In Disney’s hit live-action Star Wars TV show The Mandalorian, bounty hunters join a guild in order to earn status and be assured of the best bounties available. While real-world bug bounty hunters might not have a diminutive, big-eared green sidekick, it turns out that what works for a galaxy far, far away is not so different from computer bug bounties.
Bug Bounties 101
The two best-known and biggest bug-hunting organizations, HackerOne and Bugcrowd, cumulatively have raised $190.4 million of venture funding since 2011 for creating platforms that connect hackers and security researchers with organizations that offer vulnerability disclosure programs and bug bounties. The US Department of Defense defines the difference thus: disclosure programs focus on long-term, sustained vulnerability mitigation efforts, and bounties expose vulnerabilities on specific targets. Independent experts qualify that by adding that the term “bug bounty” also implies a monetary reward, while a vulnerability disclosure program does not.
HackerOne, Bugcrowd, and others like them are more than mere middlemen taking a cut of the action. They also encourage organizations across government, tech, and beyond to create new programs and work with independent hackers to test their systems. In its fourth annual report on hackers and bug bounties, published in February, HackerOne found that hackers using its platform earned approximately $40 million in bounties in 2019, more than the cumulative total of $31 million in 2018, and that its community almost doubled to more than 600,000 hackers.
Established bug bounty hunters recommend that aspiring hackers looking for extra cash sign up for not just those two platforms, but several more including Bugbountyjp, Hackenproof, Intigriti, Open Bug Bounty, and Yogosha. But Casey Ellis, the CTO and founder of Bugcrowd, cautions that as attractive as the bounty payouts are on paper, there’s much more to bug-hunting than learning a bit of code, downloading some tools, and signing up for potentially lucrative bounty programs.
The success of Bugcrowd’s hackers, he says, is tiered. Annually, there are a few hackers making close to or more than $1 million, with many more making between $100,000 and $250,000, a still-larger third tier whose purchasing-power parity, whether from cost of living or because they’re students, allows them to live off $30,000 to $40,000 per year, followed finally by hacker hobbyists.
“There’s the perception that it’s super-easy to go out and make a million dollars finding bugs. It’s true for some, but not for most. You’ve got to work for it, and work on your skills to get into that superstar range of earnings,” Ellis says.
While bug bounties have existed since 1995, it’s only been in the past decade or so that some hackers have been able to make a full-time living from them. For vulnerability researchers, no matter your level of experience, here’s what you need to know about getting started down the bug bounty hunters’ path.
‘Chasing Money Will Burn You Out’
But before all that, bug bounty hunters should spend time thinking about what it is that they want to learn from hunting bugs, says Philippe Harewood. Harewood is one of the most prolific hackers in Facebook’s bug bounty program, and he’s carved out a niche by choosing a company and sticking with it. Yet there’s an even bigger secret to his success, he says, than stubbornness: mindset.
“If I do everything that I think is possible to check for a vulnerability, then I’ve done the best I can,” he says. “I’m trying to be as creative as I can. I just have to play within the bounds and terms [of the bounty], and I’m good. I’m not going to limit myself to any mental barrier.”
Harewood, who says that he meditates and does yoga every morning before starting his full-time “hobby” of bug hunting, stresses that open-mindedness is crucial to bug bounty success.
“You have to have proper expectations and proper alignment,” and a curiosity about finding bugs, he says. “Chasing money will burn you out.”
Pick a Program You Care About
Security researcher and regular bug bounty participant Jesse Kinser says that she earned her first bounty through Starbucks’ program because she wanted to choose a company that she was familiar with.
Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also …