By now there have been a few articles about security researchers who have crossed the million-dollar threshold for rewards obtained in ‘bug bounties’ over the years. Before you give up your day job, it’s important to understand what you’re in for, and why, realistically, very few people even earn more than a pest control worker in Mississippi.
The following is a list, in no particular order, of the issues you run into, both good and bad, taken from my own experience in bug bounties over the preceding eight years, during which I’ve submitted more than 1000 valid vulnerabilities. Without further ado: what’s life like as a crowdsourced hacker?
Finding a critical vulnerability - You got system access and you own the whole site. It took you all of 20 minutes and you got a nice five figure payout. This doesn’t happen often, but these highs are what keep you going through all the mud in the trenches.
Finding a duplicate - So you just found a vulnerability and you’ve logged it but someone’s found it before you. This is one of the recurring frustrations in bug bounties – by virtue of the fact that other people are looking at the same stuff as you, not only do they have the audacity to find the same vulnerabilities as you, but they can also find them before you.
The Synack ‘24 hour rule’ - This deserves a special mention here. Bizarrely, it doesn’t reward the first person to find the vulnerability – it rewards the first person to find a vulnerability who also writes a 13-page essay as a proof of concept. So you can’t just write ‘Paste this URL into your browser to see the XSS’; you have to break it down into seven steps (I kid you not) with step one being ‘Open your browser’ (still not kidding). Don’t forget screenshots!
Paltry payouts for company-breaking bugs - ‘You averted the apocalypse. Here’s $100.’ While it is common for smaller companies to be unable to afford big payouts, it’s also commonplace to find companies that should have big payouts but don’t.
Trying to weasel out of payouts but fixing the bug quietly - An infuriating mainstay. You find a vulnerability, the asset is in scope, it’s valid, but the company claims it was a mistake. This will usually enrage you further when you return later and find they went ahead and fixed the bug anyway. As usual, you get extra points here if the bug bounty platform doesn’t back you up, which leads to…
Feeling like cattle - However good you are, you’ll always be an expendable resource. You’re not an employee; you’re participating in an Orwellian version of the gig economy, where you largely work for free.
Not being able to talk publicly about that cool vulnerability you found - Frustrating but understandable. A lot of bug bounties are locked down with NDAs and don’t allow you to talk about vulnerabilities you find to the outside world. Some companies don’t like their technical innards exposed for all to see (even though it shows they have a positive stance on security). You can get around this by talking about the vulnerability anyway and just pretending that no one will know who ‘A leading cloud hosting provider’ is.
Being rewarded with ‘not money’ - You can get rewarded with all sorts of stuff for bug bounties such as (but not limited to): cryptocurrency, stickers, badges, T-shirts, hats, wrestling belts, vouchers of all sorts, sunglasses, frequent flyer miles – you get the picture. This is only a problem if you rely on crowdsourced security for a real income, which you shouldn’t.
Arguing with triage analysts - Sometimes analysts just don’t understand your vulnerabilities. It ranges from the infuriatingly simple (copy and paste this payload) and gets worse the more complex or advanced your vulnerabilities get. CDN cache poisoning? No, not the HTTP cache header, the Content Delivery Network. Not the server cache! Ugh. Forget it.
Website crashes because everyone’s testing at the same time - When bug bounties are launched at a specific time and lots of people log on, chaos ensues.
Getting paid quickly - Unless your vulnerability was found on Synack (who usually pay out within 48 hours), you’re going to wait anywhere from a few weeks to a few months on average to get paid. Sometimes, though, you get your bug triaged, rewarded and paid within a day or two. More often than not:
Growing a beard while you wait for your bug to be triaged and paid - The opposite of the above. This can be a roll of the dice, since a lot of it depends on what platform and customer you’re dealing with, but sometimes you can wait weeks and months for your bug to be triaged, and even longer for it to be rewarded.
If you’re treated unfairly, well, tough - So much stuff falls into this category. Your vulnerability was categorized as low when it’s critical? They didn’t reward you the correct amount? Or nothing at all? Well, tough, you’re working for free most of the time (please refer to ‘feeling like cattle’).
The ‘not a vulnerability’ that is really definitely a vulnerability! - This deserves its own category because there are so many blatant examples. This could also be classed as people weaseling their way out of a payout, but some of the reasons you get for not dealing with a vulnerability are sometimes schizophrenic. ‘The company’s just not worried about that’ - wait, what? I just extracted their database. ‘They don’t see this as an issue’ is also a popular one – I managed to deface an entire site with CDN cache poisoning and got the equivalent of a shoulder shrug.
Poking around the world’s biggest companies and applications - A definite plus. Being able to poke around the world’s biggest applications and companies is awesome (so is not getting sued). It’s even more interesting when you get to see preview or beta features that aren’t in public release yet.
Hopefully that gives you a taste – sure, it’s tough sometimes, it’s also unfair and you’re not given any favors – exactly like real life. If you go into it with the right mindset, then you’ll find some enjoyment. What am I saying? Run for the hills. You’re just being exploited!