Bug Bounties: Can You Really Make Money From Them?

Hacking has evolved. No longer does hacking only encompass the nefarious activities of a bored teenager or a Russian spy. People are hacking for good, or ethical hacking, now. An entire field has developed around ethical hacking — penetration testing or pentesting — which involves hackers being paid to test a company’s cybersecurity defenses. Getting a full-time job as a pentester isn’t easy, nor do many companies have the resources to hire one. The solution? Bug bounties. Bug bounty hunting works a lot like regular bounty hunting, but the targets are software vulnerabilities instead of bail-jumpers. Over the past several years, bug bounties have become popular. They’ve also made some ethical hackers rich. How exactly do bug bounties work and can you make any decent money from them? When a company wants to test the security of their software or other digital assets, they can set up a bug bounty program. The company asks ethical hackers or security researchers to try and hack into their systems, looking for any gaps or vulnerabilities. In return for finding and submitting a vulnerability, the company rewards the bug bounty hunter either monetarily or with free products, recognition, or some other prize. Bug bounty programs can be either internal or crowd-sourced. Companies can host their own program, where they recruit security researchers to test their software. With a crowd-sourced bug bounty, a company posts their bounty on a platform, such as HackerOne, where members of the platform can attempt it. Bug bounty programs and platforms have become popular because they allow white-hat hackers and pentesters to improve their skills and get paid for it. Even if a bug bounty hunter doesn’t succeed at finding a vulnerability, they’ve still gained valuable experience that they can later apply to their job search in cybersecurity. Bug bounties benefit companies as well because they identify security issues that in-house teams might not catch. And the more people who vet software or digital assets, the more secure they will be. You can search for bug bounty programs hosted by companies or join a platform for crowd-sourced bug bounties. Joining a platform is probably the easiest way to find bug bounties, as they’ve already been searched out and vetted. Some platforms also host bug bounty programs, where security researchers submit results and are paid through the platform. The most popular bug bounty platforms currently are: With some platforms, you have to apply and demonstrate your expertise before you’re accepted. Others award you points for submitting vulnerability reports, and you convert the points into cash payouts. The big question is: how lucrative is bug bounty hunting? There are successful bug bounty hunters, according to HackerOne . On the HackerOne platform alone, the number of resolved vulnerabilities doubled between 2019 and 2020, and $44.75 million in bounties has been awarded to hackers across the globe. At least nine individuals have made $1 million or more on the platform since its founding. The average bounty paid for critical vulnerabilities reached $3,650 in 2020. So yes, you can make money from bounty hunting, but it may not become your new full-time job right away. Also, as it’s become more popular, bug bounty hunting has become more difficult. The more people find vulnerabilities in large companies, the fewer vulnerabilities there are left. Only the most difficult bugs, which require more advanced skills to crack, will be available. Even so, working on bug bounties may not give you the financial payout you’re looking for, but it definitely gives you a chance to work on important job skills for the cyber security sector. To be a successful bug bounty hunter, you need more than just hacking skills. You also need organizational skills, and should be prepared to teach yourself what you need to know. Many bug hunters started out with only basic knowledge and worked their way up to full-time bug bounty hunting. Participating in the ethical hacking community is also part of a bug bounty hunter’s success. Collaboration, both assisting others and receiving help, is fundamental to being a bug hunter. If you’re excited by hacking, want to improve your skills, and don’t mind earning some money in the process, then participating in bug bounties is a great use of your time.