Mental Health

This is the page I wish existed when I started. Nobody in the community talks about this stuff honestly, at least not publicly. The Twitter feed is all wins. The Discord is full of people sharing their crits. What you don't see is the three-month dry spell before that crit, or the researcher who quietly burned out and disappeared.

Duplicates Are Statistics, Not Failure

Getting a duplicate on a good finding is one of the most demoralizing things in bug bounty. You find something real, you write a solid report, and you get back "Duplicate, closed." Nothing. No bounty, no recognition, sometimes not even a thank-you.

Here's the frame that actually helped me: on a popular target with a large researcher pool, a high-value endpoint getting found by two people within days or even hours of each other is not bad luck. It's probability. Thousands of researchers, finite attack surface, limited window between when a feature launches and when it gets reported.

Duplicates don't mean you were wrong. They often mean you were right, just not first. The skill that found it is still yours. The next target doesn't know about your duplicate.

The worst response to duplicates is avoiding new programs or common vulnerability classes to minimize the risk of getting duped. That's playing to not lose. Keep hunting what you're good at.

Burnout: What It Actually Looks Like

Burnout in this context doesn't always look like exhaustion. Sometimes it looks like this: you open a target, you poke around for an hour, nothing feels interesting, you close it and watch TV. Then you feel guilty about not hunting. Then you open the target again. Then you close it again.

That cycle is the warning sign. It's not laziness. It's your brain telling you the current approach isn't working.

Session structure that helps:

  • Time-box sessions. Two hours with a specific goal is better than six hours of unfocused browsing. Decide before you open a browser what you're looking at.
  • Target rotation. Staring at the same app for weeks is a diminishing-returns problem. Fresh eyes on a new target often produce more than grinding an old one.
  • Outcome-agnostic sessions. Some sessions are just reconnaissance with no expectation of finding anything. This removes the pressure that kills creative thinking.
  • Hard stops. Set a time to stop and stop at that time. The "just one more endpoint" spiral is real and it ruins evenings.

When to actually stop for a while: if you've been hunting consistently, the work feels mechanical, everything looks the same, and you're not curious about what's behind the next parameter, take a week off. Not a break where you feel guilty the whole time. An actual break. The curiosity comes back. It always does.

Imposter Syndrome

Everyone's first valid was terrifying. I don't know a single experienced researcher who wasn't convinced their first report was going to get closed as informational. The anxiety before submitting a report you think might be real is a feature of caring about the work, not a sign you don't belong.

The researchers who look confident on Twitter have submitted plenty of garbage reports. They've had plenty of N/A's and informational closures. The difference between them and someone still stuck in imposter syndrome is usually just volume of attempts. They kept submitting. The feedback loop eventually built confidence.

You are not uniquely bad at this. You are at a stage everyone passes through.

The specific flavor of imposter syndrome that bugs me to see: researchers who find a real vulnerability, downgrade their own assessment before submitting because they're afraid of looking dumb if it's not as severe as they think, then get back "Resolved, thanks" with no bounty because they submitted it as a low. If you think it's a high, say it's a high. Include your reasoning. Let the triage team disagree if they need to.

The Loneliness Problem

Solo work is isolating. Most researchers work alone, on targets they can't talk about publicly, with findings they often can't share for months or ever. The work is invisible until a bounty hits.

The practical response: find two or three people who hunt at a similar level and talk to them regularly. Not to share techniques necessarily, though that's a bonus. Just to have people who understand what you're doing. A Telegram group, a Discord server, a weekly call. The community exists. You have to seek it out.

Collaborations help too. Hunting with a partner on a shared target breaks up the isolation and often produces better results because different people notice different things. See Business of Bounties.

The Comparison Trap

Someone on Twitter just posted a $30,000 payout screenshot. Someone else just announced they're number one on a leaderboard. Someone else is speaking at a conference you've never been to.

The comparison trap is brutal in this community because the wins are very public and the losses are private. You are comparing your full experience, including all the failures, to other people's highlight reels. It's not a fair comparison and it never will be.

The only useful comparison is you versus yourself three months ago. Are you finding things you couldn't find then? Do you understand something now that confused you before? That's the metric.

Mute or unfollow accounts that make you feel bad about your progress. This isn't weakness. It's information management.

Taking Breaks Makes You Better

I used to feel guilty about every day I didn't hunt. That guilt made me grind through sessions where I wasn't producing anything useful, which made me resent the work, which made the next session worse.

Taking an actual break, a few days or a week, regularly, is not falling behind. The target isn't going anywhere. The skills you've built aren't going anywhere. You come back with fresh pattern recognition and you find things you'd walked past twenty times before.

The researchers who last in this field for a decade aren't the ones who never stop. They're the ones who figured out how to rest without guilt and come back sharp.

See also: Career Strategy, Running a Program