The year 2020 has affected everyone in one way or another. While some of us have the advantage of working from home, there are individuals like labourers who can hardly find two meals a day. Large-scale industries like the automobile industry have also been badly affected. On the other hand, the IT companies and MNCs have not only managed to survive but have shown a significant rise in their sales and profit. One of the companies that has become popular is Zoom. According to the data provided by Zoom, its revenue for the financial year 2018 was $121.5 million, and in the year 2020 it rose to $622.7 million (till the month of May). Not only the companies, but individuals too have earned some huge profits this year.
Recently I read an article about online hackers and hunters who have earned rewards and prizes in lakhs amid this lockdown. Bhavuk Jain, a guy from Delhi, managed to earn $10,000 from Apple for finding a critical bug in their system. For identifying a bug in Facebook’s social networking platform, a guy from Ahmedabad managed to bag $31,500 as a reward. So a question might arise: who are these hunters and how do they earn by hacking? To find answers, continue reading.
Who are these hackers?
These hackers are called hunters: they find bugs in a system and report the security weakness to the organization that owns it. In return, the organization pays them monetary rewards. Being a bug hunter has its own benefits. They are the ones who disclose their discoveries to a company or organization and get paid a good sum or other rewards. It requires good observation skills, good technical knowledge and good documentation skills to win a bug bounty.
Earlier, hackers used to find a bug and report it in the hope that they could get a lucrative job offer from the company. At that time, an entry in the company’s Hall of Fame was a good enough reward for most hackers. Today, all that bug hunters are looking for is payment in the form of monetary rewards, so they can move on to their next hacking project after completing one. Ever heard of the term “Bug Bounty Program”? Under these programs, organizations and software companies offer deals and rewards to an individual who finds a bug or vulnerability in their systems and reports it to them. Companies and organizations like Microsoft, Google, Facebook, Reddit, etc. have implemented bug bounty programs to discover and resolve the bugs in their systems in order to prevent any unwanted incidents.
Trending platforms for Bug Hunters
Now let us talk about various trending bug bounty platforms that give individuals the opportunity to earn some extra cash. These platforms are not the same as traditional freelancing platforms like Upwork, Fiverr or Freelancer. On the freelancing platforms, you need to bid on projects and write a proposal that can convince the client. One of the most important things that attracts a client and can possibly convince them to give you the project is your profile and ratings. Even after so much procedure, it is not guaranteed that you will be given the project.
On the other hand, the bug bounty platforms are simple. The companies and organizations upload their projects and name the module or the project that needs to be taken care of. Hunters, researchers and hackers can go online, check the project and report the vulnerabilities. Also, multiple researchers can work on one project and vice versa. If your submitted report is valid and credible, then you will be rewarded based on the severity of the bugs. One can say that these bug bounty platforms are open to everyone and any deserving candidate can earn from them. Upwork itself is inviting researchers on the Bugcrowd platform to test its freelancer platform and to ensure that the platform is secure and free of vulnerabilities.
The following are some of the well-known bug bounty platforms:
Bugcrowd is a security platform based in San Francisco. Its business model is completely based on crowd-sourced security and cyber security researchers. This platform works in a simple and straightforward manner.
- The software company or organization uploads their project or module on the Bugcrowd platform and mentions the possible attack surfaces that need to be secured. It is up to the organization whether they keep the program private or open it to the crowd community.
- Once the program is live, the crowd community can uncover the vulnerabilities and can report them.
- Based on the validity and severity of the report, you will be rewarded.
They have different levels to identify the severity of a reported bug: P1 to P4, P1 being the most critical one.
Bugcrowd allows a researcher to collaborate with other researchers to work on a particular project and to report on the platform together. It is fun to keep track of your bug discoveries, and Bugcrowd does this for you: your all-time points and your rank among the other researchers are maintained in your profile. If you are of a competitive nature, you will definitely enjoy this.
HackerOne, a San Francisco based company, has offices in many cities, including London and Singapore, and in the Netherlands. Its hacker community is best in class, with more than 6 lakh hackers registered. The companies or organizations at HackerOne get access to a diverse and talented community of hackers. The U.S. Department of Defense, Google, Intel, Lufthansa, and many other global companies have partnered with HackerOne.
The hackers at HackerOne can gain and maintain status and reputation on the leaderboard. If you manage to crack the leaderboard and be among the top hackers of the community, then you can get opportunities to access confidential targets and get invited to private programs. This can boost your reputation and earn you a good amount of cash.
HackerOne is also known for arranging live hacking events around the world. There are Mentorship Programs at their live events. These events allow new hackers to partner with skilled hackers. You can work hand in hand with the skilled hackers and accelerate your learning and your bug hunting techniques.
Synack, a California based company, is a crowd-sourced security platform. Synack is not as simple as HackerOne or Bugcrowd. You need to follow a procedure and apply to become a part of the Synack community. The Synack community has security researchers from across 82 countries who are part of its Synack Red Team.
At Synack, a hacker or researcher can earn money in two ways. The first is by tracking down a bug or vulnerability and reporting it. The other way is to complete missions and get paid. For this, you need to be a member of the Synack Red Team. You have to apply and clear different rounds to become a member of the Red Team. The very first round is the skills assessment; then you will be invited to an interview. After that, your background check will be done. Only after clearing these rounds can you be a part of the Red Team. They do not accept candidates who have been working for other companies like Bugcrowd, HackerOne, etc. You can see this list in Synack’s own policy.
Recently, Synack launched its Hydra Technology platform. This technology acts as a force multiplier for the Red Team. Hydra Technology looks for new attack areas and reports its data to the Red Team. This has been a blessing to the Red Team, as it provides vital security intelligence at a faster rate.
The other bug bounty platforms are:
Aarogya Setu App
There are very few companies in India that have bug bounty programs and offer monetary rewards to hackers and researchers for reporting bugs or vulnerabilities. Some of the companies offering bug bounty programs are PayTM and BigBasket.
Recently, the IT Ministry declared “Aarogya Setu – the COVID-19 contact tracing app” open source and announced a bug bounty scheme of Rs 3 lakh. NITI Aayog CEO Amitabh Kant said that the app has become the world’s fastest app to reach 50 million downloads, in just 13 days.
Even though Indian software companies and organizations are not known for offering bug bounties, the hackers of India are reporting bugs and vulnerabilities on a large scale.
Can bug hunting be a career option?
A large number of bug bounty programs are being offered worldwide on various platforms. Many hunters have earned tens or hundreds of thousands of dollars just through their knowledge and keen eye for bugs and vulnerabilities. This has led many individuals to concentrate on bug bounty programs and opt for them as their full time career.
This is without a doubt a great opportunity to earn some extra cash and buy a PS5 or Xbox. But someone who has a well paying job and family responsibilities should not dive into bug hunting as a full time career.
Hunting down bugs and reporting vulnerabilities takes lots of learning, effort and time. You must be thorough with the documentation, read security articles, and practice writing reports. Adopt a strategy that fits you.
Sometimes it may happen that you work hard enough to discover a bug, document it and report it, only to find out that some other hacker reported the same bug a few hours earlier. Santiago Lopez, a bug hunter from Argentina, earned $1 million through the HackerOne platform. He said that it would have been a waste of time if somebody else had reported the bug earlier than him. This point should be kept in mind before going for a full time career in bug hunting.
Personal point of view
Nowadays, most devices are smart devices connected to the internet. Companies are prioritizing their users’ privacy and security, so they would like to keep their threat surface smaller by welcoming anyone who can help them secure their systems.
Still, it might not be a good idea to become a full time bug hunter if you are not familiar with how it works. I suggest that before making the major switch, you should work part time as a bug hunter for a year or two.