Last year, Forbes mentioned that bug bounty hunting is the career of the future. To support that, they interviewed an Argentinian guy who is part of H1's millionaire club.
But is it true? Scarlett, are bug bounty hunters millionaires who eat avocado and add cheese to their quesadillas?
This is one of the most common questions that I receive every day. And my usual answers are «it depends» and «it is relative».
Well, like most trendy topics, bug bounty hunting is not as romantic as you might think. If you search Medium for write-ups, sure, you will see a lot of posts about Indian researchers looking for XSS and IDORs, getting a lot of money and saying things like «ohhh bug bounty hunting is the best thing in the world, it changed my life, I bought a new car, thanks [Insert here your favorite BBH platform]». Cool, but... how much is paid for an XSS?
It varies from platform to platform, but usually a classic alert(1) is around $100, maybe $200 if you can show a really great impact.
Ok, Scarlett, I can find 10,000 XSS and get my first million!
Hmm... again, it depends, it is relative.
I mean, I'm not saying it isn't true that you can buy a car using your bounties. But there is a lot of effort behind it. And usually this effort is not shown in the write-ups. Actually, I don't remember reading a write-up from a millionaire bug bounty hunter. To be honest, maybe 90% of the write-ups I have read are so bad; they just explain how someone used XSShunter, Nikto, Nmap, or any other tool to detect a vulnerability, and then copied and pasted a payload in Burp to exploit it.
Ok, it's fine, this is not a post about the differences between bug bounty hunting and real hacking. Using automated tools is ok; but... you won't be a millionaire researcher doing that.
First of all, everyone in the millionaire's club is full time on this. And you need to have a very tough mindset for that. I tried it, and I couldn't. It's so cool when you receive a monthly payment for your work, and also get a bounty in your free time. It doesn't matter if it is a lot or just enough to pay for the tacos; you got extra money, and this is cool... but you don't have anything to worry about.
Yeah... but when you're a full-time bug bounty hunter, this is very different. If you don't find anything, you don't eat, you don't drink (water, not alcohol), no fancy things there. The stress is a lot.
So, are you able to work in this scenario? I'm not. But there are researchers who can; they are the millionaires.
I want to speak about my personal experience, and I want to be very clear on that: this is my personal experience, and there are a lot of different points of view. And I want everyone who reads this to understand that this is not like the UVM TV advertisement where in 3 months you will be an expert with a double degree.
A full-time bug bounty hunter is a strong person. I'm not. I'm not a full-time researcher. Am I a millionaire? No, and I'm far away from that.
But compared with maybe 99% (yeah, 99%) of the people registered on any platform, I think I have very good performance.
99%?... Yes. Why do you think Synack, HackerOne, Intigriti, etc. have a lot of recruitment campaigns? Do you want to be cool like Stök or Nahamsec (cough... cough... Barbie Hacker)?... Yeah, the platforms have problems keeping active researchers looking for vulnerabilities, despite having thousands registered.
At the beginning my income came from juicy bugs, like XSS, IDORs, SQLi... actually, once upon a time I reported an info.php as a configuration management issue, and I got a bounty. But nowadays, all my reports are related to business logic, because I think there aren't duplicates there.
No, I have never gotten an RCE in a bounty 🙁
What happened? I started in bug bounties in 2015. And every Monday I received new targets. New targets with a lot of input validation issues; but now, these are very mature projects where, if you can find a vulnerability, it will be in a new feature, in a new acquisition, or it will be a very complicated vulnerability that currently is not tested by the average researcher.
Also, you need to keep in mind whether you're working on an open platform, on a not-very-open but actually open platform, or working on private bounties. You'll have more chances to get a bounty where there are fewer people working on it than in a public program, like AT&T where you are up against 1000 researchers. 1000? Yeap!... 1000 at least; maybe there are more than that.
And sure, there are researchers getting $10,000 or $20,000 per bug; but scroll up and see the screenshot I posted. The average is between $100 and $500. So, maybe you will get $10,000 once, but most of the time, $100, or a duplicate.