Full-time bug hunting: Pros and cons of an emerging career
Being a bug hunter who discloses their discoveries to vendors (as opposed to selling the information to the highest bidder) has been and is an ambition of many ethical hackers.
Before vendors started paying for the info, the best they could hope for was a lucrative job offer, though an entry in the company’s Hall of Fame was a good enough incentive for most.
These days many vendors and service providers have an official vulnerability disclosure program, either run internally or managed by a third party, and offer bug bounties for quality reports about newly discovered security vulnerabilities in their offerings.
The sheer number of bug bounty programs in existence and the fact that the bounties occasionally reach tens or hundreds of thousands of dollars have led many a bug hunter to concentrate on searching for vulnerabilities as their only occupation.
Those who have yet to make that transition but would like to are wondering whether they are cut out for this kind of life/work.
Full-time bug hunting is not for everybody
For someone who already has a consistent, well paying job and maybe a couple of kids, bug hunting as a full-time occupation wouldn’t be the best thing to just jump into, says Tommy DeVoss, a hacker from Virginia (U.S.A.).
One of the reasons is that searching for bugs involves a lot of effort (learning) and time. But if you are ready for this you will succeed, says Cosmin, a 30-year-old Romanian hacker who lives in Osnabrück, Germany (and prefers not to share his last name).
“Read the documentation, learn to write your own tools, read security articles, invest time in research, learn to write reports and always approach your target tactically and with the strategy that fits you well,” he advised.
“It’s also very important to realize that you and your mindset are unique, so don’t follow what this or that person says. Try to grab little bits of knowledge and skill from everybody, analyze them and then integrate them in your workflow only if they suit you.”
Santiago Lopez, a young man from Argentina who a year ago became the first bug hunter to earn over $1 million in bounty awards through the HackerOne bug bounty platform, pointed out that “wasted time” is also something that a would-be full-time bug hunter has to take into account.
What he means is that sometimes a bug you worked long and hard to discover, document and report has been flagged by another hacker days or mere hours before – and those who come second are rarely awarded anything.
Being able to deal with this fact of life is essential for aspiring bug hunters, he says, just as much as having unrelenting curiosity and a desire to play around with stuff and break it.
Getting into bug hunting
Each of the three full-time hackers/bug hunters we interviewed for this feature has had a different route to their current work position.
Lopez’s path was the most straightforward: he started hacking when he was 15 and earned his first bug bounty when he was 16. Since then, he has reported over 1,600 security flaws. Bug hunting is, effectively, his first job.
DeVoss also started hacking as a kid, but his life has had way more twists and turns.
“At school I would finish my work in ten minutes and spend the rest of the lesson playing on the computer. I was 10 or 11 when I stumbled across a chat room whose members taught me how to hack,” he told Help Net Security.
“I was just a bored kid doing it for fun. I first got into trouble for it in high school and was ordered to stay away from computers, but I didn’t. With others, I broke into secure government systems and was caught again and spent 4 years in prison. I was told that if I got caught again, the next time I wouldn’t get out.”
For him, bug bounty programs were a blessing, as he could continue with the hobby he loved while remaining on the right side of the law.
Before becoming a bug hunter, Cosmin was working as a software developer.
During that time, he and his colleagues were allowed to choose an event or course to attend for skill development. He picked a practical hacking seminar in Hamburg and there he found out about the existence of bug bounty platforms.
“Soon after I made an account. I was miserable at first, but slowly, slowly gained more experience and now I have been doing it full-time for almost 2 years,” he shared.
The pros and cons of full-time bug hunting
Let’s not beat around the bush: the money is good if you’re good.
“If someone actually works 40 hours a week and is really good, they can easily make 7 figures a year,” DeVoss opined. “I work about 10-40 hours a month right now and have brought in $903,000 last year. My highest bounty for a single bug has been about $28,000 and my highest single day payout, I believe, is around $180,000.”
There is no upper limit on how much a dedicated, full-time bug hunter can earn in a year, says Cosmin, but the final amount will depend on luck, timing and experience.
For him, though, the most important advantage of working as a bug hunter under a platform like HackerOne is the possibility of working when he wants and as much (or little) as he wants.
“This allows me to try and stay on my peak level and if I am feeling down or frustrated, I don’t persist because usually I gain nothing except more frustration,” he noted.
“Another advantage is that I can take as many vacations as I want and when I want. I can attend a live hacking event when I’m invited and meet people from all over the world.”
There are cons, as well. “You don’t have a fixed salary, so some months can be worse than others. Social isolation can be an issue. Finally, you really need to know when to stop or change your working schedule to avoid potential burnouts.”
Perhaps unsurprisingly, for DeVoss one of the most important advantages of reporting vulnerabilities via bug bounty platforms is the protection they offer (meaning: they make sure the bounties are run in a way that protects the researchers legally).
Each of the three hackers has predilections when it comes to bug bounty programs and vulnerabilities.
Lopez likes searching for IDOR (Insecure Direct Object Reference) bugs, mainly because it’s a type of vulnerability that is easy to find and companies pay big bounties for.
“I had the opportunity to find a lot of interesting IDORs in my career. The most interesting ones allowed me to delete any user created by the affected company or edit critical settings without authorization,” he explained.
Other than that, he likes bug bounty programs that pay well and that have a wide scope to allow him to explore and research new things.
Cosmin searches mostly for improper access control bugs, misconfigurations in cloud instances, self privilege escalation flaws, information disclosure bugs or issues in the login process.
“I don’t spend that much time searching for rXSS (the reflector plugin for Burp does this) and I do not search for SQL injection flaws at all. I mainly just use Burp as it fits all my needs and there are a lot of really good plugins, but I also have some custom-built tools,” he noted.
“I spend most of my hacking time in Verizon Media because I’m most familiar with it, but I also like to check out new private bug bounty programs. My favorite bug was the one for which I received the highest single day pay out on the HackerOne platform: I was able to bypass the protections of Verizon Media’s blacklist, which allowed me to redo all the bugs I’d submitted from the previous months,” he shared.
The future of bug hunting
“Hacking will always be a good opportunity for people that don’t want to follow a traditional corporate career path and want the flexibility that comes with the territory,” Lopez noted.
“As public understanding about hacking grows, it will certainly become less niche and there will be more competition for us.”
All three have noticed an increased influx of hackers on the HackerOne platform and they welcome the competition.
“I already see more professional programs, a larger attack surface and higher rewards. I also see more competition from both programs and hackers and this is a very healthy trend as it leads to the constant improvement of both sides,” Cosmin said.
The fact that more and more smart things are connected to the internet and that companies building IoT devices are still not prioritizing security is creating a vast threat surface and anyone who wants to help secure it is welcome.
“I like to think the defenders will win this fight, simply because there are so many of us now,” DeVoss opined, but noted that cybercrime will continue to proliferate until we start taking security more seriously.
Some final advice
Lopez pointed out that the hacking community is welcoming and supportive so following hackers on social media or joining hacking forums is a great way for aspiring ethical hackers to learn and swap ideas and information.
Still, it might be a good idea not to choose to become a full-time bug hunter from the get-go.
“First make sure you know what you are doing, as hacking has a very very steep learning curve and it is overwhelming in the beginning,” Cosmin advised.
“Before making the switch to a full-time bug hunting job, it’s important to have at least half a year or a year of experience as a part-time bug bounty hunter. You should also be in a financially solid position or be a young person that does not have many expenses.”