sl4x0

Full-time Bug Bounty Hunter

The OAuth Happy Path Was a Lie: One-Click Account Takeover via Facebook

The target in this case was a mainstream e-commerce platform with Facebook login enabled. While reviewing their OAuth integration, I noticed the flow relied on Facebook as the identity provider (IdP) — and that immediately triggered a reflex.

Whenever I see Facebook or Google OAuth on a target, I always test the Jayesh trick:

Remove the email scope during the social login → wait to see if the app lets you manually input an email after OAuth completes.

Full-Time Bug Bounty Test — Can You Really Quit Your Day Job?

I spent a year navigating the full-time bug bounty world myself. My goal here is simple: to share a practical, no-nonsense financial test based on my experience.

Important Note: This is my perspective from my journey. It worked for me as a framework, but everyone’s situation – skills, location, risk tolerance, family commitments – is different. I’m not telling you to quit your job, find one or take any specific action. Think of this as a tool to help you assess your circumstances. This post focuses purely on the money aspect – can bug bounty consistently cover your essential bills right now? We’re not diving into the equally important (but harder to measure) aspects like learning, networking, or the sheer experience itself today.