A freelance white hacker can make $ 200 in 5 minutes, but don’t rush to break everything right away. We will show you how to do it legally with Bug Bounty programs.
Ethical hacking is the bottom line in cybersecurity . Today we will tell you how white hackers can make money hunting for vulnerabilities of world-famous companies.
Bug Bounty is a reward program in which researchers (hackers) look for gaps in a company’s digital security. When a customer decides to use the services of burglars, a special document is developed – the Bug Bounty program. Sometimes it is sewn into other security documents. It describes the conditions, taking into account which you can go in search of bugs.
If the hacker first finds the problem and sends a clear and well-formed report, he is rewarded. Rewards are not always money, so read the policies (programs) carefully if you plan to make money in this way. In Bug Bounty, hackers go for more than material rewards. Some seek experience, earn reputations, and tackle exciting challenges with the services and products that interest them the most.
Sometimes companies publish gratitude to specific researchers (hackers) in their programs, which can also be a reward format or a nice addition to money. As an example: Discord and Netflix .
In turn, for companies, Bug Bounty is a chance to avoid multi-million dollar costs and reputational damage in the event of a real hack.
Important! Don’t confuse Bug Bounty with Penetration Testing. In the second case, a contract is concluded with a knowingly qualified employee who has clear deadlines. Payment is made for time, not for finding vulnerabilities.
Bug Bounty Programs
Programs can be public or private. The former are available to everyone, although sometimes you can stumble upon the requirements for experience and previous results. The company itself selects suitable specialists for private programs. If you were invited to a private program, the number of competitors is significantly less, and therefore the chances of earning are higher.
Customers usually start with private programs. When they are already able to process a large number of reports, some go to the public format. In turn, hackers who had no experience with Bug Bounty start with public programs to build a portfolio and build a good reputation.
Programs are hosted on customers’ own websites and in special platforms (more about them below). Many companies create such programs, so if you want to investigate a specific organization, you should look for information about Bug Bounty in its security documentation.
Platforms For Interaction Between Hackers And Companies
To make it easier for companies to find researchers, and for researchers to find Bug Bounty programs of interest, there are many special platforms. There communication takes place, there hackers send reports, and companies pay through these reward systems.
1. HackerOne is a startup that was one of the first to promote the topic of crowdsourced security. It is now one of the most popular platforms for Bug Bounty programs. To take part in the search for bugs, you just need to register. There is free training for beginners .
You need good metrics to be invited to attractive private programs. In HackerOne, such an indicator is reputation, which is awarded in the format of points, depending on the amount of the reward and the severity of the vulnerability. At the same time, your reputation can be diminished if you send bad reports or spam.
In the “Hacktivity” section , you can examine the latest vulnerabilities found. The company profiles also have a “Thanks” section – something like a board of honor.
You can learn more about all the nuances of work from the documentation . The HackerOne platform itself can also be checked for vulnerabilities: it has a profile on the site.
2. Bugcrowd is a fairly popular platform that is used by a number of well-known companies. They have a taxonomy of vulnerability severity, by which hackers are judged and rewarded. Companies do not need to separately specify in policies which vulnerabilities belong to which severity level.
Educational programs here are more likely for those who already have a base in cybersecurity. They introduce hackers to the peculiarities of working with Bug Bounty. Lessons consist of videos, presentations and laboratories for remote sensing.
In the organization profiles there is a section with announcements (“announcements”), where updates on various issues are published. Those hackers who have submitted at least one relevant report on this program are published in the “Hall of fame” section.
They give points for good reports. There are also badges for achievements, just like in the game.
Badges are earned by tier, with the accumulation of the number of reports sent and vulnerabilities found.
Detailed information on using the Bugcrowd platform can be found here .
3. Synack is a platform that automates the search for exploited vulnerabilities for subsequent investigation by freelance hackers. Unlike previous platforms, hackers are carefully screened here. Only 10% of candidates end up in the Red Team. Read more about the selection process . And they also have a cutie – a small guide for close people of ethical hackers.
4. Intigriti is a European platform. Before registering an account, it is better to carefully read its terms . As for training, the creators of the platform offer to watch a course of animated videos about various vulnerabilities, as well as a guide to writing reports and a selection of hacking tools. The researchers with the best results are published in the leaderboard.
There are many adequate platforms with different conditions. Other options are not difficult on the Reddit community and on GitHub , but the most famous companies publish their programs on HackerOne and Bugcrowd .
What Are The Conditions?
In their Bug Bounty programs, most companies indicate:
- Where to look for vulnerabilities: web application, mobile application, specific domains, etc.;
- Amount and terms of remuneration;
- Requirements for a specialist;
- Issues of disclosing vulnerabilities in the public domain;
- Attacks can only be carried out on accounts you own;
- According to your report, security analysts of a particular company should be able to reproduce the vulnerabilities found;
- Known bugs to minimize repetitions;
- Section safe harbor (legal haven) – conditions for protection from liability for violation of the law;
- Companies are primarily interested in the security of their users’ data. For finding vulnerabilities that can be used to gain access to personal data – the highest reward;
- Social engineering is prohibited.
Examples Of Bug Bounty Conditions From Well-Known Companies
The problem should be found on the latest released software versions. If Apple was not aware of the issue found, then an additional 50% of the specified reward can be earned. The categories have been identified where you can look for vulnerabilities, but it is noted that if a bug is found elsewhere and it significantly threatens users, the hacker will also be paid. Remuneration: from $ 5000 to 1 million
Telegram used to run contests for hacking, but the service also has a Bug Bounty program. If you find vulnerabilities in an application or protocol that entail changes in the code, the service will pay from $ 500 to $ 100,000 and even more.
They have a private program, but you can research and send reports that will be approved or not. It is forbidden to use automated scanning tools and test DoS attacks.
Indicates the specifics of testing different products. Payment up to $ 15,000. You cannot send questions about found vulnerabilities to the support service. This interrupts work.
Only interested in finding vulnerabilities on app.clickup.com. There user data. Relevant and irrelevant vulnerabilities are marked on the list. The reward can only be obtained if you are not from countries that are subject to US sanctions. For the money $ 25-250.
What To Expect From Bug Bounty
- You should have at least a basic cybersecurity base to get started , but even if you’re a beginner, many platforms offer free training materials.
- This is not at all the same as penetration testing. Even if you are already an experienced hacker, you still have to learn a little more.
- It is remote and flexible work.
- For most researchers, this is a hobby and additional income. Only 20% of hackers work full time .
- You may be left without reward. Only the first person to find the bug is paid. If you worked on a vulnerability for a couple of weeks, but a competitor uploaded the report earlier, you will not receive money.
- To be a successful researcher, focus on only a few programs (companies). This way you will be able to find more serious vulnerabilities.
- High-quality reports are very important because you sell your work through them. It depends on the report whether you get paid and how much.
- Read the companies’ Bug Bounty programs carefully if you do not want to become involved in a criminal case!
If you want to improve the skills of such earnings, you can enroll in the Bug Bounty training course of Valeurbit Infosec. In addition to other aspects of cybersecurity, the course program includes a detailed study of the Bug Bounty programs. Among the teachers – an experienced practitioner in the hunt for vulnerabilities.