Bug Bounty & Dead Periods

January through March always seems like a very quiet time when hunting with Synack. This is when most of the re-tests occur, the opportunities to find new things are limited, and it becomes a bit scrappy.

With that said, this year I've done a bit better than I had last year (USD):

*As of 15th March 2024

          January   February   March
  2023        493       2072    3652
  2024       4870       1430    7050*

In the above, most of February's earnings were related to patch verifications for vulnerabilities found before Christmas. For each month I've only found a couple of bugs at most - I just haven't been putting much time in. Changes to target distribution definitely didn't help the motivation. Previously I earned the right to initial access through consistent findings, but this changed as it had been horrifically abused by some others who had the early access. My focus has also shifted from finding anything and everything to the things I enjoy finding, like SSRF and SQL Injection. The problem with access control/IDOR and XSS is that I am just too slow when it's a speed run for vulnerabilities on newer targets; I prefer to take my time on reports and not just send in the minimum information needed.

I decided to spend my time doing more constructive things rather than banging my head against hardened targets in the few free hours I get a day:

  • Taking the Certified Red Team Operator from Zero-Point Security Ltd (and passing!)
  • Taking the CPSA exam from CREST (and passing!)
  • Taking part in the HTB Cyber Apocalypse with colleagues at work (managed to find 21 flags!)
  • Planning for the CRT from CREST in April

It seems silly with my experience to take CPSA and CRT, but they look to be more sought after in the UK than OSCP and OSWE, which I've held for some time and used regularly in security research and hunting. Hoping that April onwards will bring more success with some fresh targets!