Skip to main content

Meet the bug bounty hunters making cash by finding flaws before bad guys

Many security researchers make a living with security companies, but not everyone likes the rigidity of a corporate environment. Some work on a freelance basis. Like vigilante outlaws, they dig up bugs and exploits in some of the world’s most popular platforms, hoping to gain a reward for their efforts.

Offering a bug bounty is one of the best ways for software companies to find problems with their applications and services before they can be exploited. Offering a reward means those who find a flaw may opt to cash in, instead of selling it to those who would use it for nefarious purposes.

Companies can offer tens, or even hundreds, of thousands for specific exploits, but it’s not easy money. Bug bounty hunters must be an expert in all manner of security features and exploit mechanics. They must replicate the bugs and document them, communicating that information to the relevant company. And – most important of all – they must be first.

Profile of a bug bounty hunter

Markus Fenske is a 28-year-old penetration tester and sugar wax trader. That may seem like a surprising combination of roles, but as a fan of Tim Ferris’ “4-hour Workweek” book and outlook, he operates a business that generates a nice passive income for him while he indulges his greater passion — bug bounty hunting.

Bug bounty using mac
Image used with permission by copyright holder

“I was always interested in hacking. I remember wanting to become a hacker from a very early age,” he told Digital Trends. “I read the – somewhat outdated – How to become a hacker HOWTO of the Chaos Computer Club when I was 10 years old.”

“I found one of my first bugs around four years later. It was a sci-fi based browser game where you could build space ships and attack other players to loot their resources. I noticed a cross-site scripting issue in the internal messaging system, so I quickly crafted a Javascript worm. If you’d open the message, it would execute a script that renamed all your planets to “Vollpfosten” (roughly translates to “fuck muppet”), forward the message with the code to all neighboring planets, and delete itself. The admin was not amused.”

Netscape was among the first to encourage employees to find problems with its software and offer monetary rewards to them.

During that era of software development, bounties didn’t exist like they do today. Netscape was among the first to encourage employees to find problems with its software, and began offering monetary rewards to them, and external testers, in 1995. Although the effort was a success, it took years for the idea to catch on with other companies. Many companies were skeptical about encouraging outsiders to look for flaws.

“[Finding bugs] wasn’t always well received,” Menske told us. “Some thanked me for helping to improve the software, but others just had their legal department send me letters, which scared my parents.”

It took Fenske many years to earn his first bug bounty payout. He discovered an exploit in the Github Enterprise management console in January 2017, which netted him $18,000, and a spot on the company’s hall of fame. While Fenske’s business allowed him the chance to pursue bug bounties for income, the long road to his first big win shows how difficult the profession can be.

Everyone starts young

Uranium238 was just 17 when they received $10,000 for their discovery of a flaw in Uber’s internal email system. This early payout certainly helped pave the way for their career in bug bounties. Yet Uranium insists the interest in hunting bugs comes from the same place as their elder colleague. Curiosity.

Image used with permission by copyright holder

“I wanted to test out applications. I would see a weird response and think to myself, ‘what if I change this to that?'”

They take their role as a bug bounty hunter seriously, and see it as a great responsibility. By discovering a major flaw in a system, Uranium feels they have a duty to report the problem, rather than put the security of users at risk.

“You need to make sure that if you find something severe, you report it right away, rather than exploiting it,” they told Digital Trends.

That responsibility is reinforced by Uranium’s profession. Even at such a tender age, they are employed as a security analyst. This, they believe, gives them a unique perspective on the industry, because it allows them to see how each side of the bug bounty system operates.

“The way I do bug bounty hunting is, in my opinion, is different in comparison to others because I am on the both sides. If a company does not respond in two to five days, I do not ask for updates. I usually wait for 20 days or so, and then ask if they need any help or have any questions for me.”

Easy bugs often don’t offer the same rewards as deeper, more complex flaws.

While bug bounty hunting is important to Uranium, they claim to have little interest in low-hanging fruit. Easy bugs often don’t offer the same rewards as deeper, more complex flaws. And, just as importantly, they don’t offer the same sense of pride.

“I do not go after just simple XSS (cross site scripting) or CSRFs (cross-site request forgery). My goal is to find at least one or two critical bug in a program that I am hacking. Thinking out of the box is key for me.”

Creative thinking is a crucial skill for any hunter. Those who choose this profession must learn to make leaps of thought that the original developers didn’t. A breakthrough doesn’t always rely on finding a convoluted oversight in code. Instead, it can be as simple as not assuming developers would avoid using their own personal email address during the creation of software services. Finding a loophole like that requires imagination, and demands that a hunter constantly re-evaluating the assumptions they’ve made about the software they’re trying to exploit.

No easy money

The payout figures for bounties appear incredible, and sometimes, they are earned. Bounties of more than $100,000 for a single bug do occasionally happen. Major bounty projects like HackerOne, which is supported by Facebook, Microsoft, and Google, pay out millions each year.

Even so, most bounty hunters do it as a hobby, or as part time work. Finding a $100,000 bounty is a bit like winning the lottery. It could happen, but it probably won’t, and it’s nearly impossible for hunters to plan on such a discovery.

For Uranium, bug hunting supplements and supports their day job as a security analyst. Menske, meanwhile, believes it’s impossible to earn the money he’d need to make it a full-time job without more direct access to low-level code.

“Most bug bounty hunting is black box testing. You don’t get the source code,” he told us. “That’s bad for me, because instead of just reading the code and spotting the bug you have to do many educated guesses and waste your time on trying things. It’s also bad for the client, because they can’t be sure that the bugs will be found.”

He even suggested that, for a lot of companies, bug bounties aren’t even about making their software as secure as possible.

“I think it’s mainly an insurance for them, that if someone finds a bug, the finder will go the easy and legal way and claim a bug bounty instead exploiting the vulnerability.”

As for the elusive full-time bug bounty hunter, Menske has yet to hear of one himself. It’s possible, he said, that with ever increasing financial incentives for the discovery of exploits, that it might be possible to make a living off of them. However, the lack of guarantee a hunter will ever find the critical bugs that would deliver big, life changing reward money, means that most white hat hackers stick to more stable security jobs. It’s enticing to imagine a band of digital bounty hunters finding clever exploits from the back of a coffee shop, but even hackers have bills to pay.

Jon Martindale
Jon Martindale is a freelance evergreen writer and occasional section coordinator, covering how to guides, best-of lists, and…
Apple loses AI whiz to Meta with an offer that will make your eyes water
Meta AI widget on Home Screen.

It was just last month that OpenAI boss Sam Altman claimed that Meta had been trying to poach his top AI engineers by offering hiring bonuses of as much as $100 million.

There was renewed interest in the matter earlier this week when it emerged that Ruoming Pang, an esteemed AI engineer who oversaw Apple’s AI models, had jumped ship to Meta.

Read more
I found the best Prime Day deal on a tablet hidden beyond Amazon
Microsoft Surface Pro 12-inch, stylus, and keyboard.

A good tablet can take your productivity to the next level, but a boring one will find a niche use and eat dust on a table or couch for most of its time. I love iPads and have been pushing them – as far as I can — to act as my primary computing machine for nearly half a decade now. It has never managed to replace a proper laptop, like a MacBook Air or a Windows machine. 

Why not buy a Windows laptop, you might ask? Well, Windows-powered tablets, especially those Surface devices sold by Microsoft, are pretty expensive. I love the new 12-inch Surface Pro, but at $799, it felt like a steep purchase despite its impressive specifications. 

Read more
Prime Day is over, but this powerful Dell laptop is still at its lowest price
The Dell Vostro 3530 laptop on a white background.

Prime Day is already over, but that doesn't mean that there are no more laptop deals for you to shop on Amazon. Here's one that caught our eye -- the Dell Vostro 3530 with 32GB of RAM for its lowest-ever price of $649, following a 28% discount on its original price of $899. This limited-time offer of $250 off may not last much longer though, so if you want to take advantage of this bargain, we highly recommend that you finalize your purchase for this device as soon as you can.

Buy Now

Read more