A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs. Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited.
Bug Bounty as a Career
Mozilla paid out a $3,000 flat-rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012, and Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1. In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.
How does one become a bug bounty hunter?
Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. You can be young or old when you start. You need to keep learning continuously. It’s more fun to learn if you have a buddy to share ideas with. Knowing how to build software gives you direct experience in the field where the bugs you’re going to hunt for are created. Humans make mistakes, and learning how they make these mistakes is key to becoming a skilled bug hunter.
Indian Bug Hunters and their Success Stories
Anand Prakash, who discovered a Facebook bug and informed the company about it, was rewarded $15,000 (approx. Rs 10 lakh) for discovering a vulnerability that could have been disastrous for the Menlo Park-based company. Prakash spends around 2-4 hours a week, mostly on weekends, discovering bugs. He discovered the Facebook bug, for which he won $15,000, in around 20 minutes. According to him, it was “easy to find”. Apart from Facebook, he has also identified bugs for Twitter, Google, RedHat, Adobe, and many other US-based companies, for which he has won rewards at times as well.
After finishing his 12th grade (Science) in Bhagalpur, Bihar, Manish Bhattacharya wanted to join an IIT. But, as luck would have it, his family could not finance his coaching for the engineering entrance exams. After two failed attempts to secure admission at a Government college, he made up his mind to pursue engineering at a tier-3 college in Meerut and took an educational loan to fund his studies. He was still anxious about how he would repay the loan.
He was over the moon when he was rewarded $5,000 by Facebook. Newspapers carried his story and he became a celebrity overnight. He repaid his educational loan with the cash prize.
He made his first million in college and got covered by many national and international newspapers. He is a security consultant in a US-based company and earns in lakhs every month. He also freelances by detecting bugs in various other websites. His current ranking on Google’s Bug-Bounty Programme is 62!
Microsoft pays up to $100,000 for “Novel exploitation techniques against protections built into the latest version of the Windows operating system.” There are also security challenges like Pwn2Own where you can win up to $400,000+.
You can have a look at Bug Bounty resources if you want to get into bug bounty hunting.