Many security researchers make a living with security companies, but not everyone likes the rigidity of a corporate environment. Some work on a freelance basis. Like vigilante outlaws, they dig up bugs and exploits in some of the world’s most popular platforms, hoping to gain a reward for their efforts.
Offering a bug bounty is one of the best ways for software companies to find problems with their applications and services before they can be exploited. Offering a reward means those who find a flaw may opt to cash in, instead of selling it to those who would use it for nefarious purposes.
Companies can offer tens, or even hundreds, of thousands for specific exploits, but it’s not easy money. Bug bounty hunters must be an expert in all manner of security features and exploit mechanics. They must replicate the bugs and document them, communicating that information to the relevant company. And – most important of all – they must be first.
Profile of a bug bounty hunter
Markus Fenske is a 28-year-old penetration tester and sugar wax trader. That may seem like a surprising combination of roles, but as a fan of Tim Ferris’ “4-hour Workweek” book and outlook, he operates a business that generates a nice passive income for him while he indulges his greater passion — bug bounty hunting.
“I was always interested in hacking. I remember wanting to become a hacker from a very early age,” he told Digital Trends. “I read the – somewhat outdated – How to become a hacker HOWTO of the Chaos Computer Club when I was 10 years old.”
“I found one of my first bugs around four years later. It was a sci-fi based browser game where you could build space ships and attack other players to loot their resources. I noticed a cross-site scripting issue in the internal messaging system, so I quickly crafted a Javascript worm. If you’d open the message, it would execute a script that renamed all your planets to “Vollpfosten” (roughly translates to “fuck muppet”), forward the message with the code to all neighboring planets, and delete itself. The admin was not amused.”
Netscape was among the first to encourage employees to find problems with its software and offer monetary rewards to them.
During that era of software development, bounties didn’t exist like they do today. Netscape was among the first to encourage employees to find problems with its software, and began offering monetary rewards to them, and external testers, in 1995. Although the effort was a success, it took years for the idea to catch on with other companies. Many companies were skeptical about encouraging outsiders to look for flaws.
“[Finding bugs] wasn’t always well received,” Menske told us. “Some thanked me for helping to improve the software, but others just had their legal department send me letters, which scared my parents.”
It took Fenske many years to earn his first bug bounty payout. He discovered an exploit in the Github Enterprise management console in January 2017, which netted him $18,000, and a spot on the company’s hall of fame. While Fenske’s business allowed him the chance to pursue bug bounties for income, the long road to his first big win shows how difficult the profession can be.
Everyone starts young
Uranium238 was just 17 when they received $10,000 for their discovery of a flaw in Uber’s internal email system. This early payout certainly helped pave the way for their career in bug bounties. Yet Uranium insists the interest in hunting bugs comes from the same place as their elder colleague. Curiosity.
“I wanted to test out applications. I would see a weird response and think to myself, ‘what if I change this to that?’”
They take their role as a bug bounty hunter seriously, and see it as a great responsibility. By discovering a major flaw in a system, Uranium feels they have a duty to report the problem, rather than put the security of users at risk.
“You need to make sure that if you find something severe, you report it right away, rather than exploiting it,” they told Digital Trends.
That responsibility is reinforced by Uranium’s profession. Even at such a tender age, they are employed as a security analyst. This, they believe, gives them a unique perspective on the industry, because it allows them to see how each side of the bug bounty system operates.
“The way I do bug bounty hunting is, in my opinion, is different in comparison to others because I am on the both sides. If a company does not respond in two to five days, I do not ask for updates. I usually wait for 20 days or so, and then ask if they need any help or have any questions for me.”
Easy bugs often don’t offer the same rewards as deeper, more complex flaws.
While bug bounty hunting is important to Uranium, they claim to have little interest in low-hanging fruit. Easy bugs often don’t offer the same rewards as deeper, more complex flaws. And, just as importantly, they don’t offer the same sense of pride.
“I do not go after just simple XSS (cross site scripting) or CSRFs (cross-site request forgery). My goal is to find at least one or two critical bug in a program that I am hacking. Thinking out of the box is key for me.”
Creative thinking is a crucial skill for any hunter. Those who choose this profession must learn to make leaps of thought that the original developers didn’t. A breakthrough doesn’t always rely on finding a convoluted oversight in code. Instead, it can be as simple as not assuming developers would avoid using their own personal email address during the creation of software services. Finding a loophole like that requires imagination, and demands that a hunter constantly re-evaluating the assumptions they’ve made about the software they’re trying to exploit.
No easy money
The payout figures for bounties appear incredible, and sometimes, they are earned. Bounties of more than $100,000 for a single bug do occasionally happen. Major bounty projects like HackerOne, which is supported by Facebook, Microsoft, and Google, pay out millions each year.
Even so, most bounty hunters do it as a hobby, or as part time work. Finding a $100,000 bounty is a bit like winning the lottery. It could happen, but it probably won’t, and it’s nearly impossible for hunters to plan on such a discovery.
For Uranium, bug hunting supplements and supports their day job as a security analyst. Menske, meanwhile, believes it’s impossible to earn the money he’d need to make it a full-time job without more direct access to low-level code.
“Most bug bounty hunting is black box testing. You don’t get the source code,” he told us. “That’s bad for me, because instead of just reading the code and spotting the bug you have to do many educated guesses and waste your time on trying things. It’s also bad for the client, because they can’t be sure that the bugs will be found.”
He even suggested that, for a lot of companies, bug bounties aren’t even about making their software as secure as possible.
“I think it’s mainly an insurance for them, that if someone finds a bug, the finder will go the easy and legal way and claim a bug bounty instead exploiting the vulnerability.”
As for the elusive full-time bug bounty hunter, Menske has yet to hear of one himself. It’s possible, he said, that with ever increasing financial incentives for the discovery of exploits, that it might be possible to make a living off of them. However, the lack of guarantee a hunter will ever find the critical bugs that would deliver big, life changing reward money, means that most white hat hackers stick to more stable security jobs. It’s enticing to imagine a band of digital bounty hunters finding clever exploits from the back of a coffee shop, but even hackers have bills to pay.