Last time, we gained a bird’s eye view of the landscape of bug bounties. We concluded that they have many benefits, but can also lead to bug bounty burnout. Today, we explore what causes burnout and suggest ways to heal from it and preserve your mental health while still doing what you’re passionate about: Hacking!
As a side note, although burnout and depression share some symptoms, they are different. If you suffer from depression, you should visit a mental health professional. These suggestions reflect what worked with my own burnout experience. They are not based on scientific facts and don’t replace your doctor’s intervention.
Burnout and bug bounty mental health
I am not a mental health specialist. However, according to a medically reviewed post on verywell mind, burnout happens when you feel exhausted, start to hate your job, and begin to feel less capable at work. Other factors like your personality traits and thought patterns, such as perfectionism and pessimism, can contribute to burnout as well.
That’s exactly what is happening to many of us in bug bounty hunting. But why is burnout common in our community?
How exhaustion leads to burnout in bug bounty hunting?
As we saw in the previous episode, the majority of hackers do bug bounty hunting part-time. This means that besides a 9 to 5 job or a day of studies, we dedicate yet another chunk of our daily hours looking for vulnerabilities on bug bounty programs. Guess what, it takes time and energy to first understand how targets work, then analyze and test the different features. Besides, doing it every day is exhausting. In the end, we’re not even sure that we will find a vulnerability or not!
Bug bounties and duplicates
You might think that full-time bug bounty hunters don’t suffer from burnout because they have all the time available, and you’d be right, partially! In fact, they might not find vulnerabilities for days or even weeks, or report duplicate vulnerabilities and get nothing in return. As we saw in the previous episode, a bug bounty hunter gets rewarded only if he or she is the first to report a valid bug. This adds frustration and a sense of instability because bug bounties are a main income for them. So, while part-time hunters spend more working hours and get exhausted over time, full-timers might have troubles keeping a steady salary from an unstable source of income. You might also find full-time bug bounty hunters who are also exhausted, which make things even worse.
Lack of a organization
In my opinion, this is one of the most important factors of burnout from my humble experience. If you’re not organized, you will always achieve less and feel that you are behind your goals.
- Lack of focus: In fact, with the growing number of programs joining bug bounty platforms, it’s easy to get lost jumping from one program to another and wasting your valuable time doing nothing but shallow testing.
- Physical health: During the whole time of your bug bounty hunting, you are probably sitting on a chair, maybe drinking energy sodas and perhaps skipping meals in favour of delivered snacks. If you’re doing some or all of this, you should ask serious questions about your physical health routine.
Over time, a growing voice inside you starts telling you that your life is unbalanced. Your relationships might be declining while not finding any bugs. In other words, you feel disturbed, unfocused and less capable in bug bounty hunting.
If you use Twitter like most of the bug bounty community members, chances are that your feed is full of bug bounty tweets and hacking content. Well, you surely stumbled across tweets showing off bounty rewards. You might even have seen tweets about payment statements of hundreds or even thousands of dollars in one single day. You then start questioning your abilities and comparing yourself, which has only one outcome; feeling incompetent, jealous, and even pessimistic!
You have burned out, what to do now?
The first thing to do when you have a burnout during bug bounty hunting is to actually realize that you have one. That sounds obvious, but not many hunters ignore the symptoms. Once you are aware of it, there are many things you can do about it.
Stop hacking immediately
You should eliminate exhaustion by giving yourself some rest. The good thing about bug bounty hunting is the time flexibility it provides, so take advantage of it! Go out with some friends, watch a movie, spend some meaningful time with your family, do some exercise, or simply get some sleep. Life has a lot to offer than just the rush of finding a bug or getting paid. Stay away from hacking until you cool down and feel rested. For me, that was about a year.
Adapt your mindset and expectations
If you recall from the first part of this episode, burnout can be amplified with personality traits. For example, if you tend to compare yourself with others and get jealous when they earn bug bounties, maybe you should get inspired from them instead. Remember that you only see the results, not the amount of hours and effort which led to finding those bugs in the first place.
Another important aspect to consider is the reason why you hunt for bugs. If it is mainly for money, you will definitely feel low sooner or later. Instead, why don’t you consider each bug bounty hunting session as an opportunity to understand how your target works, to learn the new technologies it uses and how the features work together. With this approach, you’re not only moving the money problem away, but you’re also increasing your chances of finding deep security bugs. Even if you don’t find any bugs, which is less likely to happen, you would still have learned many new things which would help you in future targets.
Solve small bug bounty challenges
Have you left bug bounty hunting for months but still don’t have the mood to go back? In this case, try to solve mini security challenges. For example, the hacker101 platform provides real-world challenges from a range of difficulty levels. This will have two positive effects. First, your mind will produce adrenaline that will boost your mood. Secondly, you will get private invites from HackerOne. Pretty cool huh?!
Consult a doctor
If you’re still suffering from burnout even after applying the suggestions above, or if it’s starting to affect other parts of your life such as your work or your close relationships, I would highly recommend you visit your doctor. It might be that you’re heading towards a depression.
How to avoid burnout in bug bounty hunting?
Rather than suffering from burnout and then try to heal from it, wouldn’t it be better if you could prevent it from happening in the first place? Let’s explore proactive ways you can apply to stay healthy while hacking on your favourite bug bounty platform.
Lower you bug bounties expectations
If you start your hacking session willing to find a vulnerability right away, you will have a hard time meeting your expectation, unless you are lucky enough, which doesn’t happen all the time. Understand that bug bounty hunting takes time and effort. The more time you spend enumerating your target, the higher your chances of finding interesting bugs will be. If you’ve done your best effort and poked around every corner of your target without finding anything, just move on to another one. It doesn’t necessarily mean that you are incompetent.
Level up your bug bounty hunting skills
If you want to expand your attack surface, you have to learn new hacking techniques. There are many resources you can learn from. For instance, follow other hackers who share their techniques, read the HackerOne Hacktivity which discloses published bug bounty reports, subscribe to security feeds like the PentesterLand’s newsletter. With time, you will find that you can exploit more vulnerabilities.
Develop a healthy schedule
I bet you have other responsibilities in your life. Well, failing to manage them in the favour of bug bounty hunting is a bad idea. As you continue to ignore them, they will keep growing until they affect your productivity. You must have a schedule which helps you fulfill them. You daily routine should include healthy meals, break time, room for other duties, etc. The idea is to avoid exhaustion by keeping your life balanced.
Have a hacking buddy
This depends on your personality, but if you feel uncomfortable being isolated in your room hunting for bugs, then it’s good to have a bug bounty friend you can collaborate with. That way, you will combat loneliness and exchange hacking ideas and attack vectors with each other. Sometimes, all you need is a small hint from another perspective to achieve your exploitation, and your buddy can give you just that!
Bug bounty hunting doesn’t have to be painful. With the right mindset and healthy attitudes, you can definitely stay passionately motivated while hunting for security bugs. So that’s it! Let me know how you deal with burnout in the comments. I’d love to hear what you do to overcome it.