1 complete 2026-04-21.** Steps 4–11 compressed at operator's direction after PRFAQ-verdict recall ("further planning without execution is LARP"). This PRD is operational, not exhaustive. Revisions happen post-M1 with real bounty / submission data — not before.

**Governing axiom:** Research is the product. Content is the distribution. Skills are the features. Reputation is the asset.
