Bug Hunting | Pros and Cons
In this post I will give you my opinion on the pros and cons of an emerging career.
Being a bug bounty hunter who is seeking vulnerabilities and disclosing them to vendors (as opposed to selling the information to the highest bidder) has been and is an ambition of many ethical hackers.
A while back, before vendors began paying for the information, the best a researcher could hope for was a job offer, though an entry in the company's 'Thanks WhiteHats' page, commonly known as a 'Hall of Fame', was enough incentive for most.
In more recent times vendors and service providers have an official vulnerability disclosure program (VDP), either run privately by themselves or managed by a third party, and offer bug bounties for quality reports about vulnerabilities discovered in their assets.
The high number of bug bounty programs at the moment, and the fact that bounties occasionally reach tens or even hundreds of thousands of pounds, has led many bug hunters to concentrate on searching for vulnerabilities as their only occupation.
Full-time bug hunting is not suitable for everybody
For someone who already has a well-paid job and perhaps a couple of kids, bug hunting as a full-time job wouldn't be the best thing to jump into.
One reason would be that searching for bugs involves a lot of effort, time and learning.
But if you are ready for this you can succeed!
My advice would be: read the documentation, learn to program your own tools, read security blogs and articles, invest time in research, learn to write quality reports and always approach your target strategically.
I think it's also very important to understand that you and your mindset are unique, so don't always follow what this or that person says. Try to absorb little bits of knowledge and skill from everybody, analyze them and then integrate them into your workflow if they suit you.
Santiago Lopez, a fellow bug bounty hunter from Argentina who a year ago became the first bug hunter to earn over $1 million in bounty awards through the HackerOne bug bounty platform, told me that "wasted time" is also something that a would-be full-time bug hunter has to take into account.
What Lopez means is that sometimes a bug you worked long and hard to discover, document and report could have been flagged by another hacker days or mere hours earlier, and those who come second are rarely awarded anything. (Such reports are known as duplicates.)
Being able to deal with this fact of life is essential for aspiring bug hunters, just as much as having unrelenting curiosity and a desire to play around with stuff and break it.
Getting into bug hunting
Your route into full-time hacker/bug hunting can vary.
For example, Lopez's path was the most straightforward: he started hacking when he was 15 and earned his first bug bounty when he was 16. Since then, he has reported over 1,600 security flaws. Bug hunting is, effectively, his first job.
Another friend, Alex, was working as a software developer before becoming a bug hunter.
He and his colleagues were allowed to choose an event or course to attend for skill development. He picked a practical hacking seminar and there he found out about the existence of bug bounty platforms.
Soon after, he made an account. He was not doing great at first, but he slowly gained experience and now does it full-time.
The pros and cons of full-time bug hunting
Let's not waste any time: the money is good if you're good.
If somebody works 40 hours a week and is really good, they can easily make 7 figures a year.
I know bug hunters whose highest bounty for a single bug has been around £25,000 and the highest single day payout around £160,000.
There is no upper limit on how much a dedicated, full-time bug hunter can earn in a year, but the final amount will depend on luck, timing and experience.
Another advantage is that you can take as many vacations as you want and when you want. You can attend a live hacking event when you're invited and meet people from all over the world.
There are cons, as well. You don't have a fixed salary, so some months can be worse than others. Social isolation can be an issue. Finally, you really need to know when to stop or change your working schedule to avoid burnout.
Each hacker may have predilections when it comes to bug bounty programs and vulnerabilities.
For example, Lopez likes searching for IDOR (Insecure Direct Object Reference) bugs, mainly because it's a type of vulnerability that is easy to find and that companies pay big bounties for.
Alex searches mostly for improper access control bugs, misconfigurations in cloud instances, self privilege escalation flaws, information disclosure bugs or issues in the login process.
The future of bug hunting
Hacking will always be a good opportunity for people that don't want to follow a traditional corporate career path and want the flexibility that comes with the territory.
As public understanding about hacking grows, it will certainly become less niche and there will be more competition.
I already see more professional programs, a larger attack surface and higher rewards. I also see more competition from both programs and hackers and this is a very healthy trend as it leads to the constant improvement of both sides.
More and more smart things are being connected to the internet (Samsung's SmartThings app, for example, has 52 million active users worldwide), and companies building IoT devices are still not prioritizing security. This is creating a vast threat surface, and anyone who wants to help secure it is welcome.
I like to think the defenders will win this fight, simply because there are so many of us now. Cybercrime will continue to proliferate until we start taking security more seriously.
Some final advice
The hacking community is welcoming and supportive, so my advice would be to follow hackers on social media platforms (e.g. Twitter, LinkedIn) or find Discord servers where like-minded people gather; this is a great way for aspiring ethical hackers to learn and swap ideas and information.
Still, since this takes so much practice and patience, it might be a good idea not to become a full-time bug hunter from the get-go.
First make sure you know what you are doing, as hacking has a very very steep learning curve and it is overwhelming in the beginning.
Before committing to the change to a full-time bug hunting job, it's important to have at least half a year as a part-time bug bounty hunter. You should also be in a financially solid position or be a young person who does not have many expenses.
Have you got any suggestions for me? Get in touch!
Thank you for reading my article. Until next time!
Your friendly neighbourhood Hacker.