Meet the bug bounty hunters making cash by finding flaws before bad guys

Bug bounty using computer
Many security researchers make a living with security companies, but not everyone likes the rigidity of a corporate environment. Some work on a freelance basis. Like vigilante outlaws, they dig up bugs and exploits in some of the world’s most popular platforms, hoping to gain a reward for their efforts.

Offering a bug bounty is one of the best ways for software companies to find problems with their applications and services before they can be exploited. Offering a reward means those who find a flaw may opt to cash in, instead of selling it to those who would use it for nefarious purposes.

Companies can offer tens, or even hundreds, of thousands for specific exploits, but it’s not easy money. Bug bounty hunters must be an expert in all manner of security features and exploit mechanics. They must replicate the bugs and document them, communicating that information to the relevant company. And – most important of all – they must be first.

Profile of a bug bounty hunter

Markus Fenske is a 28-year-old penetration tester and sugar wax trader. That may seem like a surprising combination of roles, but as a fan of Tim Ferris’ “4-hour Workweek” book and outlook, he operates a business that generates a nice passive income for him while he indulges his greater passion — bug bounty hunting.

Bug bounty using mac

“I was always interested in hacking. I remember wanting to become a hacker from a very early age,” he told Digital Trends. “I read the – somewhat outdated – How to become a hacker HOWTO of the Chaos Computer Club when I was 10 years old.”

“I found one of my first bugs around four years later. It was a sci-fi based browser game where you could build space ships and attack other players to loot their resources. I noticed a cross-site scripting issue in the internal messaging system, so I quickly crafted a Javascript worm. If you’d open the message, it would execute a script that renamed all your planets to “Vollpfosten” (roughly translates to “fuck muppet”), forward the message with the code to all neighboring planets, and delete itself. The admin was not amused.”

Netscape was among the first to encourage employees to find problems with its software and offer monetary rewards to them.

During that era of software development, bounties didn’t exist like they do today. Netscape was among the first to encourage employees to find problems with its software, and began offering monetary rewards to them, and external testers, in 1995. Although the effort was a success, it took years for the idea to catch on with other companies. Many companies were skeptical about encouraging outsiders to look for flaws.

“[Finding bugs] wasn’t always well received,” Menske told us. “Some thanked me for helping to improve the software, but others just had their legal department send me letters, which scared my parents.”

It took Fenske many years to earn his first bug bounty payout. He discovered an exploit in the Github Enterprise management console in January 2017, which netted him $18,000, and a spot on the company’s hall of fame. While Fenske’s business allowed him the chance to pursue bug bounties for income, the long road to his first big win shows how difficult the profession can be.

Everyone starts young

Uranium238 was just 17 when they received $10,000 for their discovery of a flaw in Uber’s internal email system. This early payout certainly helped pave the way for their career in bug bounties. Yet Uranium insists the interest in hunting bugs comes from the same place as their elder colleague. Curiosity.

uber jobs wages png

“I wanted to test out applications. I would see a weird response and think to myself, ‘what if I change this to that?'”

They take their role as a bug bounty hunter seriously, and see it as a great responsibility. By discovering a major flaw in a system, Uranium feels they have a duty to report the problem, rather than put the security of users at risk.

“You need to make sure that if you find something severe, you report it right away, rather than exploiting it,” they told Digital Trends.

That responsibility is reinforced by Uranium’s profession. Even at such a tender age, they are employed as a security analyst. This, they believe, gives them a unique perspective on the industry, because it allows them to see how each side of the bug bounty system operates.

“The way I do bug bounty hunting is, in my opinion, is different in comparison to others because I am on the both sides. If a company does not respond in two to five days, I do not ask for updates. I usually wait for 20 days or so, and then ask if they need any help or have any questions for me.”

Easy bugs often don’t offer the same rewards as deeper, more complex flaws.

While bug bounty hunting is important to Uranium, they claim to have little interest in low-hanging fruit. Easy bugs often don’t offer the same rewards as deeper, more complex flaws. And, just as importantly, they don’t offer the same sense of pride.

“I do not go after just simple XSS (cross site scripting) or CSRFs (cross-site request forgery). My goal is to find at least one or two critical bug in a program that I am hacking. Thinking out of the box is key for me.”

Creative thinking is a crucial skill for any hunter. Those who choose this profession must learn to make leaps of thought that the original developers didn’t. A breakthrough doesn’t always rely on finding a convoluted oversight in code. Instead, it can be as simple as not assuming developers would avoid using their own personal email address during the creation of software services. Finding a loophole like that requires imagination, and demands that a hunter constantly re-evaluating the assumptions they’ve made about the software they’re trying to exploit.

No easy money

The payout figures for bounties appear incredible, and sometimes, they are earned. Bounties of more than $100,000 for a single bug do occasionally happen. Major bounty projects like HackerOne, which is supported by Facebook, Microsoft, and Google, pay out millions each year.

Even so, most bounty hunters do it as a hobby, or as part time work. Finding a $100,000 bounty is a bit like winning the lottery. It could happen, but it probably won’t, and it’s nearly impossible for hunters to plan on such a discovery.

For Uranium, bug hunting supplements and supports their day job as a security analyst. Menske, meanwhile, believes it’s impossible to earn the money he’d need to make it a full-time job without more direct access to low-level code.

“Most bug bounty hunting is black box testing. You don’t get the source code,” he told us. “That’s bad for me, because instead of just reading the code and spotting the bug you have to do many educated guesses and waste your time on trying things. It’s also bad for the client, because they can’t be sure that the bugs will be found.”

He even suggested that, for a lot of companies, bug bounties aren’t even about making their software as secure as possible.

“I think it’s mainly an insurance for them, that if someone finds a bug, the finder will go the easy and legal way and claim a bug bounty instead exploiting the vulnerability.”

As for the elusive full-time bug bounty hunter, Menske has yet to hear of one himself. It’s possible, he said, that with ever increasing financial incentives for the discovery of exploits, that it might be possible to make a living off of them. However, the lack of guarantee a hunter will ever find the critical bugs that would deliver big, life changing reward money, means that most white hat hackers stick to more stable security jobs. It’s enticing to imagine a band of digital bounty hunters finding clever exploits from the back of a coffee shop, but even hackers have bills to pay.

Movies & TV

You should read these epic sci-fi novels before they become blockbuster films

You can get ahead of the next crop of science-fiction movies coming out of Hollywood by picking up the books that inspired them. We compiled a list of books you can add to your reading list now to get a glimpse of the future.
Computing

Enjoy Windows on a Chromebook with these great tips and tricks

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so in case you're looking to nab some Windows-only software.
Mobile

Need a date for Valentine's Day? Cozy up with the best dating apps of 2019

Everyone knows online dating can be stressful, time-consuming, and downright awful. Check out our top picks for the best dating apps, so you can streamline the process and find the right date, whatever you're looking for.
Movies & TV

The best movies on Amazon Prime right now (February 2019)

Prime Video provides subscribers with access to a host of fantastic films, but sorting through the catalog can be an undertaking. Luckily, we've done the work for you. Here are the best movies on Amazon Prime Video right now.
Computing

Think crypto’s dead? JPMorgan to offer first cryptocurrency backed by a U.S. bank

J.P. Morgan Chase is making history by rolling out a trial, over the next few months, of the first cryptocurrency, dubbed JPM Coin, which is backed by a large United States bank.
Computing

Opera web browser targets enhanced accessibility with major redesign

The browser wars are heating up. In the latest move for Opera, a new development release pushes it even closer to Chrome with a redesign and overall goal of redefining the modern web browser. 
Computing

Breaking: Amazon won’t build headquarters in New York in face of opposition

Amazon has canceled plans for a New York City headquarters afer citizens, civic groups, and politicians pushed back on Governor Andrew Cuomo and New York City Mayor Bill de Blasio's exclamation of economic joy over Amazon's earlier…
Computing

DLSS is finally arriving in games, but how does Nvidia's super-sampling actually work?

Nvidia's new DLSS technology is exciting, but what is it and how does it work? It's not quite anti-aliasing and it's not quite super sampling. It's a little bit of both and the end results can be impressive.
Computing

A new Mac Pro is supposedly coming in 2019, but what will it be like?

Our Mac Pro 2019 rumor roundup covers all the top news, leaks, and rumors about the new Mac Pro set to be announced sometime in 2019. Here's what Apple has said, what the experts think, and what's likely to show up with the new Mac Pro.
Gaming

Take to the virtual skies with these free flight simulators

You don't have to spend the entirety of your paycheck to become a virtual ace, at least when it comes to flight simulation. Our list of the best free flight simulators will let you unleash your inner Maverick.
Gaming

Wage war on a budget with these fun and free first-person shooters

We all know about Halo and Call of Duty by now, but what about quality titles that won't cost you upward of $60? Check out our picks for the best free first-person shooter games from Paladins to Quake Champions.
Computing

Switch your WMA files for MP3s with our quick conversion tips

The WMA codec may be great when it comes to multi-channel surround sound, but unfortunately, it falters in terms of compatibility. Check out our guide on how to convert WMA files to MP3 via web-based or desktop methods.
Computing

Looking for a new laptop? These 5 notebooks are on sale through Presidents’ Day

If you're ready to ditch your aging notebook, you can score some fantastic Presidents' Day savings right now on Microsoft's Surface Pro 6, Dell's XPS 13, HP's Spectre x360, Lenovo's Yoga C930, and Dell's G5 15 Gaming laptops.
Virtual Reality

Getting into VR is spendy. Which headset is truly worth your hard-earned cash?

Virtual reality has finally gone mainstream, but how do you find the best VR headset for you? Check out a few of our favorites, whether you want the best of the best or a budget alternative for your mobile device.