The number of bug bounty programs offered by enterprises and government agencies continues to expand—presenting more opportunities for technologists to make extra money on a side hustle, explore a potential career change, or simply bask in the knowledge that they discovered a major flaw in a prominent website.
Take the U.S. government, for example. A few years ago, only the Defense Department offered a small handful of pilot programs for those researchers willing to find bugs in the Pentagon’s software, platforms and various IT systems. Now, many other federal agencies are jumping on the bug-hunt bandwagon, including the Department of Homeland Security, which announced the results of its first-ever “Hack the DHS” program in April that uncovered 122 vulnerabilities, with 27 listed as critical.
That Homeland Security program also paid out over $125,000 to researchers and bug bounty hunters. Seeing success at the Pentagon and other departments, lawmakers are pushing other federal agencies to adopt these programs.
The success of such bug bounty programs has created numerous opportunities for security researchers, bug bounty hunters and other ethical hackers. “The majority of folks we see entering bug hunting fresh are taking advantage of the meritocratic options of entry as a way to kick off a career in cybersecurity. Democratizing this access into being a part of the solution was one of my biggest motivators for pioneering the space,” Casey Ellis, founder and CTO at Bugcrowd, recently told Dice.
“Sometimes it’s a lateral move. Automotive enthusiasts, for example, who are getting curious about security and using bounty to pivot across into automotive cybersecurity,” Ellis added. “Then there are folks who get into bug bounty as a legally safe way to learn, practice, and improve their hacking skills with the option to pursue financial rewards in the process… It really does take all kinds, and each of these is valid in my opinion.”
How Much Can Bug Bounty Hunters Earn?
The exact numbers for how much money bug bounty hunters earn can vary, since many of these ethical researchers and white hat hackers use these programs as part-time work. In addition, those select bug bounty hunters who have earned rewards surpassing $1 million also skew the average.
A 2020 report by HackerOne found that the average bounty paid for critical vulnerabilities stood at $3,650, and that the largest bounty paid to date for a single flaw was $100,000. The study also found that at least 50 hackers working with the company’s platform to find and report flaws earned an average salary of $100,000 a year in 2019.
By comparison, a full-time ethical hacker working for a U.S. organization can expect total annual compensation of about $115,700, according to the latest statistics from Glassdoor.
While the money is tempting, some experts note that the field has become increasingly competitive, with more talent seeking bigger payouts, which makes developing a skill set that much more important.
“Starting off as a bug bounty hunter is challenging. The money is good when you can make it, however, expect to spend many hours competing with highly skilled individuals for bounties. It’s a struggle, but the end result and skills that can be nurtured by working towards it are worth the time investment,” Josh Kocher, an adversarial engineer at LARES Consulting, told Dice.
What Skills Are Needed for Bug Bounty Hunting?
Since bug bounty hunting typically remains a part-time money maker for many ethical researchers, security experts and observers note that the most successful of these bug hunters rely on a combination of soft and hard skills to make an impact and collect their rewards.
Solid communications skills are a must. “An often-overlooked skill is communications and empathy. At the end of the day, the purpose of all of this is for the defender, as a business, to understand the risk and be able to fix it,” Ellis added. “Hunters that end up doing really well often excel at learning ‘what matters’ from both a business and a technical standpoint as well as how to communicate that to a variety of different audiences.”
On the technical side, Ellis noted that bug bounty hunting ebbs and flows with each year, and demand for finding flaws in certain software and systems will eventually fade out. Right now, finding vulnerabilities in legacy systems is hot due to changes wrought by COVID-19.
“Right now there’s a lot of attention being drawn to legacy systems, which were thrust onto the internet as a result of all of the digital transformation which accompanied COVID,” Ellis noted. “It seems almost counterintuitive, but learning how to apply security skills against languages like Java, ASP.NET, and even COBOL, is actually a growth area for folks looking to differentiate in the space—and all of the attention that has recently come to critical infrastructure security, where the systems tend to be older—is only going to accelerate this.”
Mike Parkin, a senior technical engineer at Vulcan Cyber, added that developing a “hacker” mindset is the first skill bug bounty hunters needed, followed by a curiosity about how hardware and software work. From there, a bug hunter can develop his or her specialty.
“So, what areas are hot now to focus on? Cloud applications and related fields are hot, though there will always be a need for conventional and mobile applications as well,” Parkin told Dice.
Another way to improve is to read up on issues and testing methodologies, said Darrell Damstedt, principal consultant at cybersecurity consulting firm Coalfire.
“Read everything. Obviously for the entertainment factor of reading cool exploits—because I love infosec and sick ‘sploits—but also to see how other researchers are testing things,” Damstedt told Dice. “For example, after seeing a blog post about how a researcher exploited a certain issue, I will try to figure out.”
Once he’s done the reading, Darmstedt then asks himself questions about what he can learn from someone else’s success in finding a flaw:
- “Would I have found that bug?”
- “If I think the answer is yes, I still will compare how I think I could have found the issue and how the author of the blog post found it.”
- “If I think the answer is no, I try to figure out what am I not doing that would cause me to miss this currently?”
- “Next, I look to see how do I go about filling those gaps?”
What Certifications Do I Need for Bug Bounty Hunting?
As with any position in cybersecurity, experts are torn on which, if any, certifications can help in bug bounty hunting and research. Several noted that any certification can provide a solid background that could help those looking to start. That being said, hands-on experience is usually the best source.
For those looking to expand their education, Parkin of Vulcan Cyber recommends Certified Ethical Hacking as a starting point, while Kocher of LARES Consulting leans toward the Offensive Security Certified Professionalcertification as one that can help build a foundation.
“OSCP training and certification are also good for teaching the mindset of being persistent and understanding the basics,” Kocher said. “Personally, that’s all I had before starting doing bug bounties. I’ve seen lots of people make good money just by being really skilled at exploiting a specific type of vulnerability.”
Other certification recommendations include the Burp Suite Certified Practitioner and the Offensive Security Web Expert certifications.