
Life as a bug bounty hunter - mkm416
https://www.technologyreview.com/s/611896/life-as-a-bug-bounty-hunter/
======
introvertmac
Bug bounty literally changed my life.

In 2013 Facebook paid me $5000; because of it I was able to pay my education
loan (in India) and avoid all that compound interest.

I started way before it was popular and actually got my current job from
this thread "list of YC companies I've worked with (Hacked)"
[https://news.ycombinator.com/item?id=10463286](https://news.ycombinator.com/item?id=10463286)

Bug bounty is really hard these days; you are competing with the whole world -
whoever reports first wins (even when you have put in equal effort).

It's good as a side hustle but you can't do it full-time these days.

~~~
justevan
I'm still doing bug bounty as my full time job these days and planning to
invest some of my bounty for a business in the future :)

~~~
claudiulodro
Are you in the US?

It seems like it may be possible to live on the bug bounty rewards in places
with cheaper cost of living, but you would need to get, like, 10 $5,000
bounties a year to survive in the US wouldn't you?

~~~
update
> you would need to get, like, 10 $5,000 bounties a year to survive in the US
> wouldn't you?

More like 2 $5k bounties a year for me. Where I live in the U.S., I could rent
a house for $500/mo ($6,000 a year), and I eat about $200 of food per month
($2,400 a year). So the cost of living per year is $8,400.

But yes, it entirely depends on where you live. For me, I specifically chose
this place so that I could live comfortably on bug bounty income.

~~~
michaelmrose
Assuming you don't need to pay for health insurance and can handle financial
ruin if you break your leg.

Assuming you don't need to pay for electricity, water, trash service,
internet, phone service, medicine, toilet paper, detergent, need to leave your
house ever, buy a computer to actually work with.

~~~
stevehawk
I mean, I had a lady brag to me that she was in a super nice apartment for
$375/mo in my area. That leaves a lot of room for toilet paper and detergent.

~~~
michaelmrose
So you, a pseudonymous stranger, have heard from an anon stranger that somewhere
there is an apartment for rent with undefined qualities and location that is
"super nice" for near 1/3 the median rent. A rate that won't rent a yurt in
most places.

------
Gasparila
I had one experience reporting a security vulnerability to a bug bounty
program and never want to do it again. I reported an issue to United Airlines
that I could reset anybody's MileagePlus number by only guessing their
Security Questions ("what is your favorite sport", etc), bypassing any email
confirmation or anything like that. After 3 months of back and forth with
their security team, they released an Android update that patched the issue. I
was then told "It turns out this fix was pushed by the QA team and was
actually unrelated to your Bug Bounty submission" and that my submission was
ineligible.

Your mileage may vary, but the headache for me is not worth the payout.

~~~
ryandrake
> Your mileage may vary

Not anymore, thanks to your report :)

------
strictnein
There are some people who make a living doing this, but 99% of people are just
making some side cash and messing around.

I've made some money doing it, not a lot, and to be honest, most of the
submissions I've sent have been to unpaid programs (but through Hackerone,
Bugcrowd, and some companies' own bug bounty systems). Why? It's fun to be able
to poke at large orgs, find issues, report them, and not have some pissy
response like I used to get before bug bounties were a thing. You'll actually
see them get fixed and you're doing stuff that may prevent unsavory types from
screwing people over.

My favorite response though is still the "This is a duplicate from [random
date six months ago]". Oh, so you're purposefully just leaving an XSS live on
your corporate SSO? Makes sense! Nobody ever tries to phish corporate logins
at large organizations.

~~~
update
> My favorite response though is still the "This is a duplicate from [random
> date six months ago]". Oh, so you're purposefully just leaving an XSS live
> on your corporate SSO? Makes sense!

Ug. I've submitted 2 bugs to Vimeo that gave this exact response. I even
followed up a few months later to see if they'd patch it and they responded,
"the developers are aware and working on it" ...

Seriously? Leaving 2 XSS bugs open on your website that you run a bug bounty
program for?? For a year?

I really wish hackerone would punish this sort of behavior as it's a waste of
every hacker's time to find a bug, write a report, only to be told it's a year
old known bug so it's not eligible for a bounty.

~~~
SandwichTeeth
I found and submitted a bug once through bugcrowd to a very well known company
where a session cookie could be used for complete account takeover even after
the user had signed out etc. I was blown away when I got the "duplicate"
response for a submission that was almost a year old. I wonder if they've ever
fixed it...

------
tptacek
If you're genuinely good at finding vulnerabilities, and you can legally work
in the US or Europe, you're pretty eminently hirable, and the impression I
have is that the rate you'll command will probably swamp what you make on
(ordinary) bounty submissions. I think most people who are really good at this
either (a) use bounty programs as a way to liquidate _extraordinary_
vulnerabilities, and are well compensated for it, or (b) do it as a side
hustle.

~~~
badrabbit
Bounties are one thing, but how about selling exploits to organizations like
zerodium? Since you won't disclose, won't they pay a lot better?

~~~
tptacek
If you can repeatably find the kinds of bugs Zerodium claims to buy, you
probably already know what your best financial options are.

------
Rotdhizon
>> Companies like Bugcrowd and HackerOne (both of which Ricafort has worked
with)

This article is very poorly written. It leaves out a lot of key details that
could sway one's takeaway. It mentions that he has done a lot of bug bounties
and not gotten paid for some of them. Were they duplicate reports? Was he
doing these on his own merit and not going through the bug bounty programs?

The staff at hackerone and bugcrowd will make sure you are squared away when
you are submitting reports and dealing with payouts. If a company were to
refuse to pay you even though you submitted an in scope report that qualified
for payment, these sites would help you resolve those conflicts.

This article to me tries to paint a picture of: Here is a hard working bug
bounty hunter whose efforts barely go noticed because so many mean companies
don't want to pay him, so he can only make a meager living.

I take it as someone who doesn't go through the proper programs and sites, so
he's playing with fire on getting his findings reported. If you are just some
random hacker who emails a company out of the blue with a random vulnerability
finding, most will not take you seriously. Companies who want to be hacked
have bug bounty programs and disclosure pathways. If he's as good as the
article paints him to be, he should be making a ton more money than it says he
is. So either he is getting royally screwed out of payments by not going
through bug bounty programs, or he isn't as good of a hunter as he may seem.

~~~
phyzome
A number of companies have bug bounty programs that do not go through
HackerOne and such, and the quality really varies, from what I hear.

~~~
Rotdhizon
Which is why it's irritating that the article left out how he's going about
this. I want to know if a majority of his findings were on a site like bugcrowd
or if he's trying to do the freelance thing and just getting shot down. I have
no input or information about experiences from freelance bug hunters, so I
don't know if being ignored is a common thing or if this guy just isn't good
enough to warrant attention.

~~~
update
You can find some of the programs he's successfully submitted to via his
website:
[http://evanricafort.com/achievements/](http://evanricafort.com/achievements/)

A lot of them aren't on H1 or bugcrowd.

------
cablej
As a bug bounty hunter, this is nowhere near normal. The average payout for a
single vulnerability is over $500, so even finding just one vulnerability a
month would be more than mentioned in the article. Full-time bug bounty
hunters often earn thousands to tens-of-thousands per month, making it far
from a "struggling" profession.

------
eterm
At least hackerone still feels focused around disclosure so if you have a dupe
you get linked to the original report.

With bugcrowd you can get closed as duplicate and never get to see the
original report so just have to trust it's really a dupe.

With hackerone you can push for disclosure which puts a clock on companies
(unless they completely disappear from the platform which has happened).

Neither feels like a route to riches, but both are good for finding companies
which probably won't aggressively react to researchers finding something.

Both major platforms feel like they've lost momentum, though. On both platforms
it feels like there isn't much in-flow of new companies, and on
bugcrowd most companies go through private programs first, which really limits
how much you can find as a casual well-meaning amateur. The participating
companies probably get a better experience that way, but the early days of
hackerone were more fun.

~~~
tptacek
Most H1 companies start "private" as well; the impression, and H1 amplifies
it, is that the general public bounty programs are really noisy.

~~~
RyJones
My experience is hackerone reports are almost 100% low effort spam, managed in
an opaque manner. I would not choose it as a platform for a new bug bounty
program.

~~~
tptacek
That is not at all my experience with H1, and we manage (and have managed) a
bunch of H1 programs for our clients. I wouldn't advise most startups to do
bug bounty programs at all, but if I was, I'd recommend H1.

~~~
RyJones
You have more experience than I have, obviously, because I'm only involved in
running one bounty program on H1.

I have not been impressed with H1. Perhaps my opinion will change as our
program matures, but I am not optimistic. I think there's a lot of space in
this market for competition.

I suspect if I was driving as much revenue as you are, they might be more
responsive. That's life.

~~~
tptacek
I mean, I don't know what the problems you had were.

I look at H1 like a loot box in a game like, I don't know, Team Fortress 2.
Most of the time you get a bunch of lame stuff. Every once in a while, no
matter how you structure your program or how much you pay, you get an
excellent bluebird bug. In a twist on how "real" loot boxes work, sometimes
you get bullshit that wastes your time.

I wouldn't pay a lot of money for access to those loot boxes, but for what
they are, they're fine, and I think H1 does a good job of presenting and
managing it.

I am _not_ a believer in the sales pitch that different bug bounty sites have
materially different cohorts of testers. The people you really want to attract
probably aren't affiliated with any particular bounty site.

------
shiado
I once found a bug for a company and reported it on Hackerone. Then they said
it was a duplicate bug report and paid nothing but also immediately fixed it.
My problem is most bug bounty programs put the power completely in the hands
of the company.

I think there is probably a market for a site where users post the bounties
with a detailed and accurate description and their desired price or the
community and affected company bid to determine the value of a bug. The
affected company could then "purchase" the bug and then the person who filed
the report would pay an authoritative trusted third party like a professional
security firm to verify the vulnerability. Then the person who found and
reported it gets paid if the third party verifies it exists. The company would
only get the vulnerability description if the third party verifies it to
exist.

------
usepgp
I used to work on the android VRP doing report analysis; I can confidently say
that we never intentionally ignored or downgraded reports to save money. There
were a few cases of things slipping through the cracks by missing bug
assignees, but the majority of the engineering staff really did want those
researchers to get as large of a payout as we could justify, and I imagine
other companies/VRPs are in a similar position.

I think the true root cause of the payment discrepancy issue we see in this
article is the bias towards believing the vulnerabilities that we find are
more significant than they may be. It often can be either a matter of pride,
or sometimes just a misunderstanding of the severity guidelines as published.

------
wolco
Feel like one could make more than $500 a year doing anything else with the
skills required for bug hunting.

~~~
Tloewald
Note he's making about that much a month, which is apparently around the
average income where he lives.

Still, it seems low.

~~~
zulln
There are people making way more on average doing it on the side. It is really
hard to judge how skilled someone is (what is the framework to compare with?),
but it is not like nobody actually makes real money.

------
BrandoElFollito
My team runs the bug bounty program for our company.

What we get is a lot, lot of garbage reports (with public programs) and we
spend a lot of time on basic communications with people who barely speak
English. At some point we had to mention that we acknowledge the reception of
each report and if you do not hear from us then it means that it is not
accepted.

And then there are the good reports and, boy, some are really neat. We gladly
pay for them and keep having many of the hunters coming back.

Making things clear from the start and keeping your word goes a long way. Bug
bounties are great when well organized and a hell on earth for the unprepared.

------
a_imho
Why do people do that? Selling their findings for chump change, possibly very
serious vulnerabilities highly paid architects missed? Obviously they want to
do The Right Thing, but they are very much in a position to negotiate.

~~~
muzani
I guess it's like fishing or hunting. You don't necessarily want to eat the
catch, but there's a certain thrill to it.

------
gammateam
Exploiting smart contracts is the ultimate bug bounty these days.

Forget these Fortune 500s, governments and startups.

And to the cynics? This is perfect for you if you hate cryptocurrencies and
everything blockchain. Yeah, they're broken, make some money off of that.

~~~
phyzome
Has there yet been any attempted legal action against someone who has
"exploited" a software contract?

I mean, most of the smart-contracts crowd seem to be of the opinion that
whatever a software contract permits must be its intent as well, but I don't
imagine that conviction would prevent them from filing suit once they'd lost
money.

~~~
busterarm
In general, doing research in the US is a bad move because of the CFAA.

~~~
gammateam
"Researching" a smart contract just means broadcasting a transaction to a node
in the network.

There are over 15,000 Ethereum full nodes, you can hit one not in the US from
your own reported location not being in the US.

The gas you use in your address also needs to be unlinked from your identity
too. So basically over tor just shapeshift like $5 worth of Monero to an
ethereum address you just created.

A transaction with a specific set of instructions will execute the smart
contract program on any of the 15,000 nodes in the network.

------
crunchlibrarian
This has been discussed a few times before on HN and I shared the anecdote
that I have attempted to report multiple serious security issues to Google and
Facebook and have been completely ignored, 100%.

There is a tiered internet nowadays: if you go by your real name and have a following
you are treated quite differently from everyone else. You can't even get a
response to emails or forms, much less get paid out a bounty, if you're not in the
former group. The algorithm has made everyone who isn't a minor celebrity
irrelevant. I don't care how much it benefits the corporations interested in
marketing to me, I don't want a following, thanks.

Fortunately being able to "crash google" at will during cocktail parties and
job interviews always impresses people, so I guess I'll just keep on doing
that until they fix the problem.

~~~
usepgp
I think your idea of "serious security issue" differs from Google's. Nobody
cares if you can cause a local crash with some bad js in the console.

