[mzfr]

I've seen a lot of your tweets about those bounties :)

As someone who has done bug bounties and also has certifications, I can suggest a few things.

1. College - Like others said, it helps a lot not just careerwise but socially as well.

2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.

You might think why would you need a job in any org to do so? Well, simply because a stable income(the reason I stopped doing bug bounties) and association with a good org/group improve your network. Not sure if you know this or not but having a good network of people really helps, professionally.

3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.

**

You already know this but I'd state it again, literally every program lowballs, and no one wants to pay up. So if you get 10k for RCE but expected 100k, just stop reporting to that program. If you like working on their services then maybe try talking to the program managers about it. In the end, if you feel like the program isn't giving back as you expected just move on to a different program.

All the above stuff was what came to mind to help your professional/bug-bounty career. To answer the question

> I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.

If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)

Happy hunting!

[equatorium]

Thank you really much, great advice.

> 2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.

Already got my foot in some cool groups, not really a work-together thing, but still filled with some very skilled people like pmnh (https://hackerone.com/pmnh?type=user) and zi (the guy from dayzerosec https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA). Joining big organizations like Google Project Zero seems very hard for me in my eyes haha. Would have no idea on how to get into them.

> 3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.

I'd say that's very much true, but certifications is still a nice-to-have on the side, but surely not a big change.

> If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)

Yea, especially now, smart-contract research pays big. I'm probably gonna look into both and decide on later on what to focus.

Thanks again man, much appreciated.

[mzfr]

> Already got my foot in some cool groups, not really a work-together thing

Yeah I actually was saying insense of professional work. For Ex: Take assetnote, they do code review,s and such. If you get to work with them that would be really good for professional work. There are several other smaller startups/org with good people in them that are doing security research.

> like pmnh (https://hackerone.com/pmnh?type=user) and zi

Oh, that is a good thing. I've followed some of their work.

> Joining big organizations like Google Project Zero seems very hard for me in my eyes haha. Would have no idea on how to get into them.

Right now, not sure how it would work. But P0 was just an example, if the idea of working they seem good then the first step would be to professionally become part of a smaller org/group that does security research. And then gain traction from there by doing more public research in whatever field you like. AFAIK P0 prefer people with public research experience and have something decent to show they did publically.

> and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.

Just read this in one of your comments (sorry just going through the thread). I actually agree with what @mrg2k8 said you are young and don't forget to enjoy the time you have now.

The thing about certification/Year of Experience is true but only when you actually want to work in an organization that works for itself. Basically, if you want to go in a line where you are working as insert security-related post, in a company. If you want to continue working as a researcher, just exploring applications and finding bugs then you don't have to worry about all that because in that scenario public achievements would rein over certifications or years of experience.

If you are getting bored with research and want to get a job like penetration tester, Product security, etc then I think the majority of my suggestions become irrelevant. And then you should just go for a degree -> certifications -> Apply for jobs -> $$$$