
On Bounties and Boffins - ingve
https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/
======
withzombies
I've made a lifetime total of $2500 on bug bounties. I find them pretty
interesting as a distraction from my main job but I don't see how they can
compete.

Most platforms seem to run these private invite-only hackathons where the top
performers get a first crack at each new campaign. I was invited to one of
those and it was pretty fun hanging out with the other participants, but
application security pentesters can easily make $80k+/year in the US and none
of them were coming close to this. Additionally, a real pentest comes with
remediation advice and the consultants are incentivized to help you fix the
flaws correctly. On the flip side, a bug bounty participant is incentivized to
help fix the narrowest version possible, so they can further probe the area
for more bounties.

------
dguido
There's an extensive discussion on Twitter about this research paper in the
following three threads:

[https://twitter.com/trailofbits/status/1084791374468259846](https://twitter.com/trailofbits/status/1084791374468259846)

[https://twitter.com/trailofbits/status/1084858540248961026](https://twitter.com/trailofbits/status/1084858540248961026)

[https://twitter.com/k8em0/status/1084826951305424896](https://twitter.com/k8em0/status/1084826951305424896)

