Life as a bug bounty hunter (technologyreview.com)
131 points by mkm416 7 months ago | 75 comments

Bug bounty literally changed my life.

In 2013 Facebook paid me $5000; because of it I was able to pay my education loan (in India) and avoided all that compound interest.

I started way before when it was popular and actually got my current job from this thread “list of YC companies I’ve worked with (Hacked)” https://news.ycombinator.com/item?id=10463286

Bug bounty is really hard these days, you are competing with the whole world - whoever reports first wins (even when you have put in equal effort).

It’s good as a side hustle but you can’t do it full-time these days.

I'm still doing bug bounty as my full time job these days and planning to invest some of my bounty for a business in the future :)

Are you in the US?

It seems like it may be possible to live on the bug bounty rewards in places with cheaper cost of living, but you would need to get, like, 10 $5,000 bounties a year to survive in the US wouldn't you?

> you would need to get, like, 10 $5,000 bounties a year to survive in the US wouldn't you?

More like 2 $5k bounties a year for me. Where I live in the U.S., I could rent a house for $500/mo ($6,000 a year), and I eat about $200 of food per month ($2,400 a year). So the cost of living per year is $8,400.

But yes, it entirely depends on where you live. For me, I specifically chose this place so that I could live comfortably on bug bounty income

Assuming you don't need to pay for health insurance and can handle financial ruin if you break your leg.

Assuming you don't need to pay for electricity, water, trash service, internet, phone service, medicine, toilet paper, detergent, need to leave your house ever, buy a computer to actually work with.

I mean, I had a lady brag to me that she was in a super nice apartment for $375/mo in my area. That leaves a lot of room for toilet paper and detergent.

So you, a pseudonymous stranger, have heard from an anon stranger that somewhere there is an apartment for rent with undefined qualities and location that is "super nice" for near 1/3 the median rent. A rate that won't rent a yurt in most places.

You're right, I didn't include that stuff. I was trying to price it out for someone who is renting a house/apt, but neglected the utilities bit. I actually bought a house here for $20k (in cash from bug bounties) so all I pay for is utilities. This place has an acre of forest and FIOS internet, 3 br and next to the lake. I pay about $300 a month for the services you mentioned, save health care, which I don't pay for at all at the moment.

In US, workers making minimum wage with full-time schedule make around $15,000 a year. Many people have fewer hours or lower hourly rate. They survive. It's not a great standard of living, though.

On the plus side, the bug hunter would have the advantages of being their own boss. On negative side, their finance and tax situation might be worse or at least more complicated. Probably also better to save money in case they have a stretch where bug finds or payouts drop. Someone doing that would need even lower cost of living.

There are still folks doing it full time in expensive cities.

The main aim of the game is to have extensive infrastructure and code to do asset identification & delta. When Facebook puts a new host live without ACLs, you’ve gotta wake at 3am and hit it.

And when at 3.15am the ACLs kick-in, they’ll end up closing your report as “can’t repro”.

Which is trivially remedied by taking screenshot/directory listings as evidence

Nope, I'm from a small province here in the Philippines.

I had one experience reporting a security vulnerability to a bug bounty program and never want to do it again. I reported an issue to United Airlines that I could reset anybody's MileagePlus number by only guessing their Security Questions ("what is your favorite sport", etc), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible.

Your mileage may vary, but the headache for me is not worth the payout

> Your mileage may vary

Not anymore, thanks to your report :)

Well, United? Really?

Even before the "incident" normally it was enough to use them one time to understand:

1. Sooner or later something like this had to happen and

2. Never fly them again.

Exploiting smart contracts is the ultimate bug bounty these days.

Forget these Fortune 500s, governments and startups.

And to the cynics? This is perfect for you if you hate cryptocurrencies and everything blockchain. Yeah, they're broken, make some money off of that.

If you believe, as many of us do, that cryptocurrencies are really self-organizing distributed Ponzi schemes, then there's really no ethical way to make a living taking money out of them; every dollar you extract ultimately contains some significant component surrendered by an economically vulnerable person in the US, Asia, Africa, &c.

There's also lots of bug bounties for smart contracts, cryptocurrencies, etc. And they typically pay pretty well. So make money, fix problems, and stay out of jail is also another avenue.


and you can also "audit" these things at a nice premium for a day job as well

the hackerone bug bounty formalization was just getting up to speed, but the competition has greatly expanded.

exploit, audit, bug bounty.. it's all semantics in my opinion. you get paid, and you have to weigh what kind of liability you create. where's the distinction? Even people that go straight through hackerone or some company's bug program wind up with undue liability, it's still better not to be known in your most "compliant" way

How would you go about getting started with the bounties for cryptocurrencies? What sort of skills or background is needed? It's not so good if you need to be a hardened c++ dev with 10 years of experience. :*(

you don't need to be a hardened c++ dev with 10 years of experience. that's what you need if you don't want your currency to be exploitable.

forget the money and the terms, these are just linked lists with memory leaks. very profitable memory leaks. sometimes getting a function into a certain state gives you access to coins - a variable - just read the function.

Has there yet been any attempted legal action against someone who has "exploited" a software contract?

I mean, most of the smart-contracts crowd seem to be of the opinion that whatever a software contract permits must be its intent as well, but I don't imagine that conviction would prevent them from filing suit once they'd lost money.

I might be stretching the definition of legal: After a big project (the DAO) was hacked a group of governing people ruled in something similar to a court ruling that the money should go back to the people who put it in. Enforcement was done by having everyone agree that the money doesn't belong to the hacker anymore.

Though you can't convince everyone that "people are the law" in a system where "code is law". Which is why the Ethereum network split and people who refuse to agree stick to something called Ethereum Classic (an alternate reality where the hackers still own the funds).

Yeah code is law so far.

You will want to unlink the transaction and reintegrate later just to avoid the challenge. The disagreement with your actions might not come from the state, after all.

Except when it's not, for example ETH vs ETC.

and zero courts were necessary to express that opinion, which is the point here.

In general, doing research in the US is a bad move because of the CFAA.

"Researching" a smart contract just means broadcasting a transaction to a node in the network.

There are over 15,000 Ethereum full nodes, you can hit one not in the US from your own reported location not being in the US.

The gas you use in your address also needs to be unlinked from your identity too. So basically over tor just shapeshift like $5 worth of Monero to an ethereum address you just created.

A transaction with a specific set of instructions will execute the smart contract program on any of the 15,000 nodes in the network.

Yes, although international lawsuits and criminal charges are also a thing.

My willingness to do this is counterbalanced by the fact that I don't want to relocate to, for example, Thailand.

You immediately unlink the transactions with Monero.

You convert as much of your reward as you can into something more fungible like Ethereum or Bitcoin.

Typically this means having several unverified exchange accounts created where you deposit and trade under the unverified account threshold and withdraw. (This is typically 2 bitcoin worth, per account, per 24 hours... but there is always some new exchange with no withdrawal limits and the decentralized exchanges are pretty robust these days)

If that exchange doesn't offer Monero, or they have already blacklisted your Ethereum/Bitcoin addresses, then you Coinswitch or Shapeshift, or XMR.TO the rest.

Once in Monero nobody can blacklist any of your addresses. You can stay in Monero forever if you like, as it is good enough for reintegration into the normal economy. Or you can reintegrate slowly in other ways, such as back into Ethereum on new exchange accounts or Coinswitch/Shapeshifting back onto that blockchain, simply because there are more things to buy.

And yes, it SHOULD go without saying that you should be doing this on Tails or Whonix, and having funded addresses that are unlinked from your identity to begin with. But everyone ever caught up in a legal action has done this part wrong so far.

If it looks like criminal behavior, LEO and the courts are going to treat it like criminal behavior. What you're suggesting carries a very large risk profile for someone living in a country where it can be safely assumed that all communications are captured.

Someone who places a high value on their freedom and happens to live in most of the desirable countries probably shouldn't be doing this.

OpSec shouldn't be treated lightly -- there's good reasons why folks like the grugq live in Thailand.

Right, the thing is there are 100 other reasons to use Monero if you spend any time using transparent blockchains.

What is described here works for all 100 reasons and is a best practice and is indiscriminate from what a hacker needs to do

The only "outlier" for your overzealous prosecutor's conspiracy charge is that not a lot of people understand this best practice. The solution? Talk about it.

I'm with you, but I wouldn't roll the dice on a judge or jury with poorly understood technology.

While there are 100 perfectly legitimate reasons to structure your transactions the exact same way someone laundering illicit money would, you probably don't want to become that test case.

correct, you wouldn't want to get caught.

either way, the US federal criminal charge of money laundering is heavily misunderstood by the public. people are uneasy at merely moving their own money, let alone watching someone else potentially obfuscate the origin of the money.

obfuscating the origin isn't illegal

the US federal money laundering requires the origin itself to be illicit AND THEN for it to be obfuscated

so the government would already have to weigh what happened at the origin, they'd also have to know about the origin, and yeah in this one case it would have implications on how smart contract intent is formed

sure, you don't want to be the experiment, but it's already a tall order to get there. save some money for appeals court.

Isn't this only an issue in jurisdictions with civil forfeiture? If a $10M bag of cash materialized in your house, and you properly paid income tax on it, what can the government do?

well in the US it is also illegal to pay tax on income from illicit sources.

so people obfuscate the source and reintegrate into the economy from a new source. if this fails and the government investigates the obfuscation AND finds the source is illicit, then you have the same problem (well actually more crimes to be charged with).

and no, this isn't a civil forfeiture issue, but also not mutually exclusive

VPN + Tor also not enough?

In the 2015-2016 Playpen onion site cases, the FBI demonstrated an exploit which hopped outside of the TOR browser to run on clearnet and unmask the users' computers leading to many many indictments (unsure about convictions).

So the main step is to have an entire environment that is hardened by TOR, which Whonix offers with its dual VM setup where the entire guest OS runs through a TOR gateway VM.

Sure the exit node may still be problematic and that's where VPN comes in.

But all this isn't really necessary for broadcasting a cryptocurrency transaction. You can create the transaction file anywhere and just have a different computer send that file to the cryptocurrency network (also called broadcasting the transaction).

The network sees the IP address of the computer that relayed the transaction. On Ethereum's network many people use Infura, and therefore most nodes only see the IP address of Infura. You can broadcast to Infura over TOR.

It is theoretically possible that Infura, your exit node and your VPN are all accessible by subpoena. The subpoenas need to be based on the idea of some wrongdoing, and since it isn't 2012 anymore, nobody is doing a dragnet on all cryptocurrency transactions. Yours would look just as benign as anyone else's, and anyone tracing the transaction would eventually be stonewalled by Monero's blockchain. So, that case has never been seen.

Thanks for the guide on money laundering using crypto currency. It's shocking that crypto currency has such a bad reputation these days.

You're welcome.

It is supposed to be provocative as this particular route isn't used nearly enough, you can read indictments and see that.

There is a little bit of a shift, in one indictment the government was able to seize wallets and they were able to retrieve the addresses and amounts of Bitcoin, Zcash, but they could only make a footnote that they had a Monero wallet and didn't know the amounts or the addresses or senders of the recipients involved.

Monero is a public but opaque blockchain, and should be the default holdings for people, with occasional interaction with the rest of the crypto economy for conversion. It should always be a buffer between your national currency accounts and your crypto economy accounts.

It raises the bar for government investigations back to the level required to get information about your bank accounts.

With banks, the government needs subpoenas and warrants for multiple financial institutions to learn about what an investigated customer is doing.

With transparent blockchains, the government does not need a subpoena or warrant to analyze transactions and draw conclusions. They can just scan it like any other participant can.

With Monero, the government would need subpoenas and warrants for multiple exchanges to learn about what an investigated customer is doing. And if the customer follows best practices, there are limitations on the information that the exchanges would have, because one hop into the Monero network and the funds are not traceable. It is then easy for the customer to hop onto another blockchain. European Commission has proposed banning the RingCT technology used here, but that is a knee-jerk reaction as they have just gotten used to the transparency that non-opaque blockchains like Bitcoin offer for investigators.

General benign Monero use would be indiscriminate from money laundering, protecting everyone from financial sanctions and requiring law enforcement to do real investigations into whatever action they are actually trying to prevent, since they can no longer lazily leverage financial intermediaries.

There are some people who make a living doing this, but 99% of people are just making some side cash and messing around.

I've made some money doing it, not a lot, and to be honest, most of the submissions I've sent have been to unpaid programs (but through Hackerone, Bugcrowd, and some companies' own bug bounty systems). Why? It's fun to be able to poke at large orgs, find issues, report them, and not have some pissy response like I used to get before bug bounties were a thing. You'll actually see them get fixed and you're doing stuff that may prevent unsavory types from screwing people over.

My favorite response though is still the "This is a duplicate from [random date six months ago]". Oh, so you're purposefully just leaving an XSS live on your corporate SSO? Makes sense! Nobody ever tries to phish corporate logins at large organizations.

> My favorite response though is still the "This is a duplicate from [random date six months ago]". Oh, so you're purposefully just leaving an XSS live on your corporate SSO? Makes sense!

Ug. I've submitted 2 bugs to Vimeo that gave this exact response. I even followed up a few months later to see if they'd patch it and they responded, "the developers are aware and working on it" ...

Seriously? Leaving 2 XSS bugs open on your website that you run a bug bounty program for?? for a year?

I really wish hackerone would punish this sort of behavior as it's a waste of every hacker's time to find a bug, write a report, only to be told it's a year old known bug so it's not eligible for a bounty.

I found and submitted a bug once through bugcrowd to a very well known company where a session cookie could be used for complete account takeover even after the user had signed out etc. I was blown away when I got the "duplicate" response for a submission that was almost a year old. I wonder if they've ever fixed it...

If you're genuinely good at finding vulnerabilities, and you can legally work in the US or Europe, you're pretty eminently hirable, and the impression I have is that the rate you'll command will probably swamp what you make on (ordinary) bounty submissions. I think most people who are really good at this either (a) use bounty programs as a way to liquidate extraordinary vulnerabilities, and are well compensated for it, or (b) do it as a side hustle.

Bounties are one thing but how about selling exploits to organizations like zerodium? Since you won't disclose, won't they pay a lot better?

If you can repeatably find the kinds of bugs Zerodium claims to buy, you probably already know what your best financial options are.

>> Companies like Bugcrowd and HackerOne (both of which Ricafort has worked with)

This article is very poorly written. It leaves out a lot of key details that could sway one's takeaway. It mentions that he has done a lot of bug bounties and not gotten paid for some of them. Were they duplicate reports? Was he doing these on his own merit and not going through the bug bounty programs?

The staff at hackerone and bugcrowd will make sure you are squared away when you are submitting reports and dealing with payouts. If a company were to refuse to pay you even though you submitted an in scope report that qualified for payment, these sites would help you resolve those conflicts.

This article to me tries to paint a picture of: Here is a hard working bug bounty hunter whose efforts barely go noticed because so many mean companies don't want to pay him, he can only make a meager living.

I take it as someone who doesn't go through the proper programs and sites, so he's playing with fire on getting his findings reported. If you are just some random hacker who emails a company out of the blue with a random vulnerability finding, most will not take you seriously. Companies who want to be hacked, have bug bounty programs and disclosure pathways. If he's as good as the article paints him to be, he should be making a ton more money than it says he is. So either he is getting royally screwed out of payments by not going through bug bounty programs, or he isn't as good of a hunter as he may seem.

Sorry, though I spend a lot of time on bc and h1, I didn't mention that I also hunt on other companies outside bc & h1. And btw not all companies offer monetary rewards. Some are just swag and other stuff.

A number of companies have bug bounty programs that do not go through HackerOne and such, and the quality really varies, from what I hear.

Which is why it's irritating that the article left out how he's going about this. I want to know if a majority of his findings were on a site like bugcrowd or if he's trying to do the freelance thing and just getting shot down. I have no input or information about experiences from freelance bug hunters, so I don't know if being ignored is a common thing or if this guy just isn't that good to warrant himself attention.

You can find some of the programs he's successfully submitted to via his website: http://evanricafort.com/achievements/

a lot of them aren't on H1 or bugcrowd.

Yeah, he could be throwing up stuff on openbugbounty, with its "spam 30 different @company.com email addresses" method of bug reporting.

Hackerone has both managed and self-managed programs, so even through hackerone not all the programs are well run.

At least hackerone still feels focused around disclosure so if you have a dupe you get linked to the original report.

With bugcrowd you can get closed as duplicate and never get to see the original report so just have to trust it's really a dupe.

With hackerone you can push for disclosure which puts a clock on companies (unless they completely disappear from the platform which has happened).

Neither feel like a route to riches but both are good for finding companies which probably won't aggressively react to researchers finding something.

Both major platforms feel like they've lost momentum though, on both platforms though it feels like there isn't much in-flow of new companies, and on bugcrowd most companies go through private programs first which really limits how much you can find as a casual well-meaning amateur. The participating companies probably get a better experience that way but the early days of hackerone were more fun.

Most H1 companies start "private" as well; the impression, and H1 amplifies it, is that the general public bounty programs are really noisy.

My experience is hackerone reports are almost 100% low effort spam, managed in an opaque manner. I would not choose it as a platform for a new bug bounty program.

That is not at all my experience with H1, and we manage (and have managed) a bunch of H1 programs for our clients. I wouldn't advise most startups to do bug bounty programs at all, but if I was, I'd recommend H1.

You have more experience than I have, obviously, because I'm only involved in running one bounty program on H1.

I have not been impressed with H1. Perhaps my opinion will change as our program matures, but I am not optimistic. I think there's a lot of space in this market for competition.

I suspect if I was driving as much revenue as you are, they might be more responsive. That's life.

I mean, I don't know what the problems you had were.

I look at H1 like a loot box in a game like, I don't know, Team Fortress 2. Most of the time you get a bunch of lame stuff. Every once in awhile, no matter how you structure your program or how much you pay, you get an excellent bluebird bug. In a twist on how "real" loot boxes work, sometimes you get bullshit that wastes your time.

I wouldn't pay a lot of money for access to those loot boxes, but for what they are, they're fine, and I think H1 does a good job of presenting and managing it.

I am not a believer in the sales pitch that different bug bounty sites have materially different cohorts of testers. The people you really want to attract probably aren't affiliated with any particular bounty site.

I used to work on the android VRP doing report analysis; I can confidently say that we never intentionally ignored or downgraded reports to save money. There were a few cases of things slipping through the cracks by missing bug assignees, but the majority of the engineering staff really did want those researchers to get as large of a payout as we could justify, and I imagine other companies/VRPs are in a similar position.

I think the true root cause of the payment discrepancy issue we see in this article is the bias towards believing the vulnerabilities that we find are more significant than they may be. It often can be either a matter of pride, or sometimes just a misunderstanding of the severity guidelines as published.

As a bug bounty hunter, this is nowhere near normal. The average payout for a single vulnerability is over $500, so even finding just one vulnerability a month would be more than mentioned in the article. Full-time bug bounty hunters often earn thousands to tens-of-thousands per month, making it far from a "struggling" profession.

I once found a bug for a company and reported it on Hackerone. Then they said it was a duplicate bug report and paid nothing but also immediately fixed it. My problem is most bug bounty programs put the power completely in the hands of the company.

I think there is probably a market for a site where users post the bounties with a detailed and accurate description and their desired price or the community and affected company bid to determine the value of a bug. The affected company could then "purchase" the bug and then the person who filed the report would pay an authoritative trusted third party like a professional security firm to verify the vulnerability. Then the person who found and reported it gets paid if the third party verifies it exists. The company would only get the vulnerability description if the third party verifies it to exist.

Feel like one could make more than $500 a year doing anything else with the skills required for bug hunting.

Note he's making about that much a month, which is apparently around the average income where he lives.

Still, it seems low.

There are people making way more on average doing it on the side. It is really hard to judge how skilled someone is (what is the framework to compare with?), but it is not like nobody actually makes real money.

My team runs the bug bounty program for our company.

What we get is a lot, lot of garbage reports (with public programs) and we spend a lot of time on basic communications with people who barely speak English. At some point we had to mention that we acknowledge the reception of each report and if you do not hear from us then it means that it is not accepted.

And then there are the good reports and, boy, some are really neat. We gladly pay for them and keep having many of the hunters coming back.

Making things clear from the start and keeping your word goes a long way. Bug bounties are great when well organized and a hell on earth for the unprepared.

Why do people do that? Selling their findings for chump change, possibly very serious vulnerabilities highly paid architects missed? Obviously they want to do The Right Thing, but they are very much in a position to negotiate.

I guess it's like fishing or hunting. You don't necessarily want to eat the catch, but there's a certain thrill to it.

This has been discussed a few times before on HN and I shared the anecdote that I have attempted to report multiple serious security issues to Google and Facebook and have been completely ignored, 100%.

There is a tiered internet nowadays, if you go real name and have a following you are treated quite differently from everyone else. You can't even get a response to emails or forms, much less paid out a bounty if you're not in the former group. The algorithm has made everyone who isn't a minor celebrity irrelevant. I don't care how much it benefits the corporations interested in marketing to me, I don't want a following, thanks.

Fortunately being able to "crash google" at will during cocktail parties and job interviews always impresses people, so I guess I'll just keep on doing that until they fix the problem.

I think your idea of "serious security issue" differs from Google's. Nobody cares if you can cause a local crash with some bad js in the console.

"Crash Google" in what way?

How viable would it be to write a blog post about it so it gets some attention?

Much like what happens when someone gets banned and posts an article on it, to get someone on the inside to notice and help out.

Or is that too risky even if you censor the juiciest details?

"Completely ignored" doesn't sound right. Did they truly ignore you, or did they say "that doesn't qualify"?
