Recently I was interacting with some young infosec enthusiasts. They were asking me many questions, but there was one common question that the majority of them asked: "What is bug bounty? Is it a good career option? How can I learn bug bounty?" along with a lot of related questions. So today in this blog I will share all the information you need to know about bug bounty, or bug hunting.
So first things first: "What is bug bounty?"
Bug bounty programs are crowdsourcing initiatives run by many businesses and organizations to reward individual security professionals and researchers who report bugs and vulnerabilities in their IT environment (web apps, mobile apps, networks, systems, etc.).
Bug bounty programs are often started to support the organization's internal security team as part of its vulnerability management program.
With bug bounty programs, some companies are also looking for cheap or free labor to test their web/app platforms.
The second thing is: "What skill sets are required to become a bug hunter?"
You need to have a sound understanding of the core concepts of penetration testing, such as reconnaissance, fingerprinting, scanning, enumeration, exploitation, etc.
Along with that, you need to have a sound understanding of web/mobile application architecture, application vulnerabilities and exploitation techniques, the OWASP Top 10, the SANS Top 25, etc.
You must also have sound knowledge of programming concepts and at least one programming language.
How much money can bug hunters make?
People are very interested in bug bounty because most of them think they can make a handsome amount of money while sitting at home.
The bounty amount depends completely on the company. Some companies will pay you thousands of dollars, some will give you t-shirts and goodies, some will just write you a thank-you email, and some won't even do that.
But some big companies like Google, Facebook and Mozilla pay a really good bounty amount if the bug/vulnerability fits their criteria.
For example, Mozilla pays between $3000 and $7500 per bug, while Facebook starts at $500 and can go up to $50,000. Google can give you up to $100,000 and sometimes even more, depending on the criticality of the vulnerability.
What are some good bug bounty platforms?
There are many of them, but some of the best known are:
A lot of other platforms are also available; just google it.
What are the key things one should keep in mind while doing bug hunting?
Always read the terms and conditions of a bug bounty program before hitting the application for bugs. Sometimes you may perform activities that are prohibited by the bug bounty organizer, and this may lead to legal trouble. I am sure you don't want any legal trouble, so do read the terms and conditions before doing anything.
If you have discovered a bug or vulnerability, report it as per the program's policies, and don't disclose it publicly or write a blog about it until the respective organization or company has allowed you to.
Don't expect anything after reporting a vulnerability. You may or may not get a bounty or reward, but that does not mean you should perform any illegitimate activities.
Only invest your time in bug hunting when your sole motive is learning. If you are doing it to make money, then don't, because you will not get paid every time. Sometimes you will report bugs that the internal security team of the respective organization won't be able to reproduce. Sometimes your reported bug will be a duplicate.
Can bug hunting be a good career option?
Some people will show you figures such as Google paying $10 million in bounties last year, Facebook paying $7 million, and many other numbers, but the fact is that you will not get paid every time. Sometimes you can make thousands of dollars, and sometimes you will end up making nothing.
You will not get paid for the time you invest; you will get paid for the bug you have found, and the bounty amount is decided by the criticality of the bug.
So some days it will be $1000 and some days just $50 or just a t-shirt. It all depends on your luck.
So the better option is to get a full-time job and do bug hunting in your free time to learn and make some extra money.
I hope I have answered all of your questions. If I have missed anything, feel free to comment your questions below, and our team will try its best to answer all of them.
I wish you all the best and happy learning.