There’s more to bug bounty success than hacking skills

In Disney’s hit live-action Star Wars TV show The Mandalorian, bounty hunters join a guild in order to earn status and be assured of the best bounties available. While real-world bug bounty hunters might not have a diminutive, big-eared green sidekick, it turns out that what works for a galaxy far, far away is not so different from computer bug bounties.

The two best-known and biggest bug-hunting organizations, HackerOne and Bugcrowd, cumulatively have raised $190.4 million of venture funding since 2011 for creating platforms that connect hackers and security researchers with organizations that offer vulnerability disclosure programs and bug bounties. The U.S. Department of Defense defines the difference thus: disclosure programs focus on long-term, sustained vulnerability mitigation efforts; bounties expose vulnerabilities on specific targets. Independent experts qualify that adding that the term “bug bounty” also implies a monetary reward, while a vulnerability disclosure program does not.

“Chasing money will burn you out.”—Philippe Harewood, longtime Facebook bug bounty participant

HackerOne, Bugcrowd, and others like them are more than mere middlemen taking a cut of the action. They also encourage organizations across government agencies, tech companies, and beyond to create new programs and work with independent hackers to test their systems. HackerOne found that hackers using its platform earned approximately $40 million in bounties in 2019, more than the cumulative total of $31 million in 2018, and its community almost doubled to more than 600,000 hackers, according to its fourth annual report on hackers and bug bounties published in February.

Established bug bounty hunters recommend that aspiring hackers looking for extra cash sign up for not just those two platforms but several more, including Bugbounty.jp, Hackenproof, Intigriti, Open Bug Bounty, and Yogosha. But Casey Ellis, CTO and founder of Bugcrowd, cautions that as attractive as the bounty payouts are on paper, there’s much more to bug hunting than learning a bit of code, downloading some tools, and signing up for potentially lucrative bounty programs.



READ MORE ON BUG BOUNTIES AND VULNERABILITY DISCLOSURE

How bug bounties are fueling hacker entrepreneurs
China evaluates vulnerabilities for attacks before disclosure
How to attack security issues like Google and Microsoft just did
As bug bounties proliferate, hacking contests maintain strong pull
Why Apple’s bug bounty is a big deal
Bug bounties break out beyond tech
When to disclose a zero-day vulnerability
The dark side of bug bounties


The success of Bugcrowd’s hackers, he says, is tiered. Annually, a few hackers are making close to or more than $1 million, with many more making between $100,000 and $250,000. A still larger third tier whose purchase parity, whether from cost of living or because they’re students, allows them to live off $30,000 to $40,000 per year, followed finally by hacker hobbyists.

“There’s the perception that it’s super-easy to go out and make a million dollars finding bugs. It’s true for some, but not for most. You’ve got to work for it, and work on your skills, to get into that superstar range of earnings,” Ellis says.

While bug bounties have existed since 1995, hackers only in the past decade or so have begun making a full-time living from them. For vulnerability researchers, no matter your level of experience, here’s what you need to know about getting started down a bug bounty hunters’ path.

This story was originally commissioned by Dark Reading. Read the full story here.