Nicole Kow

CodeSubmit Team

An Introduction to Bug Bounty Hunting

From Microsoft to Dyson to Tesla to Bumble, almost every company in the world relies on computing technology to deliver its goods and services.

This reliance also means that companies face the threat of being hacked and having their funds stolen, networks held for ransom, or sensitive data leaked or sold. In the series of cyberattacks on hospitals during the pandemic in 2020 and the Colonial Pipeline ransomware attack in 2021, we witnessed the havoc these hackers can wreak offline.

As society creates and participates in new technologies online, and especially with the rise of cryptocurrency and smart contracts, there’s a real risk of users falling prey to hacks that result in the loss of substantial amounts of wealth – often in the blink of an eye.

This is why companies across all industries invest heavily in their cybersecurity, and that includes launching bug bounty programs, to help speed up the discovery of vulnerabilities in their systems. Today, most companies with a bug bounty program offer financial rewards to white hat hackers who successfully discover and report these vulnerabilities.

What Does a Bug Bounty Program Look Like?

Through bug bounty programs, security researchers and white hat hackers are welcome to legally poke and prod at various apps, platforms, and services within a set scope. If a vulnerability is found and its impact falls within the scope of the program, researchers should submit a bug report through the relevant channels. Once the company has verified the threat and its impact, researchers will be paid out within the stipulated timeframe.

With bug bounty programs, these are the details that are often provided:

  • Targets in scope / Focus Areas - Every program will specify the assets the company would like investigated, the relevant links, and share instructions to log in, if relevant.
  • Targets out of scope - More importantly, bug bounty programs will clearly state areas of the product that are not to be investigated, and investigating these assets is illegal. It is also worth noting that hackers and security researchers should not attempt to access, alter, erase, or negatively impact the company, their data, or their users’ data.
  • Rewards and payouts - Companies will also list the range of payouts for valid bugs and, where relevant, also show average payouts for previous bounties. They may also include other rewards, like recognition, for hackers looking to build their reputation.
  • How to report the bug - While most companies operate their bug bounty programs on platforms like BugCrowd or HackerOne, other companies might prefer to manage their own bounty programs in-house. For these companies, there will usually be instructions for security researchers to report a bug.

Public vs. Private Bug Bounty Programs

Public bug bounty programs are accessible to all hackers and security researchers. Public programs may be advertised on bug bounty platforms or on a company’s own website. On the other hand, private bug bounty programs are invite-only, meaning that companies or the platforms they work with invite only a select few bug bounty hunters to investigate their systems and applications.

Companies tend to opt for private programs when they’re seeking confidentiality and prefer to give access only to a select group of trusted and qualified hackers and researchers.

Best Practices for Bug Reporting

A bug report aims to help security engineers quickly understand, validate and assess the reported threat. A clear and concise report can speed up the validation process and help security researchers find out if they qualify for a bounty.

Here’s a general structure of a bug report:

  • Bug Description - Share a clear and concise description of the bug. Then, provide an explanation of how the bug could be replicated in the real world, with steps to reproduce the bug.
  • Impact - Outline the severity of the bug and the areas of the system that could be compromised in the event of an exploitation or attack.
  • Risk Breakdown - Share the likelihood of an exploit and how difficult it is to execute in the real world. Immunefi also asks for the Common Vulnerability Scoring System (CVSS) score of the bug.
  • Recommendations - Offer practical suggestions to address this vulnerability.

Depending on the severity of the bug, you might also need to submit a Proof of Concept (PoC). According to Bug Bounty Guide, PoCs are used to demonstrate the impact of the bug you’ve discovered. A PoC should help companies quickly understand the issue while ensuring that you do not harm any of their users or services in the process.

Here are some tips for writing a good vulnerability report according to bug bounty hunter Farah Hawa, in her video published on Google’s Bug Hunter’s University:

  • The title of your report should be straightforward about the bug discovered.
  • Formatting is important. Keep paragraphs short and use bullet points or lists where possible.
  • Don’t shy away from technical terms. The teams responsible for bug triage are experienced in web security and are familiar with technical terms like "XSS" and "PII". Write with them in mind.
  • Include technical details like URLs and HTTP requests in your reports.
  • Remember to highlight the requirements for an attack or security breach to take place. For example, if multiple users are required to perform a series of actions, or if a mobile number is required to sign up for an account.
  • Do not send a video recording or add unnecessary attachments like PDFs. Keep all the important information in the body of your email.

The Importance of Impact

When searching for bugs and highlighting the impact of these bugs in your report, consider the business you’re working for and what’s important to them, as it differs across companies.

In an interview with YouTuber NetworkChuck, Stök Fredrik, former full-time bounty hunter, emphasized that security researchers need to understand the businesses they work for to better understand the impact of the bug they’ve discovered.

He gave the example of an information disclosure incident occurring at Uber, where Personally Identifiable Information (PII) of drivers has been accessed. He noted that while driver data might not be as interesting, if someone gained access to drivers’ customers’ data, that would be a cause for concern. Uber definitely does not want customer data like their names, credit card details, or home addresses leaked or sold to the highest bidder.

How Much Could You Earn from Bug Bounties?

As a rule of thumb, the more severe the vulnerability or threat level, the higher the financial reward will be.

BugCrowd, one of the oldest bug bounty platforms, created a Vulnerability Rating Taxonomy to categorize common vulnerabilities. Ratings range from P1 to P5, with P1s being the most critical issues and P5s being informational findings that often go unrewarded. At the lower end of the market, rewards for P5s range from $150 to $2000, while at the higher end, rewards for P1s can go up to $20,000 for truly critical vulnerabilities.

Immunefi, on the other hand, is a bug bounty platform created exclusively for Web3 applications that lists bug bounty programs ranging from $1000 up to millions of dollars. In 2022, MakerDAO, the company behind crypto-backed stablecoin DAI, introduced their bug bounty program on Immunefi and announced a whopping $10 million reward for critical vulnerabilities in their smart contracts.

In general, though, HackerOne reported that the median payout for critical bugs increased from $2500 in 2020 to $3000 in 2021 and the payout for medium-severity bugs increased from $450 in 2020 to $500 in 2021. Meanwhile, the average payout for low-severity bugs is $150.

Can Bug Bounty Hunting Replace a Full-time Job?

According to Michael Skelton, a full-time penetration tester who previously earned a substantial amount through bug bounty programs, there are a few factors to consider before arriving at a sensible conclusion.

First, do you have a deep understanding of the internet and the different technologies common in most companies’ tech stacks? Learning all these different technologies and how they work together is time-consuming. Having prior experience and understanding can help quicken the learning process for new technologies.

Second, do you have enough experience as a bug bounty hunter? Seasoned hunters are more likely to be invited to private bug bounty programs, offering them a wider attack surface. With more experience also comes better severity ratings from previous reports and a higher quality of reports written. These in turn also lead to more opportunities to choose from. Building a reputation can take time, but doing so makes it easier to maintain a steady stream of work.

Third, what’s your cost of living, and do you have any responsibilities or commitments? It’s important to consider the financial impact of transitioning into full-time bug bounty hunting. Most bug bounty programs are paid in USD, which could be a substantial amount if you live in a low-cost city or country where the exchange rate is favorable. However, if you live in America and also have a family, relying on bug bounty hunting as your only source of income might be a risky decision.

One last thing to consider is the number of opportunities available in the market today. While there was a 34% increase in customer spend on bug bounty programs between 2020 and 2021, in a 2022 interview, Casey Ellis, CEO of BugCrowd, noted that there are currently more hunters in the market than there are bug bounty programs for hunters to join.

Where to Start?

For "security curious" folks, there are quite a few resources online that can help kickstart your bug bounty hunting journey.

Online courses are a great way to get started, and this blog post would not be complete if I didn’t mention HackerOne’s online course, Hacker101, for beginners. There’s also the Cybersecurity Specialization offered by the University of Maryland on Coursera, which you can join for free. You could also check out Udemy’s wide range of courses on ethical hacking and cybersecurity.

There are also a lot of content creators on YouTube who share their knowledge and experience in hacking and cybersecurity, including NetworkChuck and Stök Fredrik (who also happens to sell sunglasses and beanies).

If you can afford to, attending a hacker conference in person is another good way to learn about the industry and grow your network. Popular conferences include DEF CON in Las Vegas and HacktivityCon by HackerOne. There are also Live Hacking and Capture the Flag events that you can attend in-person or tune in online.

Seriously Though, Start by Having Fun!

For most bug bounty hunters, the excitement and fun of hacking something and breaking the rules is what motivates them to start down this path. Whether you turn this into a full-time career or start bug bounty hunting as a fun side project, it is definitely a challenging and rewarding aspect of software engineering.

Have fun and good luck!

Additional Resources: