For many, bug bounties present a way to escape the rat race—a way to exchange the handcuffs of employment for the freedom of autonomous control over not only our day but our financial future. As appealing as this future sounds, it’s important to remain objective and methodical about turning something like bug hunting into the way you keep the lights on. It’s not wise to make life-altering decisions without pragmatically considering all the factors. If you’re on the precipice of taking this path, this blog outlines important pros and cons to consider when considering turning bug hunting into a full-time career.
Author’s note: While I haven’t exclusively done bug bounties for a living, I have earned enough in a year (with part-time hunting around a pen testing job) that I easily could have. For seven years, I also played online poker professionally as my only source of income. While professional poker is not the same as professional bug bounty, the mindset and life requirements, environments, setups, and strategies have very direct correlations. I believe that these two shared experiences put me in a unique position to discuss at length the considerations you should make before taking the leap.
The most obvious consideration is prior experience. Not only should you honestly gauge your hacking abilities, but you should also assess your time spent in the industry. This will give you an idea of the kind of return you can expect and how quickly you can expect it. If you’re considering making a run at doing bug bounties for a living without having already put a significant amount of time into hunting, you’re going to be at a distinct disadvantage, for a few key reasons:
Demographic, country, and external factors can work against your dream of becoming a full-time bug hunter. Bug bounties are typically paid in the US dollar, which for many regions means a higher return on your work because many countries have a lower cost of living than the US. By the same token, this can pose a distinct disadvantage to people living in expensive countries, such as the US. This isn’t to say that earning a living off of bug hunting is impossible, but it does mean you have to take stock of different financial considerations, Including cost of living and cost of goods. It’s also important to learn how capital gains tax works with conversion rates—the cash benefit you receive in conversion is still taxed. It’s not “free money.”
Additionally, consider your ability to obtain a mortgage or other financial application needs. Being self-employed brings a different set of financial obligations when applying for loans, and it’s good to be aware of this ahead of time so you can plan appropriately.
Likewise, personal and external factors can’t be ignored. Do you have a high number of expenses? Are you certain you can cover those even in a bad month or if you fall ill? Have you factored in the need to save for retirement, health care, and time off? Finally, who else is going to be influenced by your decision? For me, I began playing poker at a time when I was young, single, and lacking dependents, which suited me very well at the time. I now have external responsibilities, and the decision is no longer my own, given it would impact my entire family. Considering the circumstances, as well as the current and near future, is an important part of the decision-making process.
Although this may sound obvious, I have found that many get caught up in the excitement of early success, often ignoring these kinds of considerations, whether intentionally or unintentionally. Initial success may make you think you’ve got things handled, but later, when you get sick, need a break, or have a difficult conversation with family members who may not agree with your decision, this venture might become one you regret. Planning your career and financial future with these factors in mind is, in my opinion, the most important part of any decision-making process.
In poker, we pass around a shared piece of wisdom: always have at least one year of expenses in savings in addition to your 100 buy-ins of table stakes before even considering playing poker for a living. These two buffers not only mean that you can sustain a losing streak (as happens in skill-based games with elements of luck), but they will also help sustain your mental state throughout those periods because they will afford you the space to think in expected value (EV), not direct value. This freedom is not to be underestimated. Creating this financial cushion will allow you to continue to work at your best and make good decisions without fear that you can’t put food on the table.
EV is the idea that if you make good decisions, the right decisions, they will render into $y return over the long term. Let’s break it down:
Once you’ve arrived at your numbers, you can start to use them to work out your expected returns. You must subtract taxes, health care costs, and other expenses to see if bug hunting could be a feasible living for you. It’s important to be honest with yourself. Here are a few questions to ask yourself before moving forward:
For many, this calculation will show that bug hunting is best left as a lucrative hobby. Others may be facing different life circumstances or have the risk appetite to make full-time hunting feasible. Again, this is a risk you only accept after working out the logistics and understanding how you might be affected by them.
Extending on the concept of EV, another significant consideration is your burn rate. The burn rate essentially refers to how much money you spend each month and how quickly you will go through your savings if you were to stop having an income.
For example, let’s assume that through your bug bounty journey to date, you’ve saved $10,000. You have expenses (including taxes to be paid) and entertainment costs of $2500 a month. With the amount saved, you’d be able to sustain yourself for four months. However, this assumes that you could immediately land another job, should the four months go by, and you don’t make any additional purchases.
A much more prudent approach would be to try your hand at bounties for two months and then reevaluate your position. If you manage to make enough to cover your expenses (of $2500 a month in our example) and enough to save up for four months of expenses, then you can feel confident that you’re starting to find a sustainable approach to earning a living through bug bounties. Regularly tracking your burn rate (aka “cash runway”) and the point at which you may need to consider looking for another job is important in keeping a realistic picture of your financials.
The “what” and “why” will ultimately guide your actions. What drives your decisions? Why do you want to turn bug hunting into a full-time living? If your goal is to hack cool things all day, you might consider becoming a pentester (assuming you find a firm with varied and interesting work), where a lot of the considerations above no longer apply. You’d be able to make a salary while still hunting on the side. In my experience, the biggest benefit of being a pentester is that all your expenses are covered. It’s a full-time day job that gives you the freedom to bug hunt for fun on targets you enjoy. The context switch between bug bounties and pen testing is also different enough, at least for me, that burnout is less likely—not to mention you’ll have paid holiday time where you can take time off from doing anything infosec-related.
Ultimately, if you’ve considered the above and you’ve made accommodations to allow you the flexibility to approach bug bounties skillfully and competently, then I wish you every success available and can’t wait to see you in the queue.
If you enjoyed this article or have any questions, you can find me at twitter.com/codingo_. I regularly post various items of interest to the hacking and bug bounty community and would love to have a chat!