In Disney's hit live-action Star Wars TV show The Mandalorian, bounty hunters join a guild in order to earn status and be assured of the best bounties available. While real-world bug bounty hunters might not have a diminutive, big-eared green sidekick, it turns out that what works for a galaxy far, far away is not so different from computer bug bounties.
Bug Bounties 101
The two best-known and biggest bug-hunting organizations, HackerOne and Bugcrowd, cumulatively have raised $190.4 million of venture funding since 2011 for creating platforms that connect hackers and security researchers with organizations that offer vulnerability disclosure programs and bug bounties. The US Department of Defense defines the difference thus: disclosure programs focus on long-term, sustained vulnerability mitigation efforts, and bounties expose vulnerabilities on specific targets. Independent experts qualify that by adding that the term "bug bounty" also implies a monetary reward, while a vulnerability disclosure program does not.
HackerOne, Bugcrowd, and others like them are more than mere middlemen taking a cut of the action. They also encourage organizations across government, tech, and beyond to create new programs and work with independent hackers to test their systems. HackerOne found that hackers using its platform earned approximately $40 million in bounties in 2019, more than the cumulative total of $31 million in 2018, and its community almost doubled to more than 600,000 hackers, according to its fourth annual report on hackers and bug bounties published in February.
Established bug bounty hunters recommend that aspiring hackers looking for extra cash sign up for not just those two platforms but several more, including Bugbountyjp, Hackenproof, Intigriti, Open Bug Bounty, and Yogosha. But Casey Ellis, CTO and founder of Bugcrowd, cautions that as attractive as the bounty payouts are on paper, there's much more to bug-hunting than learning a bit of code, downloading some tools, and signing up for potentially lucrative bounty programs.
The success of Bugcrowd's hackers, he says, is tiered. Annually, a few hackers are making close to or more than $1 million, with many more making between $100,000 and $250,000. There is a still larger third tier whose purchasing power, whether because of a lower cost of living or because they're students, allows them to live off $30,000 to $40,000 per year, followed finally by hacker hobbyists.
"There's the perception that it's super-easy to go out and make a million dollars finding bugs. It's true for some, but not for most. You've got to work for it and work on your skills to get into that superstar range of earnings," Ellis says.
While bug bounties have existed since 1995, it's only been in the past decade or so that some hackers have been able to make a full-time living from them. For vulnerability researchers, no matter your level of experience, here's what you need to know about getting started down the bug bounty hunters' path.
'Chasing Money Will Burn You Out'
But before all that, bug bounty hunters should think about what they want to learn from hunting bugs, says Philippe Harewood. Harewood is one of the most prolific hackers in Facebook's bug bounty program, and he's carved out a niche by choosing a company and sticking to them. Yet there's an even bigger secret to his success than stubbornness, he says. It's mindset.
"If I do everything that I think is possible to check for a vulnerability, then I've done the best I can," he says. "I'm trying to be as creative as I can. I just have to play within the bounds and terms [of the bounty], and I'm good. I'm not going to limit myself to any mental barrier."
Harewood, who says he meditates and does yoga every morning before starting his full-time "hobby" of bug hunting, stresses that open-mindedness is crucial to bug bounty success.
"You have to have proper expectations and proper alignment" and have curiosity about finding bugs, he says. "Chasing money will burn you out."
Pick a Program You Care About
Security researcher and regular bug bounty participant Jesse Kinser says she earned her first bounty through Starbucks' program because she wanted to choose a company she was familiar with.
"Pick a program for a company that you use every day or relate to — one that you'll feel more invested in," Kinser says. "You'll have more drive to protect that data and that company."
Kinser works on both sides of the bug bounty coin. She's also the chief information security officer at health IT company LifeOmic, which runs a bug bounty program through HackerOne. Her experiences have reinforced how important communication and engagement are for both the vendor offering the bounty and the hackers hunting for vulnerabilities, she says.
"Hackers need to show why the bug is important, and the company needs to give feedback to the hacker — if it's not important or valid, why that is. That feedback from the company helps get hackers to search for the critical finds," she says. "On our program that I run, I try to get creative with it. We have a public Slack channel for any hacker on our program. If they think they're close on a bug they can engage with us, ask questions."
In addition to communicating early with the vendor, Kinser advises bug hunters to clearly document their work so they can show the vendor why the bug is important. Without that effort to communicate clearly, the importance of critical vulnerabilities can be lessened or even lost on vendors. But hackers getting started should take heed of organizations that have reputations for not engaging with hackers or outright betraying them as voting-technology company Voatz did earlier this year, she points out.
Frustratingly, she says, "I've submitted reports that have sat for months and months. Now I spend my time on companies where the engagement is high."
It's also important for beginning bug hunters to not get discouraged by the rapidly changing bug-hunting landscape, according to an experienced bounty participant based in England who declined to be identified for the story.
"For what used to be a simple cross-site scripting vulnerability now requires much more skill to get. We're seeing a lot more APIs, where everything is connected to the Internet of Things," she says. "It's not just important to follow what people did three years ago but to look at what works this year, such as far more frameworks with security controls built in."
However, she also says while it's important to stay abreast of the latest hacking trends, legacy code is still just as susceptible to vulnerabilities as new software. In the first year of Norwegian classified advertisements website FINN.no's private bounty program, run through HackerOne, the company received 221 bug reports. A total of 129 earned $55,000 for 31 hackers, but one of the most critical vulnerabilities was found in a one-line change in old code.
"That flaw tells us that all changes, both big or small, are worth investigating," the company concluded in its report on the bounty program's results published Oct. 21.
This Is the Way
The actual process of getting started requires no more than picking a target that has at least a vulnerability disclosure program, if not a paying bug bounty. Without one, even well-intentioned hackers can run afoul of anti-hacking laws such as the Computer Fraud and Abuse Act in the U.S. A new guide from Harvard Law School and the Electronic Frontier Foundation lays out some of the legal risks of security research.
A mindset built on inquisitiveness and tenaciousness will take hackers further in finding bugs than staying on top of the latest automated tools for uncovering them — skills that must be learned but are hard to teach.
Or as Mandalorian Din Djarin and others of the Mandalorian creed explain their philosophy, "This is the way." For real-world bug bounty hunters, the way starts however you can make it work, but the creed is the same: Nothing replaces hard work.