From Zero Reports to My First Hall of Fame
2026-4-29 05:7:50 Author: infosecwriteups.com (view original) Reads: 17

VoidSec24

For almost two years, I hunted bugs without a single acknowledgment.
Late nights, no triaged reports, no bounties — just learning, failing, and trying again.
I questioned myself many times, but I never quit.

The Shift That Changed Everything

I stopped chasing only paid bug bounty programs.
I switched to VDP/RDP programs to build my portfolio and gain confidence first.
That mindset shift was the real turning point.

Finding GEA Group’s VDP

During recon, I came across GEA Group’s VDP.
The scope wasn’t clearly defined, so I explored its subdomains myself.
My strategy: don’t aim for complex bugs — just find something valid and impactful.

The Vulnerability

On one of their login pages, I noticed missing X-Frame-Options/CSP headers.
I tested it in an iframe → it loaded → pure clickjacking.
I documented PoC, screenshots, impact, and sent the report immediately.
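As an added example (not code from the original post), this is the check a triager or defender can run over a login page's response headers to decide whether the page is framable, together with the hardened header set that closes the issue. The sample headers are constructed for the demo, not GEA Group's real responses.

```python
"""Assess clickjacking exposure from one HTTP response's headers.

A browser honours two controls: the CSP frame-ancestors directive (which takes
precedence when present) and X-Frame-Options. A page sending neither, or only
an obsolete/invalid value, can be loaded in a third-party iframe.
"""
from typing import List, Mapping, Optional

# What a fixed login page should send: both controls, for old and new browsers.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

# Constructed sample: a response with no framing protection at all.
UNPROTECTED_LOGIN = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=constructed-value; HttpOnly; Secure",
}


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Mapping[str, str]) -> dict:
    """Return {'framable': bool, 'reason': str}; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:  # frame-ancestors present: X-Frame-Options is ignored
        if not ancestors or ancestors == ["none"]:
            return {"framable": False, "reason": "CSP frame-ancestors 'none'"}
        if "*" in ancestors:
            return {"framable": True, "reason": "CSP frame-ancestors allows any origin"}
        return {"framable": False, "reason": f"CSP frame-ancestors restricted to {ancestors}"}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"framable": False, "reason": f"X-Frame-Options {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        return {"framable": True, "reason": "ALLOW-FROM is obsolete and ignored by current browsers"}
    if xfo:
        return {"framable": True, "reason": f"invalid X-Frame-Options value {xfo!r}"}
    return {"framable": True, "reason": "no X-Frame-Options or CSP frame-ancestors header"}


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED_LOGIN), ("hardened", HARDENED_HEADERS)):
        print(name, assess_framing(hdrs))
```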

The Result

Less than a month later, I received the email.
The bug was fixed.
I was officially recognized in their Hall of Fame.
No money — but massive validation.

Hall of Fame

What This Taught Me

  • Even small bugs matter.
  • Recognition matters more than payout in the beginning.
  • Building a portfolio comes before chasing bounties.
  • Consistency beats everything.

You don’t fail in bug bounty unless you quit.


Source: https://infosecwriteups.com/from-zero-reports-to-my-first-hall-of-fame-177eb70afd58?source=rss----7b722bfd1b8d--bug_bounty