Bug bounty hunters can make big bucks with the right hack
Back in 2002, Tommy DeVoss had some unwelcome visitors at his front door: FBI agents, ready to raid his house.
He'd been leading a hacking crew through a yearlong run attacking government websites and web giants like Yahoo.
A decade and a half later, he's the one knocking on the door of some of the biggest websites out there, and the companies behind them are gladly paying him hundreds of dollars for his hacking efforts.
DeVoss is part of a rare group of full-time bug bounty hunters, hacking experts who dedicate their days to finding vulnerabilities on websites in hopes of big rewards, the digital equivalent of Indiana Jones. These bug hunters have been helpful to smaller companies that don't have the resources to hire full-time experts to test their security, and even to big tech companies looking to expand their security efforts. They can help find flaws that could prevent major hacks by cybercriminals.
At a time when malicious hackers are exploiting vulnerabilities in a big way — consider the 145 million people affected by Equifax's breach, or the — companies are more vigilant about the need to protect themselves. For DeVoss, that means business is good.
Indeed, he went from struggling to find a job, given his criminal record, to quitting a comfortable, pedestrian job as a software developer that paid $90,000 a year. That was in late 2016, when he turned his focus to hunting for software bugs full time.
DeVoss and other bug hunters have been busy. Companies, as well as government agencies, regularly launch bug bounty programs to reward hackers who find security flaws before criminals do. In 2016, companies and agencies paid out $6.3 million for 52,000 discovered vulnerabilities, according to Bugcrowd, a bug bounty resource.
“Our bug bounty program is an essential pillar of our security strategy,” a spokesperson for Oath, a unit of Verizon to which Yahoo now belongs, said in an email.
It's like paying a burglary expert to come to your house to tell you all the ways someone could break in. The bigger the vulnerability, the bigger the reward.
While these programs are popular, of the more than 53,000 bug bounty hunters active since March, only 15 percent are considered full-timers like DeVoss, according to Bugcrowd.
Some of them strike it rich, like Mark Litchfield, a veteran who makes more than half a million a year on bug bounties. Others have more humble ambitions, like India's Jasminder Singh, who nabs bounties to fund his startup.
Here's what it's like to be a bug bounty hunter, from their own perspective.
As a teen, Tommy DeVoss defaced more than 160 government websites under his alias, DawgyG. DeVoss ran the World of Hell hacking group and thought he was untouchable.
Then the World of Hell fell apart. Agents arrested every member between 2002 and 2003.
He was slow to learn his lesson. DeVoss had three different stints in prison for hacking over the next several years.
After finally straightening out and getting a decent job as a software developer for a small startup, he saw an article about a bug bounty program for Facebook. He brushed it off at first — after all, a judge had told him his next conviction would bring the maximum penalty.
“It seemed too good to be true, that people were going to pay me to hack them and not call the FBI again,” DeVoss said.
Then in 2015, he went to Defcon, the big annual hacker gathering in Las Vegas, where bug bounty hunters told him how much money they were making. He decided to give it a shot, out of both boredom and envy.
DeVoss even returned to the scene of his last crime: Yahoo. He'd been hacking the website since 1997 and thought nearly two decades of experience would give him an advantage.
He was still nervous about hacking his old foe. DeVoss figured he'd do something simple, something that wouldn't get him in trouble with federal agents again.
He found Yahoo's gist — a collection of private code — publicly available on GitHub, through a simple search, no hacking involved. He didn't think it would be worth anything, but it would be enough to test the waters of a bug bounty program.
The company paid him $300 for it.
“I got $300 for finding something through a Google search,” DeVoss said.
From there, he was hooked. He'd spend most of his time at work hunting for bugs instead of doing his actual job, and eventually he just quit.
He's been paying off his student loan debt and injunction fees from his past crimes with bug bounties. It pays off when you can make $9,000 in 15 minutes, as DeVoss did in June for finding a single bug.
His goal for 2017, the year he set out to be a full-time bug bounty hunter, was to make $100,000 a year. By July, he had earned more than $84,000 in bounties.
“I would have to be the CEO of a Fortune 500 company to make the same hourly wage that I make while working on bugs,” DeVoss said.
The high roller
“If you’re not first, you’re last.”
It's not only a goofy quote from “Talladega Nights,” but the mantra that helped Mark Litchfield become the highest-earning bug bounty hunter, making $600,000 in 2016.
When you're not the first to send in a bug, you can lose out on $10,000, Litchfield said. He remembers, because he'd hit the jackpot in 2015 after finding a major bug in PayPal's code that allowed for remote code execution, which gives an attacker potentially damaging control over a website.
The flaw earned the Las Vegas resident a quick $15,000. A couple of days later, another bug hunter found the same coding error, since PayPal hadn't fixed it yet. The latecomer got only $5,000, though by bug bounty standards, that's generous.
“If you come in second, it’s a duplicate and you’re not going to get paid,” Litchfield said. “It happens to all bug hunters, and it can be extremely frustrating.”
Litchfield decided to become a full-time bug hunter in 2014 through HackerOne, another bug bounty service, after he became confident he could pay all his bills through hacking. Like DeVoss, Litchfield felt bored at work and figured he could make much more money by going all-in on bounties.
To Litchfield, every bug bounty program is a race. And over the last year, he's won several. He's hunting for major bugs, not the small-time flaws that every other bounty hunter is picking up. If a bounty is less than $500, Litchfield said, he won't even bother touching it. His targets can be worth as much as $50,000 a month.
The trick is to find exploits in services that companies consider important. When he joined Yahoo's bug bounty program, he went after its advertisements and email — the company's bread and butter.
Instead of running a scanner that can automatically detect bugs, Litchfield takes the manual approach. He combs through important applications, looking for anything that might give him administrator-level privileges. He'll dig through code, how it's built and the ways it could be broken.
“It can be time-consuming,” he said. “But if it’s done right, you can find the issues you’re there for, and the payouts are normally very high.”
He's constantly afraid that all his work could have been for nothing, a major disappointment that has happened more than once. But he doesn't let it get him down.
“I enjoy what I do. Sometimes things get a little bit frustrating, but I’ve chosen to do this, so I’ve just got to move on,” he said.
Not all bug bounty hunters are swimming in riches. For some, even a small payout can mean a lot.
At the average daily wage in India of $4.25 a day, it would take Jasminder Singh more than six years of nonstop labor to make what he did in 4 days from bug bounties.
Singh, an entrepreneur in India, never saw himself as a bug bounty hunter, much less a hacker. He's a web developer, making apps and websites for any clients who will pay him. He only got into security because he needed to keep his own creations safe.
But sometimes business was slow. When he couldn't count on his startup to pay the bills, Singh found a lucrative backup plan in bug bounties.
Google and YouTube have provided a steady flow of income for Singh, who uses all the earnings to build his company. If he's ever in a bind for cash, he'll turn to their two programs.
“If you want to make money quickly, and you’re good, bug bounties are definitely the way to go,” Singh said.
The first time he tried out Google's bug bounty program was in December. Singh had been short on cash and learned about the tech giant's Vulnerability Rewards Program. In 2013, Google had given out $3 million in rewards to hackers who found vulnerabilities in Android and Chrome, and Singh figured he could find bugs for some quick cash.
The first bug he found was a problem with YouTube — a critical cross-site scripting flaw that would allow a hacker to take control of the website without permission from Google.
“Google is very concerned about guarding their access,” Singh said. “If you find a bug, it’s usually five grand, guaranteed.”
By Litchfield and DeVoss' standards, that's not a lot. But for Singh, it's enough to fund his own company.
Full-time bug bounty hunters are rare but steadily growing in number, Litchfield said. Talented hackers are learning they can earn a lot of money for essentially breaking into a web service, while major companies figure it's easier to pay bounty hunters to find their flaws than to spend hours searching for them themselves.
As long as the money keeps flowing in, hackers have found a legitimate way to earn a living and make a difference at the same time — if they're willing to put in the work.
“There’s a lot of people that have small families and can make $150,000 as security analysts,” DeVoss said. “It’s not worth the risk for a lot of them to try to do it full time.”