How Valkant Started: Our First 90 Days on HackerOne

valkant/April 2026

Three months ago we created a HackerOne account and started submitting vulnerability reports. We had no reputation, no track record, and no playbook beyond a solid foundation in web security. Ninety days later we hit the top 2.5% of researchers on the platform with about $18,000 in bounties earned across paid programs and VDP submissions.

Here is what actually happened. Our first submissions went to Goldman Sachs and DoorDash. We picked these because they had large attack surfaces and active programs. We found real bugs on both. The Goldman Sachs work taught us about financial application security. DoorDash taught us about GraphQL APIs and the value of differential response analysis. Both paid.

Then we found the OPPO Cloud vulnerability. A critical cryptographic weakness that affected hundreds of millions of devices. That single finding changed our trajectory on the platform. It proved that going deep on one target and understanding its architecture from the ground up beats spraying automated scans across dozens of programs.

We also submitted to Anduril Industries, testing their defense technology platform, and to the Department of Defense through their VDP. Not every program pays cash, but VDP submissions build reputation and signal. The DoD work in particular showed us that government targets have a completely different risk profile than commercial ones.

What worked: spending days on a single target instead of hours. Reading every line of JavaScript. Understanding the business logic before trying to break it. Writing detailed reports with clear reproduction steps and honest impact assessments.

What did not work: running scanners and hoping for results. Submitting low-quality reports to farm volume. Targeting programs with thousands of active researchers. Trying to find XSS on hardened targets instead of looking for logic flaws.

This is not a "how to get rich" post. The first 90 days were a grind. Plenty of dead ends, lots of duplicates, lots of things that looked like bugs but turned out to be intended behavior. But the compounding effect is real. Every target you study makes you better at the next one. Every report you write sharpens your communication. If you are thinking about starting, just start. Pick a target, read its code, and look for things that do not make sense.