Overview of the lesson
For years, hackers were convicted for their activities and cataloged as criminals. Nowadays, they can legally hack some of the largest companies and get rewarded. In this lesson, we will discuss bug bounties and how they changed the collective perception of hackers and security.
What you'll learn
Most people start their careers in information security by getting a corporate job as a penetration tester or security consultant. But you can make good money hacking from home, too. In this lesson, we explore the advantages and disadvantages of being a bug bounty hunter.
Prerequisites | None. |
Objective | To provide an alternative to the classical penetration testing job and describe how ethical hackers can make money legally as freelancers while hacking some of the largest companies in the world. |
TL;DR |
|
Considering the global lack of information security professionals, small to medium enterprises struggle to find enough ethical hackers with strong skills and knowledge to keep their services and products secure. Therefore, more and more companies have started to consider crowdsourced security as a valuable tool in the vulnerability management process. Despite the significant efforts of software developers to ensure high-quality products, web and desktop applications, and even IoT devices, remain insecure. The lack of security education and training for developers, highly complex features, the use of outdated frameworks and codebases, and short production deadlines are just a few of the reasons that impede rigorous engineering practices.
However, in the last few years, an increasing number of both small-to-medium and large enterprises have decided to use the potential of external ethical hackers to enhance their company’s security efforts.
A bug bounty program, also referred to as a vulnerability reward program, is a crowdsourced security solution whereby independent ethical hackers are allowed to find and report vulnerabilities in company products or infrastructure. Some of the hackers are doing this for a living, while others are motivated by monetary rewards (“bounties”), public recognition in the program’s hall of fame, or even job opportunities. Depending on the impact of the vulnerability, report quality, and how easy it is to exploit, the bounty price may range from a few hundred dollars up to $100,000. Businesses that cannot afford to pay a bounty usually award t-shirts, hoodies, or gadgets.
Bug bounty programs are simply the oldest form of vulnerability markets. This approach has been around for more than twenty years but became popular just a few years ago when technology giants such as Google, Yahoo and Microsoft successfully implemented this complementary process to the classical penetration testing audits. This increase in popularity led to the development of several bug bounty platforms (HackerOne, Bugcrowd, Synack, Cobalt) whose purpose is to “successfully facilitate the process of building and maintaining bug-bounty programs for companies” (Mingyi Zhao). These platforms are proactive services where both small to medium and large enterprises, or even governmental bodies, expose their products to be assessed by ethical hackers, based on a well-defined testing policy.
For example, HackerOne, the largest bug bounty platform, reported that as of February 2020, more than 150,000 vulnerabilities have been fixed and rewarded with a total of $80M in bounties by hundreds of companies around the world (HackerOne 2020 Report).
There are several steps involved in this process, as shown in Figure 1.
When testing for a bug, please also keep in mind:
- Only use authorized accounts so as not to inadvertently compromise the privacy of our users
- When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
  - Read: `cat /proc/1/maps`
  - Write: `touch /root/<your H1 username>`
  - Execute: `id`, `hostname`, `pwd` (though, technically `cat` and `touch` also prove execution)
As an ethical hacker, bug bounty comes with a lot of benefits and opportunities. For creative, curiosity-driven individuals, the most significant advantage of bug bounties is that they can legally hack some of the biggest companies without worrying they will break any law. Instead of being persecuted as criminals, they are publicly recognised for their efforts and rewarded with monetary bounties or even job offers.
According to HackerOne’s 2020 Report, ethical hackers are mainly motivated by making money, learning new things, and having fun. Since this work can be done remotely, by anyone from anywhere, many hackers transformed this opportunity into a full-time job. Compared to a competitive salary for a similar role, an ethical hacker earns 2.7 times more money than a software engineer without having a computer science degree or tight deadlines.
As a bug bounty hunter, you decide which company you want to work with, when, and how much time you should dedicate to this activity.
One of the hardest parts of most freelancing jobs is getting a constant flow of clients. But as a bug bounty hunter, you will never stress about this. Your potential clients are already out there, presenting their bug bounty programs and the rewards they offer. All you need to do is pick one and start hacking. That’s awesome, right?
Vulnerability reward programs are an excellent way to learn and practice hacking skills, as they provide a legal and challenging environment for ethical hackers. Capture the flag competitions or vulnerable virtual machines also allow hackers to practice their skills, but they do not offer the same feeling as hacking real-world applications. For this reason, crowdsourced security attracts the interest of both experienced and novice security enthusiasts, and even blackhat hackers.
Being a bug bounty hunter may sound like the ideal job, doesn’t it? However, as good as it may sound, it also has some notable drawbacks.
The first drawback is the competition. The payment model of bug bounty programs is based on the first come, first served rule. Therefore, if several hackers report the same vulnerability, only the first will be rewarded. From this point of view, this job is a race against others to claim bounties for issues that may be discovered by more than one hacker.
The primary source of stress for bug bounty hunters comes from the fact that you are paid only for the results. You can invest a few hours, a day, or even weeks to understand how an application works without being able to find a vulnerability. While trying to overcome personal limits and find a vulnerability, you may lose confidence or motivation and get burned out. All these factors can significantly damage a person’s mental health, leading to anxiety and depression. @NathanOnSecurity wrote an excellent article on this subject, so make sure you check it out.
In contrast to a corporate job as a penetration tester, bug bounty hunting does not guarantee continuous cash flow. For this reason, you need to plan your finances in advance with realistic goals. When forecasting your payouts, always use the worst-case scenario (e.g., the lowest bounty you can get for a vulnerability). It’s better to be surprised by a higher payout than disappointed by a bounty lower than you estimated.
Without a doubt, you can make a good living from bug bounty, but if you decide to do it full-time, make sure you have some backup money just in case.
The increasing popularity of bug bounty programs has definitely changed the collective perception of hackers and security. While this kind of activity was previously considered illegal and hackers were persecuted, nowadays, security enthusiasts can legally hack companies and get rewarded. If you are a beginner, bug bounties are an excellent way to gain real-world experience and, why not, earn some money. For experienced hackers, they can become a full-time job.