How much money does bug hunting bring in?

“In IT, you won’t go hungry” is a modern proverb that has long since proved itself. It is no secret that even a basic education in digital technologies lets you work in several directions at once. So if you are looking for additional income, you may be interested in an unusual phenomenon of the digital world: bug hunting, a real hunt for “treasure”.

The essence of the phenomenon

“Not all criminals are villains,” and not all hackers work on the Dark Web. Many developers, and people who simply know enough about how servers work, are ready to help make the Internet safer and have found their calling in finding errors and vulnerabilities in well-known sites and applications. The phenomenon is called Bug Bounty (“reward for a mistake”). Bug Bounty programs have been implemented by many well-known companies, such as Facebook, Google, Yandex and Vkontakte, and in principle any service will be grateful to those who help identify errors in its digital products.

The most famous Bug Bounty platforms:

Basically, all bug hunters are freelancers, and sometimes just “volunteers”, so they have no restrictions on their activities and can look for any vulnerabilities they are able to find. They are also free to choose where they earn: they can look for orders on special platforms, or take the initiative and test any sites or applications they like. All that is needed after identifying bugs is to send a detailed report to technical support and get a well-deserved reward.

More about income

HackerOne and Bugcrowd are considered the most popular platforms among bug hunters, as new orders appear on them most often. The site policy protects the interests of both customers and performers, so the former do not have to worry about the safety of their data, and bug hunters can be sure that they will receive their fee for the work performed.

The size of the reward depends on how critical the vulnerabilities found are. On these sites, performers have a rating that increases with the number of tasks completed. Bug hunters with a high rating gain access to private programs, where large companies place more serious tasks, which means a more generous reward.

Earnings on these sites start from $50 and can reach up to $50,000.

Russian analogues of sites have also recently appeared: and The Standoff 365. Earnings on these platforms can range from 0 to 400,000 rubles.

Many sites, such as Yandex, have special reward programs for bug hunters on their own resources. Yandex pays from 5,000 to 170,000 rubles for errors found.

And, as noted earlier, you can go fully freelance: look for errors on any sites and applications, then contact their support yourself and negotiate a price.

How to become a hunter

What knowledge do bug hunters need, and where can they learn it all? Both the work itself and training for it involve independent search and self-education. But anyone who has enough knowledge and skills can start: hunters only need a competent report on the errors found, and there is no need to attach diplomas, certificates or a reference from the last place of work to it.

To be able to find errors (and the more diverse and complex they are, the better), you need to understand the following areas:

  • All about testing: its methods and types, and be able to work with different design patterns;

  • Understand the architecture of web applications;

  • Understand how HTTP, DNS, TCP protocols work;

  • Know programming languages (Python, Java, MySQL, PHP, etc. – again, quantity is an advantage here);

  • Practice on simulators, for example, “Hack The Box”;

  • Read additional literature and study open reports on vulnerabilities found (they are also on the HackerOne website);

  • Develop non-standard thinking: logic simulators will definitely help you approach the search more carefully.

The website “HackerOne” has launched a free course “HACKER101” that anyone can take. It teaches:

  • How to identify, exploit and fix major web security vulnerabilities, as well as many other hidden bugs;

  • How to properly deal with cryptography;

  • How to develop and analyze applications from a security point of view;

  • How to start working as a bug hunter.

The world of superheroes: how bug hunters differ from other specialists

In the digital fantasy world, there are also white and black wizards. White hackers work for the benefit of humanity and use their hacking abilities only with good intentions. They wear white hats, and their activities also include identifying bugs and vulnerabilities. Unlike bug hunters, who are “civilians”, white, ethical hackers act as an attacker, so the problems they usually deal with affect only certain segments. In addition, for hackers, hacking has become more of a competition or a separate type of cybersport. Most often they compete in their hacking skills on the CTFtime website.

Testers, who have official jobs with a stable salary, also have a limited scope. Their work is oriented mainly toward the needs of users, so first of all they monitor the health of the programs and functions that site visitors use most often. With such a workload, it is impossible to trace all the errors that arise, and there is no time to think about the plans of attackers.

Bug hunters are free birds: unlike specialists in related areas, they can choose the mistakes they want to deal with, and there are no restrictions on their activities.

Success stories

Bug hunting will not become a stable monthly income. You can take on only high-paying orders, but the tasks and the time required to solve them will always be different. While working on one task, it is quite possible that other errors or vulnerabilities will be revealed.

And sometimes you can win the lottery once or hit the big jackpot on a single mistake. There are many examples of such lucky ones among bug hunters.

Belarusian Android developer Dmitry Lukyanenko (about the correct spelling of the surname: Lukyanenko is indicated on the Google website and on the check, in all Russian media they write about him as Lukyanenko) received grants from Google for bugs he found 12 times in a row in 2018. One grant is $1337, and this payment was even named “1 dmitry” in his honor. Dmitry is now in the top 20 best corner bug hunters (currently in 13th place).

And for one found bug on the Facebook website, he immediately received $15,000.

Another success story involving Facebook happened to the Russian programmer Andrey Leonov: the company sent Andrey a check for $40,000 for finding a mistake. At that time, in 2017, this was the record payout for Facebook bug hunting.

In Russia, there are also cases of “accidental” rewards: in return for a vulnerability found on its website, PIK sold its client an apartment at the original price and even gave an additional discount of 100,000 rubles.
