In my earlier post i wrote about how I would focus on Bug Bounties, and how CTFs felt too gamey without any benefits.

While the latter still holds true, and I would only occasionally play it, the former is giving me something to think about.

I think when I engage in an activity, it has to check at least 2 of the 3 points below:

1. Enjoyment. Straightforward, I need to enjoy whatever I’m doing. Not in the sense of just “Happiness”, but rather to be able to get into the Flow state, and to find the presence of being that flow state comfortable.
2. Beneficial. The activity needs to benefit something, which does not necessarily need to be me. It could be someone else or for a greater cause like “Society”. The deeper reaching value here could possibly be “Meaning”. When someone or something benefits from the activity, there’s inherent meaning to it.
3. Skillfully Challenging. Mastery and getting challenged are key aspects of what I enjoy. If the task is too simple or if I don’t feel challenged enough, its hard to get into the flow state, and thus hard to enjoy the activity. There’s a circular dependency starting to form with point 1, and I think it’s perfectly rational.

When I’m playing games like World of Warcraft or my PS5, they’re checking points number 1 and 3. No one is benefiting from me sitting on the couch playing games, but they’re Skillfully Challenging (Ghost of Tsushima, Dark Souls etc), and I Enjoy them (again not in the sense of Happiness, but the immersive feeling of being in the game, appreciating level designs, characters, story lines etc).

When I’m playing sports like Basketball, Floorball or Nogi, they check all 3 boxes. It’s Fun (the competition and the social aspect of it), it’s Beneficial (both to the body as again from socially from hanging out with friends), and it’s Skillfully Challenging (Kinetically).

Even at work, it checks Beneficial and Skillfully Challenging. Sometimes it’s fun when I’m exploring new technologies, reading up on new exploits, or reverse engineering the program. But other times it can get quite mundane and boring (reading documentation, performing competitor analysis). It benefits others in someways, though not too obvious and perhaps a little detached from the direct work I’m doing, but researching and building security products can help our clients detect and prevent attacks. I might know feel the benefits directly, but at least I know it’s there. Skillfully Challenging happens when facing with new technologies and figuring out how to bypass their detection and protection layers.

Now, Bug Bounties and CTFs.

CTFs:

• Skillfully Challenging; High
• Enjoyment; Waning (It’s fun to solve puzzles here and there, but there’s a diminishing return on this feeling)
• Beneficial: Waning (Do I or anyone really benefit from learning an obscure bug?)

Bug Bounties:

• Skillfully Challenging; High
• Enjoyment; Low!
• Beneficial; High, BUT, only if you find a bug which is unfortunately quite rare. It’s unlike Sports where the benefits are constant no matter how the session went. You may not have scored a lot, but you got the work out in, and you hung our with friends. Bug Bounties on the other hand are only beneficial (to the target) if you find a Bug. I don’t believe that the process of hunting for bugs would make you more skillful. Maybe at the start, but it tapers off fast. So say you spend 200 hours hunting for a Bug, and you finally found one and helped the company secure their product, and they pay you a bounty of around $250, the ROI on that is $1.25 per hour. And quantifying the value of fixing the bug is not exactly possible. So taking all that into consideration, the Benefits are actually Low after normalizing it by probability of occurrence and time invested.

Therefore looking at these two activities, they only check 1 of the 3 requirements. I don’t particularly enjoy them, and there’s relatively little benefit to doing them.

So here’s the question then, what other pursuits should i engage in that would check off at least 2/3 boxes, that’s also related to my career? I don’t have the answers to that yet, but ideas like starting a startup or inventing something have came up, and these are usually easier said then done.