Kelly criterion for bug hunting?
A half-formed hunch: allocating research time across targets is a bankroll problem, and Kelly might be the right lens.
A captured spark. Unverified, unpolished, possibly wrong.
A seed, planted fast before it blew away. Possibly nonsense.
The Kelly criterion sizes bets to maximize long-run growth of a bankroll given your edge and odds. Security research has the same shape: my bankroll is attention, each target is a bet with some probability of a finding and some payout (bounty, knowledge, write-up), and I can size positions by the hours I spend.
Things Kelly would predict, if the analogy holds:
- Never go all-in on one target, even a juicy one (ruin risk = burnout + zero findings).
- Edge matters more than payout. A boring target where I have deep prior knowledge beats a glamorous one where I’m a tourist.
- Fractional Kelly (betting less than the formula says) is wise when your edge estimate is noisy, and my edge estimates are very noisy.
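As an added illustration (not the note's own code), here is the sizing rule the predictions above rest on, run over three constructed targets: single-bet Kelly per target, clipped at zero edge, scaled by a fractional-Kelly multiplier, with un-staked hours treated as reserve. The target names, probabilities and payouts are made up, and treating each target as an independent bet is an assumption.

```python
"""Kelly sizing applied to research-time allocation (added illustration).
Assumptions: each target is an independent bet; staked time either yields a finding
worth `payout` time-units per unit staked (probability p) or nothing; the bankroll is
the week's hours; un-staked hours are Kelly's reserve (reading, tooling, rest).
Single-bet Kelly is applied per target, not the joint multi-bet optimum."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    p_finding: float  # estimated probability that staked time yields a finding
    payout: float     # net win per unit staked (the "b" in b-to-1 odds)


def kelly_fraction(p, b):
    """Single-bet Kelly fraction f* = p - (1 - p) / b, clipped at 0 for negative edge."""
    if not 0.0 <= p <= 1.0 or b <= 0.0:
        raise ValueError("need 0 <= p <= 1 and b > 0")
    return max(0.0, p - (1.0 - p) / b)


def log_growth(p, b, f):
    """Expected log growth per bet at stake fraction f (what Kelly maximises)."""
    if not 0.0 <= f < 1.0:
        return -math.inf  # staking everything risks ruin
    return p * math.log1p(b * f) + (1.0 - p) * math.log1p(-f)


def allocate_hours(targets, budget_hours, kelly_multiplier=0.5):
    """Fractional-Kelly hours per target; un-staked hours are returned as 'reserve'."""
    fractions = {t.name: kelly_multiplier * kelly_fraction(t.p_finding, t.payout)
                 for t in targets}
    total = sum(fractions.values())
    if total > 1.0:  # more edge than hours: scale so exactly the whole week is staked
        fractions = {k: v / total for k, v in fractions.items()}
        total = 1.0
    hours = {k: round(v * budget_hours, 2) for k, v in fractions.items()}
    hours["reserve"] = round((1.0 - total) * budget_hours, 2)
    return hours


# Constructed sample targets; the numbers are made up for illustration.
TARGETS = [
    Target("legacy app I know well", p_finding=0.60, payout=1.0),    # high edge, small payout
    Target("mid-size API, some familiarity", p_finding=0.30, payout=3.0),
    Target("glamorous new program", p_finding=0.05, payout=10.0),    # big payout, no edge
]
WEEK = allocate_hours(TARGETS, budget_hours=40)  # {'legacy app ...': 4.0, 'mid-size ...': 1.33, 'glamorous ...': 0.0, 'reserve': 34.67}
```

The glamorous target gets zero hours despite the biggest payout because its edge is negative, which is the "edge beats payout" prediction in numbers; the large reserve is what half-Kelly looks like when every edge estimate is small.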
Suspicious wrinkle: research payoffs aren’t independent bets. Knowledge compounds across targets, which Kelly doesn’t model. Maybe that’s the interesting part.
Related muscle memory from ctf-field-notes-web: rotating hypotheses on a timer is basically fractional Kelly for a single afternoon.
Next action: re-read the Kelly chapter of Fortune’s Formula, then try actually logging a season of time-allocation decisions and outcomes. If the data is fun, this sprouts.