In our recently published report on the bug hunting community, we asked all kinds of bug hunters what motivates them to participate in bug bounties, and how they decide what programs to participate in. Amongst several of the groups identified in the report, time was a huge factor. With a full-time job, family and a social life, how does one fit bug bounty hunting into their busy schedule?
I recently spoke with a few of our top bug bounty hunters to learn how they work bug bounties into their lives, as well as some tips to maximize your hunting ROI with higher payouts and fewer duplicates.
Brett Buerhaus, Senior Red Team Specialist at Blizzard Entertainment (also ranked 16 on Bugcrowd with a 99.54% submission acceptance rate), had this to say:
“I’ve got a full time security job and a two-year old son, so I don’t have a lot of spare time. I see this used as an excuse a lot – but the truth is, you have a few hours every night when your family is sleeping. It’s a small price to pay if you’re passionate about what you’re doing.
I spent a lot of time as a teenager programming websites and learning application security, so I already had a lot of passion for bug bounty hunting before it was even a thing. I think that passion is what drives me to keep hunting for bounties the few hours I have a night.
The other way I look at it is that it helps me stay relevant and up-to-date on the latest application security techniques. Being able to look at many companies allows me to expand my knowledge to applications and infrastructure I may have never looked at otherwise. Also, being able to see the reports that other bug bounty hunters write allows me to bring a lot of knowledge and new techniques back to my company.
There’s also the added incentive of making money. I’m currently saving to buy a house, so this helps motivate me a lot.”
Luke Young, ranked 10th on Bugcrowd with a 100% submission acceptance rate, has a very proactive and pragmatic way of balancing his life with bug hunting:
“At the moment I view bug bounties as a hobby and a source of discretionary income so I have to be very careful to treat the time I spend on bounties accordingly. If the time I spend on bug bounties is starting to have an impact on other parts of my life like school or work it’s probably a good sign to cut back a bit. But that’s the best part about bug bounties, you have complete control of the amount of time you commit to them. You can work exclusively on bug bounties for a week or go on vacation for the entire week and the only person it directly affects is you.”
Because bug bounties only pay for valid bugs, for many there is a tight connection between time spent and money earned. This is a paradigm shift for many penetration testers and can cause doubt around ROI; in some cases a researcher can feel discouraged that they might not be able to find a valid bug at all. But fear not, there’s opportunity out there!
From an outsider’s point of view or a novice bug bounty hunter’s perspective, it can be easy to doubt the possibility of making a positive return on investment when bug bounty hunting.
“It’s already proven that some bug bounty hunters are making several hundred-thousand dollars a year doing this full-time. I personally wouldn’t commit to it full-time, but every year for the past few years, I have nearly matched my full-time salary just doing part-time bug bounty work”, said Buerhaus.
“If you are new to application security, you’re going to have some ramp up time before you can start making serious money,” continued Buerhaus. “If you commit a few months to learning, you should be able to start finding those thousand dollar vulnerabilities.”
Mico, ranked 7th on Bugcrowd with a 92.45% submission acceptance rate, had this to say about bug bounty earnings potential:
“A skilled Hunter can easily make anything between $5-$15k a month if they diversify. Meaning that they become active on multiple platforms and work on big targets like Facebook and Google.”
“Start early if you are not a seasoned hunter. This way you are likely to find low hanging fruit that have not been reported yet. If you can’t start early (for example because of your work schedule), still check every program but try to look for more complicated bugs like Logic Flaws, IDOR, RCE and SQL Injection bugs. It’s really surprising how often people look for low hanging fruit and never check the ‘High hanging’ ones.”
Submitting a duplicate of someone else’s submission, or “dupe” as they’re commonly referred to, results in a researcher not receiving a payout. Since bug bounties work on a first-to-find model, most successful researchers have implemented a methodology to decrease the likelihood of submitting a dupe. Each researcher has their own tactics, and our three researchers today shared some of their best practices.
Luke Young has found success targeting programs that may not be as popular with researchers and private programs that invite fewer researchers. He added, “As a result of this, in my entire history on Bugcrowd I’ve had only 8 bugs closed as duplicate. On the other hand, sometimes having a bug closed as duplicate isn’t a big deal: it means you’re already on the right track and just need to work a little faster next time. Just take it in stride and keep hunting!”
Researchers are often encouraged to be creative in their approach. Mico echoes that: “[I try] to think outside the box and find issues that others have missed. Remember, as a bounty hunter you should not follow the application flow, instead, you should try to break it!”
Brett went into further detail:
“For Bugcrowd, I have found that most of the duplicate submissions I have received are from submitting low-hanging vulnerabilities on on-demand programs with 50+ researchers. I’ve found that in on-demand programs, it’s better to hunt for critical issues – unless you want to risk getting duped on most of your submissions. It seems like the first 30-45 minutes of almost every on-demand program is a race to see who can find and submit the most obvious p2-p3 issues as fast as possible.
Another thing I do is look for vulnerabilities in flows that I know scanners aren’t going to get to. I’ve rarely been duped on an XSS that Burp couldn’t find via spider and active scanning. That’s not to say everyone is relying exclusively on Burp or scanning, but they’re spending a lot of time submitting reports for issues that everyone else is also working on.
This isn’t to say you shouldn’t hunt for and report all types of vulnerabilities. You have no way of knowing it’s a dupe until after you’ve reported it. There’s just a high chance that you’re going to get duped if you’re bogged down reporting easily discovered common vulnerabilities.”
Brett went on to discuss how he approaches bounty programs when they first launch, as well as the value of writing high-quality bug submissions. We’ll include this in a follow-up blog post tomorrow.
Bug bounties continue to be a great way for researchers and penetration testers to increase their skills, practice on a wide array of targets, and earn extra income. If you’re interested in learning more, I invite you to read more tips for getting started and to join the #Bugcrowd community on Freenode IRC or tweet at @Bugcrowd on Twitter.