Tag: Hacking

  • Mastering Skills: My Journey from Logo Design to Hacking

    Hey, how are you?

    Six years ago, I made a decision. After reading about that famous 10,000-hour rule, I said to myself: I want to master something. Turn that mastery into income. And by the time I’m 40, instead of being a government employee, I want to be financially free. I was 30 at the time.

    The 10,000-Hour Trap: From Logo Design to Tutorial Hell

    I picked graphic design. Then I realized logo design was a good fit for me. I started taking courses to produce quality work. At the same time, I was entering logo contests. After a while, I noticed a problem with that business model. People were getting hundreds of ideas and designs for a single logo, and they’d pick one — maybe. This field had too much competition and too much unfairness. We’ll come back to that later heheh. An expectation as if fairness was promised…

    So I shifted the journey in a different direction. I’d had an interest in 2D animation since childhood, and I decided to move into that. I won’t drag this part out, but I fell into tutorial hell there too. After 6 years total, I became a 2D animator who took a ton of courses, found a ton of mentors, spent a ton of money, and couldn’t even build a portfolio hahah.

    And that brings us to 4 months ago. Most of the 10-year window I gave myself was gone. For the last 6 years, I’d been putting in hours almost every day toward mastery, and the only financial impact I saw was negative. I started to realize I was on some kind of self-deception path. An insight about never being “ready” and the system constantly exploiting that fear. And as a super smart guy, the fact that this took me 6 years to figure out was a clear sign of a prosperous mind 🙂

    So yeah, I’m a government employee. Let’s be more specific — I’m an IT teacher. My field is computer science. I’ve been in the profession for 12+ years. I’m not telling you this to introduce myself. Stay with me.

    The Spark: A Mandatory “Digital Literacy” Seminar

    4 months ago, something happened. The ministry I work under assigned me a mandatory video course on digital literacy. Under the name of a “seminar.” This was like forcing an English teacher to complete an A1 level course.

    And I took it personally. Before this, I could choose my own trainings. Now there was an interactive system checking whether I was actually sitting at my computer. And on top of that, forcing a teacher who’s been actively teaching IT for 12 years to take a digital literacy course… It really pissed me off.

    So I hit F12.

    Bypassing SCORM and Frontend Logic

    I built a simple logic in my head. If the video player wants me to click buttons interactively, tells me to wait when I finish, or gives me a green checkmark — is it trusting my browser, or its own backend? I needed an API.

    I dug around the source code for a while. Found out the platform was built on SCORM — you know, that dinosaur. Then I found the API. Finding it actually took about as long as watching those videos would have. But I wasn’t going to watch them. It felt like an insult to myself.

    With some help from AI, this command in the developer console let me declare my kingdom hahah:

    JavaScript

    api.LMSSetValue("cmi.core.lesson_status", "completed");

    I still remember how that felt. But this wasn’t where the hacker story really began.

    Anyway, videos done, got the completion certificate instantly. Then I went to a forum where IT teachers hang out — I’d check it from time to time. People were complaining like crazy and looking for workarounds. The best they had was browser extensions to speed through the videos faster. I even remember some of them saying, “isn’t there someone who can just handle this for us?”

    And that’s when it hit me. What I did was different. I had been thinking everyone must have figured this out already. These guys are IT people, they must be better than me. Turns out they weren’t. That’s the moment I realized.

    The Epiphany: Breaking Systems’ Assumptions

    And I asked a question. Everything starts with a single question, you know.

    Could I be talented at breaking the assumptions systems make?

    This question eventually started turning into what I call “assumption breaking” as a bug bounty method. We’ll talk about that later too. But the simplest logic is this: every system has to make choices and assumptions.

    That video course site assumed “users can only reach what they see in the UI.” So it was checking whether a video was completed based on a status it pulled from my own browser. And when I flipped that frontend assumption — when I gave it the status it wanted without watching a single video — it believed me. Strange, but I’ve seen this repeat even in massive companies. We’ll talk about those too.
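The trust assumption described above can be closed on the server. As an added example (not the author's code and not the platform's), this sketch treats a browser-reported `cmi.core.lesson_status` as a claim and checks it against state the backend recorded itself; the function names, course id, minimum duration and 30-second heartbeat interval are assumptions.

```javascript
// Added example: server-side check of a client-reported SCORM 1.2 status.
// All names (launches, COURSE_MIN_SECONDS, recordLaunch, ...) are hypothetical.
// Timestamps are passed in so the logic can be exercised offline.
const COURSE_MIN_SECONDS = { "digital-literacy-101": 45 * 60 }; // constructed value
const HEARTBEAT_SECONDS = 30;
const launches = new Map(); // `${userId}:${courseId}` -> server-side launch state

function recordLaunch(userId, courseId, nowMs) {
  launches.set(`${userId}:${courseId}`, { startedMs: nowMs, heartbeats: 0, lastBeatMs: nowMs });
}

// Count a heartbeat only if it arrives at a plausible pace, so a burst of
// requests cannot stand in for elapsed time.
function recordHeartbeat(userId, courseId, nowMs) {
  const s = launches.get(`${userId}:${courseId}`);
  if (!s) return false;
  if (nowMs - s.lastBeatMs >= 25000) { s.heartbeats += 1; s.lastBeatMs = nowMs; }
  return true;
}

// Decide what to store when the browser commits cmi.core.lesson_status.
function evaluateCommit(userId, courseId, claimedStatus, nowMs) {
  const s = launches.get(`${userId}:${courseId}`);
  if (!s) return { stored: "not attempted", reason: "no server-side launch", flag: true };
  if (claimedStatus !== "completed" && claimedStatus !== "passed") {
    return { stored: "incomplete", reason: "client did not claim completion", flag: false };
  }
  const required = COURSE_MIN_SECONDS[courseId];
  if (required === undefined) return { stored: "incomplete", reason: "unknown course", flag: true };
  const elapsed = (nowMs - s.startedMs) / 1000;
  const expectedBeats = Math.floor((required / HEARTBEAT_SECONDS) * 0.8); // 20% slack
  if (elapsed < required) {
    return { stored: "incomplete", reason: "elapsed time below course minimum", flag: true };
  }
  if (s.heartbeats < expectedBeats) {
    return { stored: "incomplete", reason: "too few heartbeats", flag: true };
  }
  return { stored: "completed", reason: "claim consistent with server-side evidence", flag: false };
}
```

Heartbeats still originate in the browser, so this bounds elapsed time rather than proving attention; rejected claims carry `flag: true` so they can be logged for review.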

    Entering the Bug Bounty World: Finding My Frictionless Environment

    After this questioning, something started developing inside me. A kind of inner understanding, maybe. For years, I’d worked with discipline to master a field and build income from it. Under normal circumstances, I should have achieved that by now — whoever says so anyway heheh.

    6 years had passed, and I still felt like I was at the starting line. Nothing wrong with that either… I see now that “knowing” and “being” in the way I understood them never really complete. But on that mastery path, I was actually standing still. No movement.

    After a serious internal evaluation and a battle with sunk cost, I said it’s time to crash this ship into the rocks. Time to board a new ship — or even a rowboat. I let go of everything I’d accumulated up to that point — which turned out to be wrong, because I hadn’t actually let go. For example, I’d developed an insane attention span without even noticing. We’ll talk about that too.

    And I threw myself into the arms of the cybersecurity and hacking world. There was only one question again. Was I in what I call a “frictionless environment” — the place where a person finds their natural fit?

    Spoiler alert: when it comes to finding bugs and business logic flaws, yes. And as always, when it comes to communication and what comes after — nope heheh.

    Anyway, we’ll continue.