Bug Bounties: What It Takes to Succeed (and Get Paid)

In the uncertain times that COVID-19 and the rush to work-from-home have created, there is one constant: Software is still full of bugs and someone needs to find them.

For cybersecurity professionals and other technologists looking to switch careers, improve their skills or earn a little extra cash on the side, bug hunting is emerging as a potentially lucrative and growing outlet at a time when many large-scale organizations are thinking about trimming their technology budgets. Even with cutbacks at some level, businesses and government agencies continue to take a more collaborative approach to application development, and this includes finding and reporting vulnerabilities in that software.

And with that comes opportunities for white hat hackers.

“Many organizations now view hacker-powered security programs as an essential component of their continuous software development lifecycle,” Jobert Abma, the co-founder of bug bounty platform HackerOne, told Dice. “Even with multiple security solutions and security teams working round the clock to protect your systems, the bottom line is that vulnerabilities exist, and hackers are looking for them anyway, so it’s better to harness the power of ethical hackers before bad actors exploit them.”

That approach to application development and security has proven lucrative for many willing to invest the time and effort. Recently, HackerOne announced that it had hit the $100 million mark in rewards paid out to white hat hackers who have found and disclosed vulnerabilities.

Since the HackerOne platform was founded in 2012, over 170,000 software security vulnerabilities have been uncovered; currently, 700,000 white hat hackers use the company’s platform.

In addition, HackerOne disclosed on June 29 that a total of nine hackers have now earned over $1 million through disclosing various software and application bugs.

Besides HackerOne, tech firms such as Google are also paying out millions each year to white hat hackers to find bugs, and organizations such as Pwn2Own have expanded into newer areas for bug hunting, such as industrial control systems.

Abma believes that part of the lure of white hat hacking is the money, but many also find new career paths and opportunities by participating in these and other types of bug bounty programs, whether run through companies or government agencies such as the U.S. Defense Department.

“While hacking can be very lucrative for those who are really successful at it, it’s about so much more than money,” Abma said. “Many are finding career-building opportunities through bug bounties, with companies hiring from within the hacker community at a faster clip than ever before. Companies are utilizing vulnerability reports and hacker engagement as an enhanced resume of proven skills that will impact company goals and security efforts from day one.”

Abma adds that, in a world of digital transformation, where continuous integration (CI) and continuous delivery (CD) are the norm, finding and disclosing vulnerabilities in software and applications becomes invaluable. That means more work for ethical hackers.

“Organizations experiencing a digital transformation must also transform their security strategy,” Abma said. “The old way of thinking about security will no longer work in this world of CI and CD.”

Right Skills and Attitude

Jon Colston has reaped the benefits of bug hunting over the years.

Colston, who goes by the handle @Mayonaise, was the ninth and most recent white hat hacker to earn over $1 million through HackerOne. Over the last two years, the Las Vegas resident has disclosed around 170 real-world vulnerabilities for private businesses and government organizations.

As a freelancer, Colston said he enjoys the freedom that comes with bug hunting and white hat hacking, in addition to the monetary benefits. He believes that those with a deep interest in reverse engineering, combined with mental tenacity, application of experience, and the willingness to put in the time, can succeed in bug hunting and hacking.

“While I do not have a background in web security, I use 25 years of data science and analytics to assist in my search for vulnerabilities,” Colston told Dice. “My approach is somewhat unique within the community, and I like to think it helps me find weaknesses previously overlooked. When hundreds of researchers look at the same application, the most significant skill is the ability to leverage your knowledge and experience to approach the target with a different set of eyes.”

On the practical side, Colston said successful bug hunters save and organize their data. “It will be an essential asset in building wordlists to brute-force domains and directories, mining for insightful trends, identifying flags that signal issues, and discovering bugs you missed during previous tests,” he said.

Learning a scripting language also helps. “I strongly recommend spending time incorporating a scripting language such as Bash to string together toolsets and standardize outputs,” Colston added. “Data is the digital image of the experiences you acquired while testing. As you become a more skilled bug hunter, you will be able to turn that data into information and advance your skills further.”

Full-Time Hunting

Alyssa Herrera first got into bug hunting as a teenager and is largely self-taught when it comes to security and finding software flaws.

Now a full-time bug hunter, Herrera is still learning, but notes that, even without formal programming skills, those interested in this type of white hat hacking can still get a foot in the door.

“I think it’s a combination of both self-learning and applying what you learn, at least from my experience of starting when I was in high school. When I first started out, there weren’t many resources, so a lot of what I learned was from the various blogs I read and trying to find those types of issues in other websites and slowly working out my own path to success in finding vulnerabilities,” Herrera told Dice.

“As far as programming goes, I have never actually learned any amount of programming to really build or make anything; that’s one of the things I loved about bug bounties: I was able to enter into this with some basic understanding of how websites worked and all, but not really needing to have much background knowledge on programming to be successful,” Herrera added.

When it comes to bug hunting, Herrera finds that collaboration is key; it’s not only about seeking out help, but also offering assistance in return. That is what helps build the community around white hat hacking for a living.

“The other thing is to not stop learning and collaborate where you can, as collaboration will help you a lot and push you outside of what you know and it lets you share knowledge and be successful alongside other collaborators,” Herrera said.