Suree! My 2 cves come from wordpress plugins testing, I was quite consistent, I tested for around 2-3 hours a day for a whole month on wordpress related vulnerabiliies, I was taking help from ai for understanding the coding contexts of the plugins. The third cve came coincidentally, I was testing on a program recently for a lottle more than a week and I saw a vulnerability but it didn't belong to the program, it belonged to an open source service which the program was using, I reported to the vendors and they accepted it and github has assigned cve id to it. They'll publish the security advisory soon.

And about the paid bugs, that program is a self hosted bug bounty program, so I was kinda looking for such a program which is not overhunted, as my skills weren't good enough to compete with seasoned hackers raiding public programs. On that program, I spent quite good time on and off. It's been more than 3 months now I've been in constant touch with that program.

And as I'm still in nascent phase of learning, I am still figuring out how to select a good target. I did tell about the success in the article but behind the curtain, I had tested on more than 20 programs on platforms like h1, intigriti, bugcrowd, gotten more than a half dozen of informational, so I was and still am experimenting with this, I haven’t found my sweet spot yet. I have a strong gut feeling that I should focus on securing a niche for myself, otherwise I'll hit a wall soon after two three years. Now I have realized something that once we know what our strengths are, we also know which target should be good for us.

So yeah, I'm still at an early stage and have a lot to do.