The number of bug bounty programs offered by companies and government agencies continues to grow, providing more opportunities for technologists to earn extra cash, explore a potential career change, or simply bask in knowing that they discovered a major flaw in a leading website.
Take the US government, for example. A few years ago, only the Department of Defense offered a small handful of pilot programs to researchers eager to find bugs in Pentagon software, platforms, and various computer systems. Now many other federal agencies are jumping on the bug-hunting bandwagon, including the Department of Homeland Security, which announced the results of its first-ever “Hack the DHS” program in April that uncovered 122 vulnerabilities, including 27 listed as reviews.
This Homeland Security program has also paid out over $125,000 to researchers and bounty hunters. Seeing success in the Pentagon and other departments, lawmakers are pushing other federal agencies to adopt these programs.
The success of these bug bounty programs has created many opportunities for security researchers, bug bounty hunters, and other ethical hackers. “The majority of people we see entering bug hunting are taking advantage of meritocratic entry options as a way to launch a career in cybersecurity. Democratizing this access by being part of the solution has been one of my biggest motivations to pioneer the space,” Casey Ellis, Founder and CTO of Bugcrowd, told Dice recently.
“Sometimes it’s a lateral movement. Automotive enthusiasts, for example, who care about security and use the bounty to turn to automotive cybersecurity,” Ellis added. “Then there are people who get into bug bounty as a legally safe way to learn, practice and improve their hacking skills with the possibility of seeking financial rewards in the process… This really takes all kinds, and every one of them is valid in my opinion.”
How Much Can Bug Bounty Hunters Earn?
Exact figures for how much money bounty hunters make may vary, as many of these ethical researchers and hackers use these programs on a part-time basis. Additionally, those select bug bounty hunters who earned rewards exceeding $1 million also skew the average.
A 2020 report from HackerOne found that the average bounty paid for critical vulnerabilities was $3,650, and the highest bounty paid to date for a single flaw was $100,000. The study also found that at least 50 hackers working with the company’s platform to find and report vulnerabilities earned an average salary of $100,000 per year in 2019.
By comparison, an ethical hacker working full-time for a US organization can expect total annual compensation of around $115,700, according to Glassdoor’s latest stats.
Although the money is tempting, some experts note that the field has become increasingly competitive, with more talent looking for bigger payouts, making developing a skill set all the more important.
“Starting out as a bug bounty hunter is a challenge. Money is good when you can earn it, however, expect to spend many hours competing against highly skilled people for bounties. struggle, but the end result and the skills that can be developed by working on it are worth the time investment,” Josh Kocher, adversarial engineer at LARES Consulting, told Dice.
What Skills Are Needed for Bug Bounty Hunting?
Since bug bounty hunting typically remains a part-time source of income for many ethical researchers, security experts and observers note that the most successful of these bug hunters rely on a combination of soft and specialized skills to make an impact and collect their rewards.
Strong communication skills are essential. “An often overlooked skill is communication and empathy. Ultimately, the point of all of this is for the defender, as a business, to understand the risk and be able to address it,” Ellis added. “Hunters who end up doing very well often excel at learning ‘what matters’ from a business and technical perspective, as well as communicating that to a variety of different audiences.”
On the technical side, Ellis noted that bug bounty hunting fluctuates every year, and the demand for finding flaws in certain software and systems will eventually fade. Scanning for vulnerabilities in legacy systems is all the rage right now due to the changes brought about by COVID-19.
“Right now, a lot of attention is being paid to legacy systems, which have been thrown onto the internet as a result of all the digital transformation that has accompanied COVID,” Ellis noted. “It seems almost counterintuitive, but learning to apply security skills to languages like Java, ASP.NET, and even COBOL is actually a growth area for people looking to differentiate themselves in the space — and all the attention that has recently been focused on the security of critical infrastructure, where systems tend to be older, will only accelerate this.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that developing a hacker mindset is the first skill bounty hunters need, followed by a curiosity about how hardware and software work. From there, a bug hunter can develop their specialty.
“So what areas should we focus on now? Cloud apps and related areas are hot, although there will always be a need for conventional and mobile apps,” Parkin told Dice.
Another way to improve is to learn about testing issues and methodologies, said Darrell Damstedt, principal consultant at cybersecurity consulting firm Coalfire.
“Read everything. Obviously for the entertainment factor of reading cool exploits – because I like infosec and ‘sick sploits’ – but also to see how other researchers are testing things,” Damstedt told Dice. “For example, after seeing a blog post about how a researcher exploited a certain problem, I’ll try to figure it out.”
Once he’s finished reading, Damstedt then asks himself questions about what he can learn from someone else’s success in finding a loophole:
- “Did I find this bug?”
- “If I think the answer is yes, I’m still going to compare how I think I was able to find the problem and how the blog post author found it.”
- “If I think the answer is no, I’m trying to figure out what I’m not doing that would make me miss that right now?”
- “Then I look to see how I’m going to fill those gaps?”
What Certifications Do I Need for Bug Bounty Hunting?
As with any cybersecurity position, experts are torn over which certifications, if any, can help with research and bug bounty hunting. Several noted that any certification can provide a solid background that could help those looking to get started. That being said, practical experience is usually the best source.
For those looking to further their education, Vulcan Cyber’s Parkin recommends the Certified Ethical Hacker certification as a starting point, while LARES Consulting’s Kocher leans towards the Offensive Security Certified Professional (OSCP) certification as one that can help lay the groundwork.
“OSCP training and certification is also good for teaching the mindset of being persistent and understanding the basics,” Kocher said. “Personally, that’s all I had before I started doing bug bounties. I’ve seen a lot of people make a lot of money just by being really good at exploiting a specific type of vulnerability.”
Other certification recommendations include Burp Suite Certified Practitioner and Offensive Security Web Expert certifications.