Career Paths: Bug Bounty

Overview of the lesson

For years, hackers were convicted for their activities and cataloged as criminals. Nowadays, they can legally hack some of the largest companies and get rewarded. In this lesson, we will discuss bug bounties and how they changed the collective perception of hackers and security.

What you'll learn

  • What a bug bounty program is.
  • How bug bounty works.
  • Advantages of being a bug bounty hunter.
  • Disadvantages of being a bug bounty hunter.

Most people start their career in information security by getting a corporate job as a penetration tester or security consultant. But you can make good money hacking from home, too. In this lesson, we explore the advantages and disadvantages of being a bug bounty hunter.

Prerequisites: None.
Objective: To provide an alternative to the classical penetration testing job and describe how ethical hackers can make money legally as freelancers while hacking some of the largest companies in the world.
TL;DR
  • In the last few years, an increasing number of businesses decided to use the potential of external ethical hackers to enhance their company’s security efforts.
  • A bug bounty program is a crowdsourced security solution whereby independent ethical hackers are allowed to find and report vulnerabilities in company products or infrastructure.
  • For each valid vulnerability, ethical hackers can be rewarded with t-shirts, hoodies, and gadgets or bounties up to $100,000.
  • The main advantages of being a bug bounty hunter are that you can make good money from anywhere in the world while helping the largest companies in the world keep their products secure. Also, you don't need to find clients, but just to pick a program and start hacking.
  • The main disadvantages of being a bug bounty hunter are competition, no guarantee of constant cash flow, and that you are paid only for the results.

Considering the global lack of information security professionals, small to medium enterprises struggle to find enough ethical hackers with the skills and knowledge needed to keep their services and products secure. Therefore, more and more companies have started to consider crowdsourced security a valuable tool in the vulnerability management process. Despite the significant efforts of software developers to ensure high-quality products, web and desktop applications, and even IoT devices, remain insecure. The lack of security education and training for developers, highly complex features, the use of outdated frameworks and codebases, and short production deadlines are just a few of the reasons that impede rigorous engineering practices.

However, in the last few years, an increasing number of both small-to-medium and large enterprises have decided to use the potential of external ethical hackers to enhance their company’s security efforts.

What is a bug bounty program?

A bug bounty program, also referred to as a vulnerability reward program, is a crowdsourced security solution whereby independent ethical hackers are allowed to find and report vulnerabilities in company products or infrastructure. Some of the hackers do this for a living, while others are motivated by monetary rewards (“bounties”), public recognition in the program’s hall of fame, or even job opportunities. Depending on the impact of the vulnerability, the report quality, and how easy it is to exploit, the bounty may range from a few hundred dollars up to $100,000. Businesses that cannot afford to pay a bounty usually award t-shirts, hoodies, or gadgets.

Bug bounty programs are simply the oldest form of vulnerability market. This approach has been around for more than twenty years but became popular only a few years ago, when technology giants such as Google, Yahoo and Microsoft successfully implemented it as a complement to classical penetration testing audits. This increase in popularity led to the development of several bug bounty platforms (HackerOne, Bugcrowd, Synack, Cobalt) whose purpose is to “successfully facilitate the process of building and maintaining bug-bounty programs for companies” (Mingyi Zhao). These platforms are proactive services where both small to medium and large enterprises — or even governmental bodies — expose their products to be assessed by ethical hackers, based on a well-defined testing policy.

For example, HackerOne — the largest bug bounty platform — reported that as of February 2020, more than 150.000 vulnerabilities have been fixed and rewarded with a total of $80M in bounties by hundreds of companies around the world (HackerOne 2020 Report).

How does bug bounty work?

There are several steps involved in this process, as shown in Figure 1.

Figure 1 - Bug bounty steps.
  1. First, you need to pick a target. That shouldn’t be hard, given the number of public bug bounty programs available. Just sign up on HackerOne, Bugcrowd, Intigriti or any other bug bounty platform, and you will get access to dozens of programs.
  2. After you choose your target, let’s say Paypal, read their policy carefully. The policy sets the ground rules for how security testing activities should be performed. Usually, it is split into four sections:

    • Program terms — this section describes the basic agreement between the company and the hackers. It provides information about the rules of engagement (e.g., minimum age, no extortion, etc.), legal terms, and safe harbor.
    • Bounty Program — here you can find the vulnerability types that the company is most interested in, reward structure (i.e., how much they pay for each type of vulnerability), and guidance on how to safely test for some vulnerabilities that may disrupt their services.

      When testing for a bug, please also keep in mind:
      - Only use authorized accounts so as not to inadvertently compromise the privacy of our users
      - When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
      - Read: cat /proc/1/maps
      - Write: touch /root/<your H1 username>
      - Execute: id, hostname, pwd (though, technically cat and touch also prove execution)

      Verizon bug bounty program
    • Exclusions — specifies the vulnerabilities that the company is not interested in (e.g., social engineering attacks, low impact vulnerabilities such as content injection, path disclosure, etc.).
    • Scope — defines the scope of the bug bounty program, i.e., the company assets that they want to be tested. This section may include:
      - an IP range (e.g., 1.3.3.7 - 1.3.3.250)
      - a wildcard domain, e.g., *.paypal.com — this means you can look for vulnerabilities on all paypal.com subdomains
      - a single subdomain, e.g., testing.paypal.com
      - a mobile application
      - a hardware device
      You are only allowed to test the assets listed as in-scope. If you find a vulnerability in an out-of-scope asset while testing an in-scope target, you can report it. You won’t get sued, but you probably won’t get a reward either.
  3. The next step is to start looking for vulnerabilities. Once you have found one, you need to write a proof of concept report which details your finding. The report should contain four sections:
    • A relevant title. And no, “[URGENT] CRITICAL XSS vulnerability” is not a good choice. Instead, go for a title that already offers insights about your finding: “Reflected XSS on username parameter at admin.secure.com/login”
    • A summary of your finding — what vulnerability is that? How did you find it? What is the impact?
    • The proof of concept — this section should describe, in detail, the steps to reproduce the vulnerability.
    • Impact — elaborate on the impact. What is the worst thing an attacker can do with your vulnerability?
  4. The final step for you is to submit your report to the company.
  5. Next, it’s the company’s job to review your submission and validate your findings. There are three possible scenarios here:
    • your vulnerability is valid and eligible for a bounty — in this case, the company will reward you sooner or later.
    • your vulnerability is valid, but someone else already found and reported it — in this case, your report is marked as a duplicate, and you won’t get a reward.
    • your vulnerability is not valid — you probably reported an out-of-scope vulnerability. In this case, your report is closed, and you won’t get a reward.
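The scope section is the part of a policy that decides whether a report is even eligible, so it pays to check every host against it before testing starts. The following Python checker is an added example, not code from the lesson or from any bug bounty program or platform: it parses the three machine-checkable entry kinds the lesson lists (an IP range, a wildcard domain, a single subdomain) and reports whether an asset is in scope, explicitly excluded, or simply not listed. The sample scope and the `legacy.paypal.com` exclusion are constructed for this example; CIDR entries (`10.0.0.0/24`) go one step beyond the entry forms the lesson shows and are included because real scope pages commonly use them.

```python
import ipaddress

# Constructed sample scope, modelled on the entry kinds the lesson lists.
# These are not the scope of any real program.
SAMPLE_IN_SCOPE = [
    "1.3.3.7 - 1.3.3.250",   # IP range
    "10.0.0.0/24",           # CIDR block (assumption: not in the lesson's list)
    "*.paypal.com",          # wildcard: all subdomains, not the apex itself
    "testing.paypal.com",    # a single subdomain
]
SAMPLE_OUT_OF_SCOPE = [
    "legacy.paypal.com",     # a host carved out of the wildcard (constructed)
]


def parse_ip_range(entry):
    """Return (start, end) addresses for 'a.b.c.d - e.f.g.h', else None.

    Hostnames containing '-' fall through to None because ip_address() rejects them.
    """
    if "-" not in entry:
        return None
    start, _, end = entry.partition("-")
    try:
        return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
    except ValueError:
        return None


def matches(entry, asset):
    """True if a single scope entry covers the asset (a hostname or IP literal)."""
    asset = asset.strip().lower()
    entry = entry.strip().lower()

    # IP range: compare numerically, but only within the same IP version.
    ip_range = parse_ip_range(entry)
    if ip_range is not None:
        try:
            ip = ipaddress.ip_address(asset)
        except ValueError:
            return False
        if ip.version != ip_range[0].version:
            return False
        return ip_range[0] <= ip <= ip_range[1]

    # CIDR block.
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
            return ipaddress.ip_address(asset) in net
        except ValueError:
            return False

    # Wildcard domain: require a real label boundary so that
    # 'evil-paypal.com' is not treated as a subdomain of paypal.com.
    if entry.startswith("*."):
        return asset.endswith("." + entry[2:])

    # Exact host.
    return asset == entry


def scope_status(asset, in_scope=SAMPLE_IN_SCOPE, out_of_scope=SAMPLE_OUT_OF_SCOPE):
    """Classify an asset as 'in-scope', 'excluded' or 'not-listed'.

    Exclusions are checked first, because programs typically list a broad
    wildcard as in scope and then carve specific hosts out of it.
    """
    if any(matches(e, asset) for e in out_of_scope):
        return "excluded"
    if any(matches(e, asset) for e in in_scope):
        return "in-scope"
    return "not-listed"


if __name__ == "__main__":
    for host in ["api.paypal.com", "paypal.com", "legacy.paypal.com",
                 "1.3.3.100", "1.3.4.1", "10.0.0.42", "evil-paypal.com"]:
        print(f"{host:20} {scope_status(host)}")
```

Treat "not-listed" as out of scope for testing purposes; the lesson's advice that out-of-scope findings are reportable but usually unrewarded applies equally to hosts the policy never mentions.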

Advantages

As an ethical hacker, bug bounty comes with a lot of benefits and opportunities. For creative, curiosity-driven individuals, the most significant advantage of bug bounties is that they can legally hack some of the biggest companies without worrying they will break any law. Instead of being persecuted as criminals, they are publicly recognised for their efforts and rewarded with monetary bounties or even job offers.

Making good money from anywhere in the world

According to HackerOne’s 2020 Report, ethical hackers are mainly motivated by making money, learning new things, and having fun. Since this work can be done remotely, from anywhere and by anyone, many hackers have turned this opportunity into a full-time job. Compared to a competitive salary for a similar role, an ethical hacker earns 2.7 times more money than a software engineer, without needing a computer science degree or having tight deadlines.

As a bug bounty hunter, you decide which company you want to work with, when, and how much time you should dedicate to this activity.

One of the hardest parts of most freelancing jobs is getting a constant flow of clients. As a bug bounty hunter, you will never have to stress about this. Your potential clients are already out there, presenting their bug bounty program and the rewards they offer. All you need to do is pick one and start hacking. That’s awesome, right?

Gain real-world experience while having fun

Vulnerability reward programs are an excellent way to learn and practice hacking skills, as they provide a legal and challenging environment for ethical hackers. Capture the flag competitions or vulnerable virtual machines also allow hackers to practice their skills, but they do not offer the same feeling as hacking real-world applications. For this reason, crowdsourced security attracts the interest of both experienced and novice security enthusiasts, and even blackhat hackers.

Disadvantages

Being a bug bounty hunter may sound like the ideal job, doesn’t it? However, as good as it may sound, it also has some notable drawbacks.

Competition

The first drawback is the competition. The bug bounty payment model is based on the first come, first served rule. Therefore, if several hackers report the same vulnerability, only the first will be rewarded. From this point of view, this job is a race against others to claim bounties for issues that may be discovered by more than one hacker.

Figure 2 - Vulnerability report closed as Duplicate 😑.

The primary source of stress for bug bounty hunters comes from the fact that you are paid only for the results. You can invest a few hours, a day, or even weeks to understand how an application works without being able to find a vulnerability. While trying to overcome personal limits and find a vulnerability, you may lose confidence or motivation and get burned out. All these factors can significantly damage a person’s mental health, leading to anxiety and depression. @NathanOnSecurity wrote an excellent article on this subject, so make sure you check it out.

No guarantee of constant cash flow

In contrast to a corporate job as a penetration tester, bug bounty hunting does not guarantee continuous cash flow. For this reason, you need to plan your finances in advance with realistic goals. When forecasting your payouts, always use the worst-case scenario (e.g., the lowest bounty you can get for a vulnerability). It’s better to be surprised by a higher payout than disappointed by a lower bounty than you estimated.

Without a doubt, you can make a good living from bug bounty, but if you decide to do it full-time, make sure you have some backup money just in case.

Conclusion

The increasing popularity of bug bounty programs has definitely changed the collective perception of hackers and security. While this kind of activity was previously considered illegal and hackers were persecuted, nowadays security enthusiasts can legally hack companies and get rewarded. If you are a beginner, bug bounties are an excellent way to gain real-world experience and, why not, earn some money. For experienced hackers, they can become a full-time job.
