Bug bounties allow people who discover security flaws in computer software and services to be rewarded with money. So what does it take to be a bug bounty hunter, and can you make a living doing it?
What Are Bug Bounty Programs?
The software and services we use every day are written by human beings often under pressure to get their code up and running so that the business can make money. While modern software development methods result in software with remarkably few serious problems, there’s no way for a small group of developers to foresee every possibility or see every single mistake.
Compare this to the army of hackers looking for every possible chink in the armor of that code, and it’s clear why bug bounty programs are necessary. These programs offer a reward to people who discover a credible vulnerability or another qualifying type of problem in the apps and services provided.
Who Gets to Claim Bug Bounties?
In principle, it doesn’t matter who discovers a vulnerability or exploit. What’s important is that the company knows about it and fixes the problem before it leads to real damage. In practice, bug bounties are most often claimed by professional security researchers. These are specialists who intentionally try to find weaknesses in systems and either get paid bounties or upfront to do “penetration testing” for a company.
That doesn’t mean you can’t report one if you find it, but you need to look up the requirements for submission and see whether you have the technical information needed to report the issue.
Bug Bounty Programs Are Not All the Same
The process to claim a bug bounty and what qualifies you to get the payment differs from one program to the next. The company in question sets the rules for what it considers a problem worth paying to know about. It will also set the proper format to report that problem, along with all the things it needs to know to replicate and verify the issue.
The amount of money a verified report is worth will also differ. Some companies are huge, with large budgets for security. Others are small businesses or startups that rely on bug bounty programs to make up for their relatively small permanent cybersecurity staff complement. In that case, the bounties might be more modest.
Where to Find Bug Bounty Programs
The first place to check if you run across a reportable vulnerability is the company website that makes the product or offers the service in question. It’s generally only very large companies that run and administer their own bug bounty programs.
Smaller outfits are more likely to use specialized bug bounty services. For example, HackerOne’s bug bounty program list promotes programs from various companies that are managed through the site.
How Much Do Bug Bounties Pay?
If you visited the HackerOne bug bounty list linked above, you may have noticed that each program lists a minimum bounty amount. If you open one of the programs, you’ll see statistics on the average bounty payout as well as the reward tiers, depending on the severity of the vulnerability.
Low-, medium-, and high- severity problems might net a few hundred to a thousand dollars, while critical vulnerabilities can pay out several thousand dollars.
There have been some truly staggering bounties paid out over the years and massive offers, but these are somewhat like winning the lottery. You need to be the one who happens across a one-in-a-million exploit and it has to be in the system of a big player who has that type of cash. If you want to make a living from bug bounties, you’re more likely to get a steady income from small common bugs that come up through systematic penetration testing.