Today I am going to explain about getting duplicates when reporting bugs. This is purely my experience and how I am overcoming it.
When I started learning to hack I heard everywhere that “Duplicates are common in Bug Bounty”, but until I got a duplicate I didn’t realize how demotivating that is. There are some guys who take duplicates as motivation; they are just awesome.
When I started getting duplicates, I felt nothing, but when everything I reported was a duplicate I felt very demotivated and became mad at myself. But once I reported 5 bugs to a company and 4 of them were duplicates and one was valid (i.e. my second ever bounty), I felt so happy and started to motivate myself. The thing is, we are mostly only watching tweets saying Yey! I got $$. Literally only a few people are tweeting about Oh I got duplicates.
Then I tried to understand why everything I was reporting was a duplicate or an NA, and it ended up being about the OWASP Top 10 vulns. I realized that everything I was reporting was low hanging fruit. Mostly companies ignore them: if a low hanging bug is reported and it’s hard to resolve, it will still be there, and the next hacker hacking on that target will find it and report it and end up with duplicates and demotivation. Once, on my tweets about duplicates, STOK told me to go for OWASP Top Ten bugs. Yeah, thank you STOK.
Mostly when we report a critical or high severity bug they will resolve it ASAP so it doesn’t get abused by blackhats, so the chance of getting duplicates will be very low, because they will resolve it before someone else gets there.
The old me was reporting at least 1 bug a day; mostly I would only hack a target for 2–3 days and then move to the next. Now it’s the 2nd week I am on the same target. I will explain the difference. Finding a critical is way better than finding 5–10 low bugs. You will get paid almost equally, but the chance of a duplicate is much lower.
I want to tell my beginner guys that getting duplicates is not at all uncommon; there are a lot of people hunting in the same way as you. So what I will suggest is to spend a long time understanding the target, make your brain work and find a business logic bug, or learn the OWASP Top 10 vulns and try them out there. Yes, as always, Good Things Take Good Time.
Happy hacking guys, ping me on Twitter: iam_j0ker