Hacking. While it sounds rich in devious Hollywood plot-twists, the arena of spies and bored teenagers with mad PC skills, it’s no longer just a tool of the “bad guys”. Ethical, or white-hat, hacking has become a booming field. Closely related to “pentesting”, or penetration testing, it means hackers who use their skills for good are now a critical part of testing the security of code, apps, software, and whole companies that want to stay ahead of the real attackers. Today we look deeper at the Bug Bounty phenomenon, and how you can earn your share of the bucks on the table.
Do I Quit My Day Job?
Hold up a little there! While you can make some nice cash in the bug bounty arena, it’s going to be a while before you have the skills (and the “clout”) to make this your only source of income. However, if you’re looking for a sweet way to do what you love and get a little recompense for it, bug bounties have a lot of potential. Hey, we all need to upgrade our rigs, right? Why not let those skills do the work for you?
Think of hunting bug bounties exactly as you would traditional bounty hunting. You’re just tracking down software vulnerabilities rather than bail-jumpers on the run. Some people make a full-time living from it, but most do it as a nice cash influx on the side.
How Do Bug Bounties Work?
So, what goes into bug bounty programs besides a cool name? Companies that want to test their digital assets, be it code, security protocols, or software, set up these programs to incentivise ethical hackers to help.
Keen to see what a bug bounty looks like “in the flesh”? Check out ExpressVPN’s bug bounty for yourself.
Security researchers, or white-hat hackers, then test the digital asset for vulnerabilities, gaps, exploits, and other weaknesses. Just finding them isn’t quite enough, however. You have to write up a clear report: what the bug is, step-by-step instructions to reproduce it, and what an attacker could actually do with it. Suggesting a fix or a workaround is welcome, but it’s the reproducible proof of the problem that gets a report accepted. Then, you’re rewarded. While most bug bounties focus on monetary recompense, some offer free products, leaderboards, recognition, or other “bragging rights”.
The Two Types of Bug Bounty
While every program is a little different, most fall into two categories:
Private (invitation-only) programs: The company hand-picks the security researchers it wants to test its software. To even get invited to these, you need to be on their radar, so a track record of participating (successfully) in public programs helps a lot.
Public programs: These are open to all participants. The company publishes the scope, rules, and reward tiers of its bug bounty on a platform (HackerOne is a well-known host for these) and any member who fancies the challenge can start looking for vulnerabilities within that scope.
Do Bug Bounties Work?
Yes, they do! They’ve become a popular way for companies to leverage the skills of ethical hackers and pentesting experts, while letting those hackers test their skills and earn money for it. And even if you don’t manage to score on a bug bounty program, it’s still a way to get valuable (and ethical) experience you can use towards a cybersecurity career.
In-house teams are not omnipotent. Having fresh sets of eyes catch the vulnerabilities you missed works fantastically for the companies in question. And the more people actively checking your digital assets, the less chance there is of leaving a live vulnerability in place.
Where to Find Paying Bug Bounties
They are, quite truly, everywhere these days. You can either hunt for a program hosted by a company whose digital assets match your interests, or sign up with a platform that focuses on bug bounties. Some of these platforms even host bug bounty programs themselves.
Here are a few of the most popular online bug bounty platforms. There are plenty of others.
- Bugcrowd
- HackerOne
- Cobalt
- SafeHats
- Synack
Remember, not all of these are open to raw beginners. You may need to go through an application process that demonstrates your expertise before you are accepted. And most invitation-only programs are based on your community reputation, so building meaningful connections (and a portfolio of work) there is critical.
How Lucrative are Bug Bounty Programs?
There have been some large-scale payouts for successful ethical hackers in recent years. One of the top platforms currently boasts that the number of vulnerabilities closed through it doubled between 2019 and 2020, with a collective $44.75 million paid out to people on the platform. We also know that 9 individuals have each netted a cool $1 million or more of that. Its average bounty for a critical vulnerability is around $3,000.
Before you get carried away by all that filthy lucre, however, realize that most smaller vulnerabilities net rewards in the hundreds. And, as the field gets more popular, the biggest payouts are going only to the most challenging and dangerous bugs.
While the payout may be small, it’s a great way to build cybersecurity skills and earn a side income, so participation can be super valuable.
How to Succeed In Bug Bounty Programs
As we mentioned, this isn’t a side income for just anyone. You need not only convincing hacking skills in a field of your choice, but also great organizational skills, a willingness to test and stretch yourself, and a love of a challenge for the sake of the challenge. Many people start out small in the industry, building their skills and reputation before moving on to bigger things as they learn more. Actively participating in the white-hat hacking community is a smart start, too. Not only does this foster collaboration and learning, but it also gets your name and skills ‘out there’ for invitation-only programs.
If the idea of boosting your cybercrime-beating skills, earning a little money on the side, and making a name for yourself in an exciting and dynamic field appeals to you, then bug bounties might be a great arena for you.