‘We’re in the age of the hacker,’ states the website HackerOne, a bug bounty platform that connects businesses with cyber security researchers (or bug bounty hunters). The reason is simple: there’s a massive rise in bug bounty programs at large companies like Facebook and Apple, explains Wired. So what exactly are bug bounty programs and how can you get involved in this lucrative endeavour?
Bug Bounty Programs: What Are They?
Put simply, a bug bounty program is a deal offered by companies where hackers (or computer software programmers) can receive recognition and compensation for finding bugs in the company’s code, especially those relating to exploits or vulnerabilities. However, it’s not always easy for big software companies to find and interact with hackers, and that’s where a company like HackerOne gets involved; it is essentially a middleman between companies and hackers.
The basic idea is ‘to put good-guy hackers on the company’s payroll so they can find problems before the bad guys do,’ explains Business Insider. The good-guy hackers are known as ethical hackers, or white hat hackers (also known as ‘security researchers’). It’s not that the skill set is different from that of malicious or black hat hackers, but the goal differs: malicious hackers are in pursuit of evil goals such as spam or cyber attacks to steal personal information, whereas ethical hackers use their skills in a lawful way to try and find vulnerabilities that need to be fixed. And remember: the internet gets safer every time a vulnerability is found and fixed.
Bug Bounty Programs: What Can You Actually Earn?
Money is definitely a big motivator. Based on the 2018 Hacker Report, the largest documented survey with 1698 respondents from the ethical hacking community, the following reasons were put forward as motivators for hacking. You can see that money wasn’t actually the biggest motivator – ‘to learn tips and techniques’ was.
Image Source: https://www.hackerone.com/blog/2018-Hacker-Report
And what about the cash? How much can you make? It’s certainly possible, depending on which country you come from, to make more than you would as a software engineer. In the table below, the median annual wage for a software engineer was taken from PayScale for the different regions. You can see how much more bug bounty hunters are making: India shows the largest difference with researchers making an average of 16 times the median salary of software engineers in that country, whereas in Belgium hackers make an average of 2.7 times more than the median software engineer salary.
Image Source: https://www.hackerone.com/blog/2018-Hacker-Report
Rewards can range from $500 to $100 000 depending on the type of bug and the amount of time spent searching for it. One of the world’s largest bug bounty programmes is Trend Micro’s Zero Day Initiative (ZDI), states Computer Weekly, which is for Microsoft and Adobe. It has paid out over $15 million to researchers to date. Companies like Google and Apple can offer up to $200 000 as a reward for a single bug. Intel and Microsoft can offer up to $250 000. The average payout, however, is about $2000 for revealing a single security vulnerability.
So how can you get involved in a bug bounty program?
Bug Bounty Programs: Getting Involved
Here are some ideas from LifeHacker about how to become a bug bounty hunter:
- Learn coding – this seems pretty obvious, but you will need to start here. Consider an online bootcamp to acquire your skillset fast.
- Learn how web applications work. Think about looking over The Web Application Hacker’s Handbook.
- Get the right tools – e.g. Kali Linux (free), Burp Suite ($349 a year, but popular) and OWASP Zap (free alternative to Burp Suite).
- Practice finding bugs – look at Google Bughunter University (teaches you how to write vulnerability reports – a vital aspect of performing the work).
- Once you have the knowledge and the tools, check out a bug bounty board (it’s simpler than seeking out each individual company’s website) – e.g. Vulnerability Lab, Bugcrowd and HackerOne.
In closing, coding skills open up a world of opportunity, from traditional jobs in large companies to freelancing. Now you can add Bug Bounty Hunter to your skillset – there’s certainly good cash to be made, and you’ll have fun in the process, if you get involved in a bug bounty program. If you need to update or learn coding, consider signing up for one of HyperionDev’s six-month, online coding bootcamps in Full Stack Web Development, Mobile Development and Software Engineering. You could be the next Big Bug Hunter.