
Tech giants like Netflix and Apple are shelling out millions to ‘bug bounty hunters’ who hack into their software systems

By IT Brew and Brianna Monsanto
January 16, 2025, 4:25 AM ET
Tech companies are paying bug bounty hunters to catch vulnerabilities in their software systems. (Getty Images—Sutthichai Supapornpasupad)

You don’t know a bug bounty hunter until you’ve walked a mile in their shoes—and spent a week on their PC trying to detect vulnerabilities in exchange for big bucks.

Companies are doling out big rewards to hackers willing to unearth vulnerabilities in their software. Last year, Netflix disclosed that it had awarded more than $1 million in rewards through its bug bounty program. Meanwhile, Apple said it was offering rewards of up to $1 million, through its own bounty program, to security and privacy researchers able to hack into its Private Cloud Compute.

Security professionals are cashing in on the opportunity. Mat Rollings, an application security professional turned bug bounty hunter, told IT Brew that he took on the gig full-time last year and has since racked up about 500 reports. Rollings, who brought in $27,000 in the first half of last year, joins the group of ethical hackers who have made a career out of the lucrative programs.

But while the gig continues to lure hackers for its flexibility and appealing rewards, bug bounty hunters told IT Brew that it’s no walk in the park.

Challenges. Ben Sadeghipour, a hacker who has been in the bug bounty hunter scene for more than a decade, told IT Brew that part of the challenge of the gig is learning a company’s business model, such as what may be considered sensitive data, when jumping from hacking one tech stack to another.

“The hardest struggle a lot of times is having to put these pieces together in short amount of times when you’re doing an event or even a competition,” Sadeghipour said.

Rollings told us that maintaining good mental health is another challenge the ethical hacker community faces.

“It’s so easy to get burned out and just spend all your time hacking,” Rollings said, adding that it can be upsetting when it takes a while to locate a bug or when a found bug is rejected.

Cassim Khouani, a full-time bug bounty hunter as of last year, added that the job can often feel like a “roller coaster” due to the ebbs and flows a hunter will experience in their ability to discover new bugs each week.

“Sometimes you find nothing and you don’t get paid and sometimes you find a lot of stuff and are getting paid a lot,” he said.

Be their guest. Despite the challenges, bug bounty hunters who spoke with IT Brew raved about the community that has formed.

“This has been the thing that has given us a place to belong,” Sadeghipour said.

For those looking to dabble in the bug bounty world, Sadeghipour told IT Brew that there are fewer barriers to entry than when he first joined the industry thanks to the rise of bounty platforms and educational content geared towards individuals looking to learn.

“Companies are paying $30, $40, $50, even $300,000 for a single web vulnerability,” Sadeghipour said. “So, I think there are more opportunities. It’s just [that] it’s more competitive, but I don’t think it has made it harder to get in.”

He told IT Brew that those starting out should focus on learning the nuts and bolts of the applications they are trying to hack first, and remain patient in the process.

“This is more [of] a marathon than a run,” Sadeghipour said. “It’s not gonna happen overnight, so consistency is also a part of it without putting yourself through the wringer and burning yourself out.”

This report was originally published by IT Brew.
