Begin with VDPs (no monetary reward but low pressure) - Move to public programs with broad scope - Focus on one vulnerability type until you can find it consistently - Submit reports even for low-severity findings to build reputation