This write up is about success in bug bounties and the level of preparedness one needs to be at before starting with bounty programs.
This is indeed a lucrative field, but don't be of the assumption that you'll earn money as soon as you jump into it or as soon as you find a bug. The stories you get to hear of hackers earning big time from bounties is after several months or sometimes several years of research. So, do not have the expectation that you can earn your daily pocket money or live on the bounties in the initial days.
What's likely to happen
Cyber security is a difficult field hence, bugs get scrutinized very diligently by the developers. So what is most likely to happen when you start hunting security bug is, you would either not find a bug, find an issue that YOU think is a vulnerability or you may find a severe issue thinking you have nailed it this time.
Now let's go over each of the scenario in slight detail: It's quite possible that initially you will spend hours and hours on targets, but without finding any bugs. This is normal because this is the first time you would be navigating a website with the intent to understand how it works and what it contains. More importantly with the intent of looking for loopholes.
After toiling for a few weeks / months you will eventually find a bug and with enthusiasm you would report it too. But the sad part is, most likely it would get triaged as not applicable or something with no security impact. I can imagine how it would feel.
Finally, after going through lot of frustration you would find a severe bug. At this point you are likely to breathe a sigh of relief and fist the air telling yourself, yes... Finally... Phew... Now you would do your best to write a kickass report and patiently wait for their response. For all you know, in happiness you wouldn't get sleep either. Soon you'll realize that the bug you wrote up is a duplicate. Ie: somebody already found it and reported it to the organization. Note: A duplicate yields no bounty, no appreciation, but a very cold response stating they are already aware of the issue and are working on fixing it.
I hope by now I have given you enough reasons to feel frustrated and demotivate yourself. Well, that's the idea. This is exactly how you'd feel the first several weeks or months. You'd most likely go through a plethora of YouTube videos that explain how to hack and you will be left telling yourself, that's exactly what I'm doing. Why on earth I can't find bugs? The answer my friend is far simpler than you think. You cannot find bugs because the application is secure!
By now if I have demotivated you and successfully convinced you that it's time you give up, then I'd pat my back and tell myself Great job! In fact at this point most researchers are on the verge of giving up. And it's important you realize that it's not gong to be any different for you. If you can accept this and move on, then bingo. Congratulations! you have crossed the first hurdle.
Beginning
For many this is actually the end of the journey. I went through this phase too and at one point I felt I'm not meant for it. I still feel I'm not meant for it. But for me the journey just began and I'm willing to walk the entire mile. At this point if you can accept this and get yourself together to continue the hunt. Then this is where your journey will actually begin.
That said, I will bid good bye on a simple note. This is a difficult, but very interesting journey if you can bear the brunt. On this journey you will not find a companion and the learning process would most likely be solo. Therefore, accept the loneliness, initial failures and focus on the learning, not the bounty. Demonstrate persistence and commitment to the cause. Believe me you'll start appreciating it and will see benefits soon.