As I have indicated before, my company has gotten serious about working in the office and I have been let go.
To be honest, I got most of my freaking out done before it actually happened. Based on the conversations I had with my manager, I knew that if I continued to refuse this was likely to happen.
In some ways, having it happen actually came as a relief - no more wondering when the hammer would fall.
Given I had some prior notice, I had finally gotten around to reading my version of The Web Application Hacker's Handbook, and...
I understand quite a bit about how it works.
Oh, I have realized (especially as I work through some of the labs on the PortSwigger site, as well as a book on Burp Suite from my account with O'Reilly) that understanding what's going on behind the scenes does not really mean I can open up a website and easily knock out an SQL injection.
On the other hand... Burp Suite is a powerful tool, and while I'm sure the true experts will grumble about 'script kiddies' and whatnot, if it can automatically test for that I don't think I need to reinvent the wheel and inject it myself.
Well, I mean... I want to, eventually. But as my father has said - if you do it often enough you'll memorize it, and if you don't you'll forget it.
I think I just need to build up experience and I can do it without having to look things up, too.
So anyways...
I think I'm going to try being a bug bounty hunter.
Seriously.
I am... concerned about whether I can earn enough money to pay the bills. Looking around online gives mixed messages.
Some people have done really, really, really well, but they might just be the special exceptions. Others have not done so well, and only hunt for bugs as a hobby.
Digging into it a little deeper, it does seem like most of those are the ones - like I have met in my professional career - who generally have a superficial knowledge and don't dig into things that deeply.
If that is true, then I don't think I need to worry. After the last five or six years I have realized I'm actually quite good at digging into complicated things like this.
I have also repeatedly heard professionals say that there are a LOT of bugs out there, so it seems like I should be able to find plenty.
Maybe.
It seems a bit like a gamble to be honest. Potentially great payoff, potentially a huge disaster (or maybe it will just give me some experience to put on my resume and then go back to some sort of company payroll).
For now, however - I have a plan. I have the capability and the resources to follow the plan. And I really want to try working for myself.
It has been... rather nice so far, actually. So long as I don't dwell too much on how I'll pay the bills once I've worked through my safety net.
I've been trying to somewhat keep the same business hours, just firing up the computer and playing around with Burp Suite and the OWASP vm and the PortSwigger labs. It's rather fun, even. Like 'Oh! That is how they do it!'
Some of it is quite clever, too. Like figuring out what a legitimate username is based on how long it takes the application to process a login attempt with an invalid password. I'm really impressed with the people who worked out some of these tricks.
I really hope I can make this work permanently.
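The timing trick mentioned above, seen from the defender's side: this is an added example, not code from the post, showing a login that returns early for unknown usernames next to one that does the same password-hashing work either way (the usual fix for this enumeration leak). The user records, salts and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # deliberately slow, as a real password hash should be
HASH_CALLS = 0        # counts hash work so the difference can be checked without a stopwatch

def hash_password(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, hash). Only "alice" exists.
ALICE_SALT = os.urandom(16)
USERS = {"alice": (ALICE_SALT, hash_password("correct horse", ALICE_SALT))}
# Fixed dummy record used when the username is unknown, so that path costs the same.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Returns as soon as the user is missing: unknown names answer much faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, hash_password(password, salt))

def login_constant_work(username: str, password: str) -> bool:
    """Runs the expensive hash whether or not the user exists, then rejects unknown users."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)  # always pay the hashing cost
    return hmac.compare_digest(expected, candidate) and record is not None

def hash_calls_for(login, username: str, password: str) -> int:
    """Number of password-hash computations one login attempt performed."""
    before = HASH_CALLS
    login(username, password)
    return HASH_CALLS - before

def timed(login, username: str, password: str) -> float:
    start = time.perf_counter()
    login(username, password)
    return time.perf_counter() - start

if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        print(fn.__name__, "known user: %.3fs" % timed(fn, "alice", "wrong"),
              "unknown user: %.3fs" % timed(fn, "mallory", "wrong"))
```

The remaining difference in the hardened version is a dictionary lookup, which is negligible next to the hash; real systems also pair this with rate limiting and generic error messages.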