Back in the day, curious hackers would report security bugs to companies, only to end up on the wrong side of the law. The world is different now. Most major companies (and even many startups!) operate bug bounty programs, which pay hackers for finding and reporting vulnerabilities in their products without breaking the law.
While this is great news for hackers who want to hack networks and systems and just break stuff, it’s also good news for techies looking for a novel way to make a buck. After all, wouldn’t it be nice to find a bug, make a thousand dollars, and then add it to your resume?
No boss, no freelancing portfolio, just you hacking into computers and making money. Sound interesting? Then keep reading.
Finding profitable bounty programs
Most bug bounty activity occurs on one platform: HackerOne. It’s a great place to start. I made my first $500 USD on this platform after finding a bug in GitHub’s login system. However, being on more platforms gives you more opportunities, so sign up for Bugcrowd and Intigriti as well to maximize your chances of finding a great company that needs bug-squashing.
Some huge companies, like Google, run their own independent bug bounties. They tend to respond much slower, but pay generously. I once found a bug in Chrome where service workers weren’t properly secured in browser extensions. They took months to confirm the bug, and over a year to pay out. But when they finally did pay out, it was worth the wait!
Lastly, you can look for websites that publish a security.txt file. It lets an organization state how it wants to receive security reports, without relying on a bug bounty platform. You can find these files easily with a Google or GitHub dork. For example, here is the file for flowcrypt.com:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Contact: mailto:security@flowcrypt.com
Encryption: https://flowcrypt.com/pub/security@flowcrypt.com?show=pubkey
Preferred-Languages: English
Canonical: https://flowcrypt.com/.well-known/security.txt
Policy: https://flowcrypt.com/docs/technical/bug-bounty.html
-----BEGIN PGP SIGNATURE-----
[armored signature body omitted]
=RKDh
-----END PGP SIGNATURE-----
We see that they’ve even cryptographically signed the file. That signature only tells you something if you verify it against a key you obtained somewhere you already trust; the Encryption field points at a key hosted on the same server, so anyone who could plant a fake security.txt could plant a matching key and sign with it. Without a signature, the only check you have is that the Contact, Canonical and Policy entries all point at the organization itself, since anyone able to write to the webroot could otherwise redirect your reports, and your new exploits, to themselves.
The file lives at the path /.well-known/security.txt (standardized in RFC 9116). More info can be found here: https://securitytxt.org/
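As an added example (not code from the original post or from flowcrypt), here is a small Python parser for security.txt that strips the PGP clearsign wrapper, reads the fields, and flags what a hunter should check before trusting the file: the RFC 9116 required fields (Contact and Expires), single-valued fields that appear twice, an expired file, and Contact entries that are not mailto:, tel: or https: URIs. The sample below is constructed from the fields shown above, with an Expires line added so the date check has something to work on; the signature body is a placeholder, not a real signature.

```python
"""Parse a security.txt (RFC 9116) file and flag what a hunter should check.

Added example; not code from the original post or from flowcrypt. The
sample is constructed from the fields shown in the post, plus an Expires
line. The armored signature body is a placeholder.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a PGP-clearsigned security.txt like the one in the post.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: mailto:security@flowcrypt.com
Encryption: https://flowcrypt.com/pub/security@flowcrypt.com?show=pubkey
Preferred-Languages: English
Canonical: https://flowcrypt.com/.well-known/security.txt
Policy: https://flowcrypt.com/docs/technical/bug-bounty.html
Expires: 2030-01-01T00:00:00.000Z
-----BEGIN PGP SIGNATURE-----
placeholder-signature-body
-----END PGP SIGNATURE-----
"""

REQUIRED = ("Contact", "Expires")            # RFC 9116 MUST fields
SINGLE_VALUED = ("Expires", "Preferred-Languages")
CONTACT_RE = re.compile(r"^(mailto:|tel:|https://)", re.IGNORECASE)


def strip_clearsign(text):
    """Return the signed body if the file is PGP clearsigned, else the text.

    Clearsign layout: armor header, one or more 'Hash:' lines, a blank
    line, the body, then the armored signature block. Body lines that
    start with '-' are dash-escaped as '- -', so undo that too.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    i = 1
    while i < len(lines) and (lines[i].startswith("Hash:") or lines[i] == ""):
        i += 1
    body = []
    for line in lines[i:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}.

    Field names are case-insensitive in RFC 9116, so normalise them.
    Comment lines (#) and anything without a colon are ignored.
    """
    fields = {}
    for line in strip_clearsign(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def audit(fields, now=None):
    """Return the problems a hunter should notice before relying on the file."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for single in SINGLE_VALUED:
        if len(fields.get(single, [])) > 1:
            problems.append(f"{single} must appear only once")
    if "Expires" in fields:
        try:
            # 'Z' is only accepted by fromisoformat from Python 3.11 on.
            exp = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("file has expired; contact data may be stale")
        except ValueError:
            problems.append("Expires is not a valid ISO 8601 timestamp")
    for contact in fields.get("Contact", []):
        if not CONTACT_RE.match(contact):
            problems.append(f"Contact should be a mailto:, tel: or https:// URI, got {contact!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for key, values in parsed.items():
        print(f"{key}: {', '.join(values)}")
    print("problems:", audit(parsed) or "none")
```

The parser deliberately does not verify the signature: that needs gpg and a key you already trust, and, as noted above, verifying against the key the file itself points to proves only that the file is self-consistent. A file that fails the audit (no Expires, an expired date, a Contact that is a bare email address) is worth a second look before you send anything to it.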
Going for the big wins
A lot of less sophisticated groups in underdeveloped countries run operations that automatically scan sites with bug bounty programs. They use basic pentesting tools to find low-impact misconfigurations and other low-hanging fruit, then spam hundreds of thousands of sites with them, sometimes even writing code to generate the reports and email them to security managers.
This can certainly be profitable; they are basically small tech startups employing teams of automation engineers and researchers. However, as an individual bug bounty hunter, this strategy isn’t advisable. For one, most companies find the practice annoying and borderline unethical, and it damages the profession in the long run. Secondly, one person just doesn’t have the resources to build the automation and spamming required to make this work at a profitable scale.
Make money with bug bounties by going for BIG FISH
Instead, you should specialize highly in a very specific kind of bug. If you’re a developer or another kind of techie, lean into that skillset. Your technical expertise will lead you to look in places other hunters have left untouched. In my case, I mastered HTML injection and found tons of these kinds of bugs in major products. Eventually, it morphed into me getting very good at giving weird inputs to find bugs.
Once you find a vuln, don’t just report it right away. Instead, try to chain it with other issues, or escalate any privileges it gives you. See how far it goes, so that when you report it you can demonstrate a higher impact. The more severe the impact of the exploit, the more you get paid. Stop at proof of impact, though: demonstrating that you could read another user’s data is worth money, while actually pulling real customer records out of production is the kind of thing that gets a report rejected and an account banned.
Finally, don’t be too afraid to barter and argue. If the bug bounty program manager lowballs you, retort that the vuln has a big impact. Make it clear that your bug is not trivial and you should be paid well. At the end of the day, each bug you find is your hard work.
Obey ethics before you make money with bug bounties
Bug bounties are not actually as morally complex as you may first think. There are two golden rules that keep you out of trouble.
First, use tools to adhere to scope. Most programs publish a list of sites that are in scope, and usually a list of explicit exclusions. Load both into your tooling so your scanners and proxies refuse to touch anything else; an out-of-scope finding is rarely paid and can be treated as unauthorized testing.
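One way to wire scope into your tooling, as an added example that is not from the original post or from any particular bounty platform: a small Python scope gate that takes a program’s in-scope and out-of-scope host patterns and decides whether a URL may be touched. The patterns and URLs are constructed. It parses the URL with a real URL parser rather than string matching, because a target list taken from a crawler will contain things like https://example.com@evil.tld/, whose host is evil.tld, not example.com.

```python
"""Scope gate for bug-bounty tooling.

Added example, not from the original post. Constructed scope lists in
the style programs publish: '*.example.com' style wildcards, exact
hosts, and an IP literal. Exclusions always win over wildcards.
"""
from urllib.parse import urlsplit

# Constructed program scope (assumptions, not a real program's policy).
IN_SCOPE = ["*.example.com", "app.example.net", "203.0.113.10"]
OUT_OF_SCOPE = ["staging.example.com", "*.corp.example.com"]


def host_matches(pattern, host):
    """Match a hostname against one scope pattern.

    '*.example.com' matches any subdomain at any depth, but not the apex
    'example.com' and not 'notexample.com'. Any other pattern must match
    exactly. Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] is '.example.com'
    return host == pattern


def url_host(url):
    """Return the hostname of a URL, or None if there is no parseable host.

    urlsplit handles userinfo ('user@host'), ports, IPv6 brackets and
    fragments, so 'https://example.com@evil.tld/#x' yields 'evil.tld'.
    """
    return urlsplit(url).hostname


def in_scope(url, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """True only if the URL's host matches an allow pattern and no deny pattern."""
    host = url_host(url)
    if not host:
        return False
    if any(host_matches(p, host) for p in deny):
        return False                        # exclusions beat wildcards
    return any(host_matches(p, host) for p in allow)


def filter_targets(urls, allow=IN_SCOPE, deny=OUT_OF_SCOPE):
    """Split candidate URLs into (allowed, rejected) so rejects can be reviewed."""
    allowed, rejected = [], []
    for url in urls:
        (allowed if in_scope(url, allow, deny) else rejected).append(url)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list, e.g. the output of a subdomain crawler.
    candidates = [
        "https://api.example.com/v1/users",
        "https://a.b.example.com:8443/",
        "https://example.com/",
        "https://staging.example.com/login",
        "https://vpn.corp.example.com/",
        "https://example.com@evil.tld/",
        "http://203.0.113.10/admin",
    ]
    ok, rejected = filter_targets(candidates)
    print("allowed:", *ok, sep="\n  ")
    print("rejected:", *rejected, sep="\n  ")
```

Feed filter_targets the raw output of your recon, and only pass the allowed list on to scanners. Keep the rejected list too: it is worth a quick manual look, because a host that falls outside the wildcard (the apex here) is sometimes in scope under a different rule, and that is a question for the program, not for your scanner.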
Second, social engineering often ruins everything. In a pentest it is merely frowned upon, but most bug bounty programs outright ban any vuln that needs social engineering, and many also downgrade findings that need significant user interaction. Avoid it. If an exploit chain needs some user interaction, reduce it to the minimum and describe exactly what the victim has to do, because triage will judge the impact by that.
These two easy rules can be the difference between a thick payout and wasting hours, days, or even weeks of hard work. This is a job for pros. If you want to stay lax, try a CTF game instead.
Conclusion
Over the 2 months I took off my normal freelancing work to chase bug bounties, I ended up making $7,000 USD. While this isn’t epic for a technical worker, it was a great reward for what was essentially just fun work. One company, Kraken, even paid me in bitcoin after I found a cryptojacking vuln for them. If I kept going, I could have gotten those numbers higher. But instead, I hope you learn these tricks of the trade and make much more than I did. I still regularly participate in bug bounties as a side hustle. It’s a great way to make extra cash while keeping your hacking skills sharp. If you get really serious, there are even teams of pro bounty hunters you can join to maximize your efficiency while you hunt bugs.
It’s a market that’s growing fast, and it won’t be this easy forever. So get your money, and happy hacking!