From Zero to $2 Million: The Self-Taught Hacker Who Proved You Don’t Need a Degree

Jenish Sojitra went from getting his Facebook hacked in 2016 to earning over $2 million through bug bounties. He used free resources, no paid courses, and built his skills through practice and community learning. His story shows you don’t need elite credentials to succeed in cybersecurity.

In 2016, a college freshman named Jenish Sojitra got his Facebook account hacked by a friend using phishing. Most people would panic and move on. Sojitra got curious.

He wanted to know how it worked. That curiosity led him down a path that would earn him over $2 million by 2024.

Today, Sojitra ranks in the Top 20 hackers of all time on HackerOne under the handle “Jensec.” He has worked with over 190 organizations including Google, PayPal, and Facebook. He has found and reported more than 1,600 vulnerabilities.

His background? No tech experience. No paid courses. No certifications. Just hard work and willingness to learn.

Day One: Three Students and a Conversation

Sojitra’s transformation started with community. He still remembers when two friends, Bhavy Seth and Nirmal Chandarana, asked him to discuss bug bounty hunting. That conversation between three students changed everything.

All three would go on to earn serious money. Seth and Chandarana each made over $500,000 on HackerOne. Sojitra crossed $2 million.

This peer learning approach beat traditional education. Instead of waiting for formal instruction, they explored together. They shared discoveries and built knowledge as a group.

In 2016, bug bounty hunting was new in India. There were limited local mentors or structured programs. But online forums, Twitter, and HackerOne’s public reports gave them everything they needed. Sojitra learned from established hackers he admired without ever meeting them.

The Free Education: Learning Without Paying

What does it take to go from zero to bug bounty pro when you have no tech background? Sojitra’s answer: free resources and relentless practice.

His learning tools were accessible to anyone with internet:

Hacker101: Free video lessons and Capture The Flag challenges from HackerOne
BugPoc CTF: Interactive exercises for finding vulnerabilities
Twitter feed: Following security researchers and learning from their posts
PentesterLand: Curated newsletter for staying current
HackerOne Hacktivity: Public stream of real vulnerabilities found and fixed

No expensive courses. No specialized certifications. No formal mentorship programs.

Sojitra was enrolled in computer science at Nirma University and graduated in 2020. But his bug bounty skills developed independently of school. The degree gave him foundations. The hands-on expertise came from his own initiative.

His approach focused on understanding, not copying. He didn’t blindly follow tutorials or paste proof-of-concept code. He invested time in comprehending how and why vulnerabilities existed.

Before attacking any target, he spent an hour studying it. He learned the application’s architecture, business logic, and attack surface. This preparation became his secret weapon.

For tools, he kept things simple. Burp Suite handled 95% of his testing. He combined it with Google dorks for reconnaissance. Deep mastery of core tools beat superficial knowledge of many.

The Breakthrough: COVID Lockdown Changes Everything

By early 2020, Sojitra had spent four years quietly building his reputation. Then COVID-19 hit and bug bounty hunting exploded in India.

During lockdown, Sojitra earned over $50,000. For a 21-year-old college student, this was life-changing money.

His focus on cryptocurrency platforms proved smart. As crypto boomed, bounty rewards climbed. He found vulnerabilities in smart contracts, blockchain systems, and wallet APIs. But he didn’t limit himself. His portfolio expanded to API security flaws, IoT devices, and web application logic bugs.

By age 20, Sojitra became a millionaire through bug bounties and crypto trading. But he kept hunting. Money wasn’t the only driver. He loved working with security teams globally and the intellectual challenge of breaking security systems.

The $15,000 Logic Bug: Simple Beats Complex

Among thousands of vulnerability discoveries, one finding shows why logical thinking beats technical complexity.

Sojitra found a critical account takeover flaw in a gaming company. The vulnerability wasn’t sophisticated SQL injection or a zero-day exploit. It was a business logic error hiding in plain sight.

During account registration, he added an ID parameter to the signup request. He provided the user ID of an existing account. Instead of rejecting this manipulation, the application linked his email and password to the victim’s user ID.

The result? Complete account takeover. Anyone could hijack any account by knowing or guessing their user ID.

The company paid him $15,000, their maximum bounty.

This teaches a crucial lesson: the highest-paying vulnerabilities aren’t always technically complex. Logic flaws in workflows, authorization checks, and business processes often yield critical findings that automated scanners completely miss.
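The flaw class described above, next to one way to close it, as an added illustration that is not the gaming company's code. The field names (id, email, password), the in-memory store and the function names are assumptions made for the example, and password hashing is left out to keep the focus on how the identifier gets bound.

```python
import itertools

ALLOWED_SIGNUP_FIELDS = {"email", "password"}  # assumed field names


class UserStore:
    """In-memory stand-in for the accounts table (constructed for this example)."""

    def __init__(self):
        self.users = {}
        self._ids = itertools.count(1)

    def next_id(self):
        return next(self._ids)


def signup_vulnerable(store, body):
    # Flaw: a client-supplied "id" is trusted, so an existing record with
    # that id is rebound to the caller's email and password.
    user_id = body.get("id") or store.next_id()
    store.users[user_id] = {"email": body["email"], "password": body["password"]}
    return user_id


def signup_hardened(store, body):
    # Reject fields the client may not set instead of silently dropping
    # them, so tampering surfaces as an error that can be logged.
    unexpected = set(body) - ALLOWED_SIGNUP_FIELDS
    if unexpected:
        raise ValueError(f"unexpected signup fields: {sorted(unexpected)}")
    if any(u["email"] == body["email"] for u in store.users.values()):
        raise ValueError("email already registered")
    user_id = store.next_id()  # the identifier is always assigned server-side
    store.users[user_id] = {"email": body["email"], "password": body["password"]}
    return user_id


def demo():
    """Send the same tampered signup (constructed sample) to both handlers."""
    tampered = {"id": 1, "email": "mallory@example.test", "password": "pw-m"}
    weak, strong = UserStore(), UserStore()
    signup_vulnerable(weak, {"email": "alice@example.test", "password": "pw-a"})
    signup_vulnerable(weak, tampered)
    signup_hardened(strong, {"email": "alice@example.test", "password": "pw-a"})
    try:
        signup_hardened(strong, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return weak.users[1]["email"], strong.users[1]["email"], rejected
```

A regression test that replays a signup carrying an extra identifier field catches this kind of bug, which is the case scanners tend to miss because the request is syntactically valid.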

The $131,000 Month: Mobile Apps and Hidden Endpoints

October 2024 showcased Sojitra’s evolution into an elite-tier researcher. That month, he earned nearly $131,000 from 18 paid reports. Average payout per finding: $7,300.

His technique? Mobile application reverse engineering. He decompiled Android APKs and iOS apps to analyze their code, API calls, and hardcoded secrets. This revealed internal API endpoints never meant for public access, authentication mechanisms to bypass, and code execution vectors invisible through normal app testing.

This demonstrates a key principle: continuous skill evolution. The vulnerabilities that earned him hundreds in 2016 were picked clean by 2024. To maintain his edge, he had to acquire new capabilities and explore emerging attack surfaces.

Old Programs Aren’t Dead: The Biggest Misconception

Sojitra challenges a common belief: “The idea that old programs do not have vulnerabilities is the biggest misconception to me.”

Many hunters assume mature bug bounty programs have been thoroughly examined. They chase newly launched programs believing fresh targets offer better opportunities.

Sojitra proved the opposite. He focused on five programs per month, then revisited old targets every three months. He consistently found new vulnerabilities in applications he had already tested.

Why this worked:

Applications constantly evolve. New features and updated code introduce fresh attack surface.
Hacker knowledge expands. Returning after three months of learning brings new techniques.
Competition drops off. Hundreds swarm new programs but most abandon them within weeks.

This strategy led to his most impressive achievement: earning $500,000 from a single company over two years.

The $500,000 Relationship: Deep Engagement Works

In February 2025, Sojitra shared statistics from his engagement with one HackerOne program. Over two years, he submitted 359 reports. Of these, 280 received bounty payments.

The breakdown:

Critical severity: 23 findings
High severity: 88 findings
Medium severity: 168 findings
Low severity: 69 findings

By category:

Improper Access Control: 32%
Broken Authorization/IDOR: 25%
Information Disclosure: 13%
Injections: 8%
Cross-Site Scripting: 6%
Others: 14%

His maximum single reward was $7,000. His lowest was $150. Over 730 days, this averaged $685 per day from one program alone.

This deep engagement model crushes the “spray and pray” approach. Many beginners submit shallow findings across dozens of programs without understanding any of them. Sojitra’s patient, methodical approach proved far more profitable.

Top 20 and Beyond: Elite Status Earned

By May 2024, Sojitra reached the Top 15 on HackerOne’s all-time leaderboard. To understand this achievement: HackerOne hosts over one million registered hackers. Reaching the Top 15-20 places him among the most productive security researchers globally.

The journey from 2016 to this milestone took eight years of consistent work. By November 2023, he had crossed $1.65 million. By May 2024, he surpassed $1 million on the platform. By late 2024, his total exceeded $2 million.

These numbers represent more than money. Each dollar corresponds to a security vulnerability discovered and fixed. A flaw that criminals could have exploited for ransomware or data theft.

The John Deere Moment: Financial Freedom

In March 2025, Sojitra posted a photo that captured the impact of his success: a John Deere tractor. His caption: “Thanks to bug bounty and computers.”

For context, the average software engineer salary in India is $10,000 to $15,000 per year. Sojitra’s earnings dwarfed this by orders of magnitude. He achieved financial independence through skills he taught himself.

But his impact extends beyond personal wealth. He has become an advocate for community-based learning. Through conference appearances, social media engagement with 22,000 followers, and tools he has created, he actively lowers barriers for the next generation.

His Day 1 friends also succeeded. This collective rise demonstrates how community-driven learning creates compounding benefits.

The Philosophy: Proof of Skill Over Proof of Credentials

Sojitra’s story fits a broader pattern: elite performance doesn’t require elite credentials.

Santiago Lopez became a millionaire at 19 learning from free tutorials. Aditi Singh earned significant income as a college dropout who taught herself JavaScript from YouTube. Mark Litchfield, Britain’s first ethical hacking millionaire, failed his computer studies exam.

When HackerOne surveyed its community, 85% cited learning as primary motivation. Many treated bug bounties as practical education superior to formal courses.

This represents a fundamental shift. Traditional career paths still hold value. But bug bounty platforms created a parallel system where proof of skill matters more than proof of credentials.

Sojitra’s advice to aspiring hunters: build confidence in earning consistently, master your tools deeply, and commit to understanding targets thoroughly.

The Takeaway

Jenish Sojitra’s journey from phished user to $2 million researcher offers a blueprint that challenges conventional wisdom.

His success required no expensive bootcamps, no elite university, no corporate sponsorship. It demanded curiosity about how systems break, humility to learn from free resources, discipline to develop systematic methods, and persistence to keep hunting when others quit.

For aspiring bug bounty hunters, especially those in regions with limited access to traditional tech opportunities, Sojitra’s story delivers a message: the barrier to entry is lower than you think. The learning resources are free. The financial upside is life-changing.

What separates hobbyists from professionals isn’t genius. It’s consistent practice, strategic focus, and willingness to revisit old targets with new eyes.

Opportunities don’t vanish because others have looked before. They hide in plain sight, waiting for someone with patience and fresh perspective to uncover them.

As the cybersecurity skills gap widens, bug bounty platforms represent a scalable solution. They transform learners into defenders. They reward results over resumes. They create wealth while hardening digital infrastructure.

Jenish Sojitra proved it’s possible. His journey took eight years, thousands of hours, and unwavering commitment. But it didn’t require permission, credentials, or privileged access.

Just willingness, hard work, and a laptop.

For the next generation of self-taught hackers, that might be the most valuable finding of all.
