
Bug Bounty – Getting Paid to Discover Software Bugs – update

Let’s say that you are already a savvy IT practitioner, whether because you have been using your PC for school work, because you use it for your job, or because you are a software developer. Have you considered becoming an ethical hacker and making money from bug bounties?

According to Wikipedia, a bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.

Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon’s use of bug bounty programs is part of a posture shift that has seen several US Government Agencies reverse course from threatening white hat hackers with “ … legal recourse, to inviting them to participate as part of a comprehensive vulnerability disclosure policy”.

ZDNet, a web site specializing in cybersecurity and IT in general, reports: “Can you get rich from reporting software bugs? For some, hunting down vulnerabilities in websites and apps is a challenge a bit like doing a crossword; for others it’s a major source of income.”

“Paying hackers to search for flaws in software or services is becoming increasingly common; these ‘bug bounty’ programs allow hackers to get paid for spotting problems, while organizations benefit from the ability to tighten their security by paying a few thousand dollars per bug.”

HackerOne, which runs bug bounty programs for organizations including the US Department of Defense and Google, has published new data about the number of vulnerabilities found by hackers signed up to its projects, and how much they have been paid. To date, over 181,000 vulnerabilities have been reported, and over $100 million paid out to the hackers who have signed up to its service.

So you might be thinking: OK, this sounds interesting, but what steps do I follow to become an ethical hacker and hunt bugs for bounty?

Capture the Flag Events

Well, one good way to get started is by becoming familiar with “Capture the Flag” (CTF) competitions. These events are computer security competitions in which participants compete in security-themed challenges for the purpose of obtaining the highest score. Competitors are expected to “capture flags” to increase their score, hence the name CTF. Flags are usually random strings embedded in the challenges.

To gauge how qualified you are to participate in these CTF competitions, there are organizations like TryHackMe and Pluralsight. These companies offer learning paths to take you from a beginner to an advanced white hat hacker, covering both defensive and offensive strategies.

The training provided by those companies is more hands-on on hacking-relevant subjects than the certification and formal education programs described above in section 4.3.1, Getting a Cybersecurity Job. The skills you receive in these programs, while valuable for applying for or performing a cybersecurity job, are actually even more useful for the hacking required to compete in CTF contests.

We will provide additional blog posts on interesting CTF events. As we shall describe, some of these events are public and spectators are allowed; in some cases, live Twitch sessions are conducted.

Bounty Hunter Principles

A bounty hacker is a hacker who is paid for finding software and web vulnerabilities. There are three major principles:

    • Submit valuable and easy-to-understand bugs. Quality over quantity. A remote code execution on a production system is a lot more valuable than a self-XSS, even though they’re both security issues. Enjoy the thrill of the hunt for a super severe bug. Also, successful hackers spend a lot of time describing the issue as clearly as possible. Finally, successful hunters read the program policy before they start looking for vulnerabilities.
    • Earn and show respect. Gain respect by submitting valuable bugs. Respect the company’s decision on the bounty amount. Being communicative and reasonable pays off: successful bug bounty hunters receive tons of job offers.
    • Do your homework. If you’re not comfortable with the basics, get more comfortable. We found it really helpful to have a good understanding of protocols like IP, TCP, and HTTP and to take a few (web) programming courses.

Most of the bug bounty programs are focused on web applications. To become a successful bug bounty hunter on the web, we’d suggest you check out the following resources:

    • Read “The Web Application Hacker’s Handbook”;
    • Take a look at the publicly disclosed bugs on HackerOne;
    • Check out the website Google Bughunter University.

To end this section, let’s view some amazing statistics:

    • More than $44.75 million in bounties have been paid to hackers across the globe.
    • The potential earning power of a hacking career is above the typical salary.
    • There are now over 830,000 hackers registered on the HackerOne Community. They’ve earned more than $100 million through reports on 565,000+ vulnerabilities.
    • The average bounty paid for critical vulnerabilities increased to $3,650 in the past year, an 8% year-over-year increase. To date, $100,000 remains the largest individual bounty earned for a critical vulnerability on HackerOne.
    • Industries with a year-over-year increase in total programs of 200% or greater included Computer Hardware (250%), Consumer Goods (243%), Education (200%), and Healthcare (200%).

Through Hack for Good, a feature that enables hackers to automatically donate bounty earnings to a chosen charity, hackers donated more than $30,000 to The World Health Organization (WHO) COVID-19 Solidarity Response Fund, Hack For Good’s first recipient.
