In 2013 Facebook paid me $5000; because of it I was able to pay off my education loan (in India) and avoid all that compound interest.
I started way before it was popular and actually got my current job from this thread:
“list of YC companies I’ve worked with (Hacked)”
Bug bounty is really hard these days; you are competing with the whole world, and whoever reports first wins (even when you have put in equal effort).
It’s good as a side hustle, but you can’t do it full-time these days.
It seems like it may be possible to live on the bug bounty rewards in places with cheaper cost of living, but you would need to get, like, 10 $5,000 bounties a year to survive in the US wouldn't you?
More like 2 $5k bounties a year for me. Where I live in the U.S., I could rent a house for $500/mo ($6,000 a year), and I eat about $200 of food per month ($2,400 a year). So the cost of living per year is $8,400.
But yes, it entirely depends on where you live. For me, I specifically chose this place so that I could live comfortably on bug bounty income.
Assuming you don't need to pay for electricity, water, trash service, internet, phone service, medicine, toilet paper, detergent, need to leave your house ever, buy a computer to actually work with.
On the plus side, the bug hunter would have the advantages of being their own boss. On the negative side, their finance and tax situation might be worse, or at least more complicated. It would probably also be better to save money in case they have a stretch where bug finds or payouts drop. Someone doing that would need an even lower cost of living.
The main aim of the game is to have extensive infrastructure and code to do asset identification & delta. When Facebook puts a new host live without ACLs, you’ve gotta wake at 3am and hit it.
Your mileage may vary, but the headache for me is not worth the payout.
Not anymore, thanks to your report :)
Even before the "incident" normally it was enough to use them one time to understand:
1. Sooner or later something like this had to happen and
2. Never fly them again.
Forget these fortunes 500s, governments and startups.
And to the cynics? This is perfect for you if you hate cryptocurrencies and everything blockchain. Yeah, they're broken, make some money off of that.
and you can also "audit" these things at a nice premium for a day job as well
the hackerone bug bounty formalization was just getting up to speed, but the competition has greatly expanded.
exploit, audit, bug bounty.. it's all semantics in my opinion. you get paid, and you have to weigh what kind of liability you create. where's the distinction? Even people that go straight through hackerone or some company's bug program wind up with undue liability; it's still better not to be known in your most "compliant" way
forget the money and the terms, these are just linked lists with memory leaks. very profitable memory leaks. sometimes getting a function into a certain state gives you access to coins - a variable - just read the function.
I mean, most of the smart-contracts crowd seem to be of the opinion that whatever a software contract permits must be its intent as well, but I don't imagine that conviction would prevent them from filing suit once they'd lost money.
Though you can't convince everyone that "people are the law" in a system where "code is law". Which is why the Ethereum network split and people who refuse to agree stick to something called Ethereum Classic (an alternate reality where the hackers still own the funds).
You will want to unlink the transaction and reintegrate later just to avoid the challenge. The disagreement with your actions might not come from the state, after all.
There are over 15,000 Ethereum full nodes, you can hit one not in the US from your own reported location not being in the US.
The gas you use in your address also needs to be unlinked from your identity. So basically, over tor, just shapeshift like $5 worth of Monero to an ethereum address you just created.
A transaction with a specific set of instructions will execute the smart contract program on any of the 15,000 nodes in the network.
You convert as much of your reward as you can into something more fungible like Ethereum or Bitcoin.
Typically this means having several unverified exchange accounts created where you deposit and trade under the unverified account threshold and withdraw. (This is typically 2 bitcoin worth, per account, per 24 hours... but there is always some new exchange with no withdrawal limits and the decentralized exchanges are pretty robust these days)
If that exchange doesn't offer Monero, or they have already blacklisted your Ethereum/Bitcoin addresses, then you Coinswitch or Shapeshift, or XMR.TO the rest.
Once in Monero nobody can blacklist any of your addresses. You can stay in Monero forever if you like, as it is good enough for reintegration into the normal economy. Or you can reintegrate slowly in other ways, such as back into Ethereum on new exchange accounts or Coinswitch/Shapeshifting back onto that blockchain, simply because there are more things to buy.
And yes, it SHOULD go without saying that you should be doing this on Tails or Whonix, and having funded addresses that are unlinked from your identity to begin with. But everyone ever caught up in a legal action has done this part wrong so far.
Someone who places a high value on their freedom and happens to live in most of the desirable countries probably shouldn't be doing this.
OpSec shouldn't be treated lightly -- there are good reasons why folks like the grugq live in Thailand.
What is described here works for all 100 reasons and is a best practice and is indiscriminate from what a hacker needs to do
The only "outlier" for your overzealous prosecutor's conspiracy charge is that not a lot of people understand this best practice. The solution? Talk about it.
While there are 100 perfectly legitimate reasons to structure your transactions the exact same way someone laundering illicit money would, you probably don't want to become that test case.
either way, the US federal criminal charge of money laundering is heavily misunderstood by the public. people are uneasy at merely moving their own money, let alone watching someone else potentially obfuscate the origin of the money.
obfuscating the origin isn't illegal
the US federal money laundering requires the origin itself to be illicit AND THEN for it to be obfuscated
so the government would already have to weigh what happened at the origin, they'd also have to know about the origin, and yeah in this one case it would have implications on how smart contract intent is formed
sure, you don't want to be the experiment, but it's already a tall order to get there. save some money for appeals court.
so people obfuscate the source and reintegrate into the economy from a new source. if this fails and the government investigates the obfuscation AND finds the source is illicit, then you have the same problem (well actually more crimes to be charged with).
and no, this isn't a civil forfeiture issue, but also not mutually exclusive
So the main step is to have an entire environment that is hardened by TOR, which Whonix offers with its dual VM setup where the entire guest OS runs through a TOR gateway VM.
Sure, the exit node may still be problematic, and that's where VPN comes in.
But all this isn't really necessary for broadcasting a cryptocurrency transaction. You can create the transaction file anywhere and just have a different computer send that file to the cryptocurrency network (also called broadcasting the transaction).
The network sees the IP address of the computer that relayed the transaction. On Ethereum's network many people use Infura, and therefore most nodes only see the IP address of Infura. You can broadcast to Infura over TOR.
It is theoretically possible that Infura, your exit node and your VPN are all accessible by subpoena. The subpoenas need to be based on the idea of some wrongdoing, and since it isn't 2012 anymore, nobody is doing a dragnet on all cryptocurrency transactions. Yours would look just as benign as anyone else's, and anyone tracing the transaction would eventually be stonewalled by Monero's blockchain. So, that case has never been seen.
It is supposed to be provocative as this particular route isn't used nearly enough, you can read indictments and see that.
There is a little bit of a shift: in one indictment the government was able to seize wallets and retrieve the addresses and amounts of Bitcoin and Zcash, but they could only make a footnote that they had a Monero wallet and didn't know the amounts or the addresses, senders or recipients involved.
Monero is a public but opaque blockchain, and should be the default holdings for people, with occasional interaction with the rest of the crypto economy for conversion. It should always be a buffer between your national currency accounts and your crypto economy accounts.
It raises the bar for government investigations back to the level required to get information about your bank accounts.
With banks, the government needs subpoenas and warrants for multiple financial institutions to learn about what an investigated customer is doing.
With transparent blockchains, the government does not need a subpoena or warrant to analyze transactions and draw conclusions. They can just scan it like any other participant can.
With Monero, the government would need subpoenas and warrants for multiple exchanges to learn about what an investigated customer is doing. And if the customer follows best practices, there are limitations on the information that the exchanges would have, because one hop into the Monero network and the funds are not traceable. It is then easy for the customer to hop onto another blockchain. The European Commission has proposed banning the RingCT technology used here, but that is a knee-jerk reaction, as they have just gotten used to the transparency that non-opaque blockchains like Bitcoin offer for investigators.
General benign Monero use would be indiscriminate from money laundering, protecting everyone from financial sanctions and requiring law enforcement to do real investigations into whatever action they are actually trying to prevent, since they can no longer lazily leverage financial intermediaries.
I've made some money doing it, not a lot, and to be honest, most of the submissions I've sent have been to unpaid programs (but through Hackerone, Bugcrowd, and some companies own bug bounty systems). Why? It's fun to be able to poke at large orgs, find issues, report them, and not have some pissy response like I used to get before bug bounties were a thing. You'll actually see them get fixed and you're doing stuff that may prevent unsavory types from screwing people over.
My favorite response though is still the "This is a duplicate from [random date six months ago]". Oh, so you're purposefully just leaving an XSS live on your corporate SSO? Makes sense! Nobody ever tries to phish corporate logins at large organizations.
Ugh. I've submitted 2 bugs to Vimeo that got this exact response. I even followed up a few months later to see if they'd patch it and they responded, "the developers are aware and working on it" ...
Seriously? Leaving 2 XSS bugs open on your website that you run a bug bounty program for?? for a year?
I really wish hackerone would punish this sort of behavior as it's a waste of every hacker's time to find a bug, write a report, only to be told it's a year old known bug so it's not eligible for a bounty.
This article is very poorly written. It leaves out a lot of key details that could sway one's takeaway. It mentions that he has done a lot of bug bounties and not gotten paid for some of them. Were they duplicate reports? Was he doing these on his own merit and not going through the bug bounty programs?
The staff at hackerone and bugcrowd will make sure you are squared away when you are submitting reports and dealing with payouts. If a company were to refuse to pay you even though you submitted an in scope report that qualified for payment, these sites would help you resolve those conflicts.
This article to me tries to paint a picture of: Here is a hard-working bug bounty hunter whose efforts barely go noticed because so many mean companies don't want to pay him, so he can only make a meager living.
I take it as someone who doesn't go through the proper programs and sites, so he's playing with fire on getting his findings reported. If you are just some random hacker who emails a company out of the blue with a random vulnerability finding, most will not take you seriously. Companies who want to be hacked have bug bounty programs and disclosure pathways. If he's as good as the article paints him to be, he should be making a ton more money than it says he is. So either he is getting royally screwed out of payments by not going through bug bounty programs, or he isn't as good of a hunter as he may seem.
a lot of them aren't on H1 or bugcrowd.
With bugcrowd you can get closed as duplicate and never get to see the original report, so you just have to trust it's really a dupe.
With hackerone you can push for disclosure which puts a clock on companies (unless they completely disappear from the platform which has happened).
Neither feel like a route to riches but both are good for finding companies which probably won't aggressively react to researchers finding something.
Both major platforms feel like they've lost momentum, though. On both platforms it feels like there isn't much inflow of new companies, and on bugcrowd most companies go through private programs first, which really limits how much you can find as a casual, well-meaning amateur. The participating companies probably get a better experience that way, but the early days of hackerone were more fun.
I have not been impressed with H1. Perhaps my opinion will change as our program matures, but I am not optimistic. I think there's a lot of space in this market for competition.
I suspect if I was driving as much revenue as you are, they might be more responsive. That's life.
I look at H1 like a loot box in a game like, I don't know, Team Fortress 2. Most of the time you get a bunch of lame stuff. Every once in a while, no matter how you structure your program or how much you pay, you get an excellent bluebird bug. In a twist on how "real" loot boxes work, sometimes you get bullshit that wastes your time.
I wouldn't pay a lot of money for access to those loot boxes, but for what they are, they're fine, and I think H1 does a good job of presenting and managing it.
I am not a believer in the sales pitch that different bug bounty sites have materially different cohorts of testers. The people you really want to attract probably aren't affiliated with any particular bounty site.
I think the true root cause of the payment discrepancy issue we see in this article is the bias towards believing the vulnerabilities that we find are more significant than they may be. It often can be either a matter of pride, or sometimes just a misunderstanding of the severity guidelines as published.
I think there is probably a market for a site where users post the bounties with a detailed and accurate description and their desired price or the community and affected company bid to determine the value of a bug. The affected company could then "purchase" the bug and then the person who filed the report would pay an authoritative trusted third party like a professional security firm to verify the vulnerability. Then the person who found and reported it gets paid if the third party verifies it exists. The company would only get the vulnerability description if the third party verifies it to exist.
Still, it seems low.
What we get is a lot, lot of garbage reports (with public programs) and we spend a lot of time on basic communications with people who barely speak English. At some point we had to mention that we acknowledge the reception of each report and if you do not hear from us then it means that it is not accepted.
And then there are the good reports and, boy, some are really neat. We gladly pay for them and keep having many of the hunters coming back.
Making things clear from the start and keeping your word goes a long way. Bug bounties are great when well organized and a hell on earth for the unprepared.
There is a tiered internet nowadays, if you go real name and have a following you are treated quite differently from everyone else. You can't even get a response to emails or forms, much less paid out a bounty if you're not in the former group. The algorithm has made everyone who isn't a minor celebrity irrelevant. I don't care how much it benefits the corporations interested in marketing to me, I don't want a following, thanks.
Fortunately being able to "crash google" at will during cocktail parties and job interviews always impresses people, so I guess I'll just keep on doing that until they fix the problem.
Much like what happens when someone gets banned and posts an article on it, to get someone on the inside to notice and help out.
Or is that too risky even if you censor the juiciest details?