Slashdot Mirror


Life As a Bug Hunter

An anonymous reader writes "Bug Hunter Aaron Portnoy claims to have earned $60K in 3 months as a bug hunter when he was 19 years old. Pretty impressive. Tighter company budgets and increased pressure to get a product ready by its release date means code isn't checked so thoroughly and bug frequency rises. From the article: 'Mozilla — makers of the Firefox web browser — were first to start a bug bounty programme in 2004. Their top prize is currently $3,000 (£1,800) and they have paid out about $40,000 (£25,000) per year since then. Their top earner is a student in Germany who has bagged more than $30,000 (£18,000) from a series of discoveries.'"

68 comments

  1. I do the opposite by Anonymous Coward · · Score: 5, Funny

    I make a decent amount producing new bugs.

    1. Re:I do the opposite by Jah-Wren+Ryel · · Score: 0

      I make a decent amount producing new bugs.

      +1 LOL

      --
      When information is power, privacy is freedom.
    2. Re:I do the opposite by MobileTatsu-NJG · · Score: 1

      I'm gonna write me a new minivan!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:I do the opposite by Anonymous Coward · · Score: 0

      Pah. You'll never top these guys, who have been at it for over 50 years.

  2. Payment to coders? by statusbar · · Score: 1

    Do they pay the coders this much too? or are the code submissions all donated?

    --
    ipv6 is my vpn
    1. Re:Payment to coders? by vlm · · Score: 2

      Do they pay the coders this much too? or are the code submissions all donated?

      They could:

      1) coder will submit a javascript parser provided by me in an envelope containing both half the cash bounty and a buffer overflow
      2) ....
      3) Profit!

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Payment to coders? by TheCycoONE · · Score: 1
    3. Re:Payment to coders? by ninetyninebottles · · Score: 1

      Do they pay the coders this much too? or are the code submissions all donated?

      Coders are paid by Mozilla if they are employees. Coders are paid by other companies or organizations to code for Firefox, as necessary to meet that employer's needs. I could certainly see Mozilla offering a bounty for coding a specific feature, but this is usually called a contract and is exclusive to one or one group of reputable, vetted coders. The only reason they are offering money for exploits is because they don't know what, exactly, needs to be done and because the community hasn't jumped on the issue and put time/money into it (or because others are offering money for them to not contribute work and sell the exploits on the black market). I'm sure, however, if you start paying coders to not donate code to Mozilla, they will respond by countering (or suing your ass).

    4. Re:Payment to coders? by AvitarX · · Score: 1

      Honestly, it sounds like the company made back its money, and cancelled in time.

      I mean, it was only a week, and only 2 days of abuse. The first three days appeared to pay off, and things were better in the code-base going forward.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Payment to coders? by Anonymous Coward · · Score: 0

      Eat shit, hacker. What the fuck is going on?

  3. Impressive compared to what? by Anonymous Coward · · Score: 1

    Don't get me wrong; $60k in 3 months is not a bad haul for anybody. But as the single biggest payout (over time) fluke ever, it kind of sucks, and is reflective of the average pay one can expect pursuing this career, which also sucks.

    If you want to shoot for the moon, you might as well just play the lottery.

    It's another thing if you hack for fun, and can collect a little money on the side for it. But this is not a sustainable career for anyone and slashdot in particular needs to stop acting like these guys are rolling in money. They may well be independently wealthy for other reasons, which gives them time to pursue hacking in the first place, but they aren't getting rich or even gainfully employed from these activities.

    1. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      New model of society: govt pays ppl a basic income and govt and biz hold challenges to stimulate individuals to create and innovate and provide services like bug-finding without the need to work for a corporation. The resulting new knowledge and technology that the country as a whole produces allows the govt to make taxes voluntary and print the budget while the currency stays strong. See Japan's 200% debt-to-gdp ratio and too-strong currency for what the future of economics will look like...

      In conclusion, Reagan proved deficits don't matter.

    2. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      The number of projects which pay for bug discovery is amazingly low; I doubt the entire field could support more than 100 people 'pursuing' this 'career'.

    3. Re:Impressive compared to what? by ark1 · · Score: 2

      The real money is in the black market of 0days. That is where Intelligence agencies and criminals compete for new vulnerabilities and are willing to throw some major money depending on the severity. If you are fortunate to find a critical 0day - think remote exploitation in a popular OS/application without user interaction then you may pocket 6 or even 7 figures for a single bug. White hat reporting is mainly done as a hobby and/or advertisement of your personal skills or your company and is not really meant to be a full time job.

    4. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      There is a market for about 6 computers.

    5. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      You know, I've been producing 0days for about 3 years now, and I haven't yet found this black market people keep talking about. I don't think it actually exists.

    6. Re:Impressive compared to what? by Hazel+Bergeron · · Score: 2

      New model of society: govt pays ppl a basic income and govt and biz hold challenges to stimulate individuals to create and innovate and provide services like bug-finding without the need to work for a corporation.

      Read Thomas Paine on the basic income guarantee and Thomas Jefferson on copyright.

      Your ideas are as old as the USA, thus dangerously close to revolutionary in today's environment.

    7. Re:Impressive compared to what? by BitZtream · · Score: 1

      That's 240k/year and doesn't require you to live somewhere that 240k a year isn't a big salary.

      240k/year is decent pay for anyone doing that job with the exception to that being the jobs doing it in areas where it costs a million plus a year just to pay your rent.

      You're seriously claiming you make 240k/year or more and that that is 'average pay'? What shitty assed city do you live in where that's the case cause there are only a limited number of places where 240k/year is average pay and pretty much none of them are home of software companies that do this sort of thing.

      If you meant to say 60k/year is average pay for this sort of work ... then sure, but that's for a year's worth of work, not 3 months of spare time.

      but they aren't getting rich or even gainfully employed from these activities.

      You are completely disconnected from reality, you clearly have no idea what the average salary is for this sort of work.

      Do you even have a job and live on your own? The only way I can see someone making these sort of statements is if they are still in high school living at home with absolutely no idea what the real world is actually like when mommy and daddy aren't carrying your weight.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      Since your reading comprehension is so low, I will explain it to you more clearly.

      In other lines of work, such as business, recording, film, architecture, etc. people can be paid "up to" several million a year. Those people are very few, but they exist and could be used as poster children. Here in this story, the amount of $240k/yr (i.e. $60k/3 months) is being touted as a big payoff, and it is for this line of work. But if that's a "big" payoff, then what is the average? Hint: the summary says Mozilla pays $40k per year. That's divided across everyone who received a payment. With just four people receiving payments, that averages less than $10k salary.

      So if you are the one guy in a million who can manage a decent living from this kind of work, good for you. Are you that man, or are you one of the other 999,999 who are better off playing the lottery?

      Since you think that the $60k/3 months represents an "average" payoff for this kind of work, you are the one who has completely and utterly failed to grasp reality. Thanks for the entertaining post though.

    9. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      Been a while since anyone was even able to carry yours right?

    10. Re:Impressive compared to what? by Anonymous Coward · · Score: 0

      Obviously no one is going to offer you money if you keep doing it for free.

  4. profit! by Anonymous Coward · · Score: 0

    1. write buggy code
    2. inform an accomplice of the bug
    3. profit

    1. Re:profit! by Anonymous Coward · · Score: 1

      Don't you mean:

      1. Write buggy code.
      2. Sell support contracts.
      3. Profit.

    2. Re:profit! by Anonymous Coward · · Score: 0

      4. get fired (and become unhireable) after the fifth such attempt is noticed.

    3. Re:profit! by Hognoxious · · Score: 0

      LOL. Mannijarz is not soe smeart.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:profit! by Anonymous Coward · · Score: 0

      It's not managers you have to look out for, it's teammates.

  5. "when he was 19 years old" by Anonymous Coward · · Score: 0

    When was that? 10 years ago?

    1. Re:"when he was 19 years old" by Anonymous Coward · · Score: 0

      "The 25-year-old Aaron Portnoy has been tracking down bugs since he was barely into his teens."

      So, yeah, 10 years ago.

  6. Here I sit all broken hearted by Anonymous Coward · · Score: 0

    Tried to shit but only ... ?

  7. Bug hunter? by Anonymous Coward · · Score: 0

    Since when have entomologists become so interesting?

  8. Re:With enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 0

    what

  9. Ahem... by bughunter · · Score: 5, Funny

    I was not consulted for this article, therefore it must be considered suspect.

    --
    I can see the fnords!
    1. Re:Ahem... by bughunter · · Score: 1

      I should add, it's easier when the bugs find you. It takes a special kind of [karma|luck|uncanny statistical influence] to be a real bughunter. You have to be the kind of person who only needs to walk by a piece of dodgy tech in order to induce it to fail. That gives you an inkling of what life as a bughunter is really like.

      On one hand, being an early adopter is just asking for trouble. Don't go there, unless you're being paid to. If it's been half-assed, you're going to find out -- and these days it seems like nearly everything new is also hemi-gluteous.

      On the other hand, the stuff you design and build tends to be rather bulletproof, because you avoid unnecessary complexity, learn to identify and verify your assumptions, and test the living shit out of everything.

      --
      I can see the fnords!
    2. Re:Ahem... by Anonymous Coward · · Score: 0

      So... You use a magnet?

    3. Re:Ahem... by Anonymous Coward · · Score: 0

      I should add, it's easier when the bugs find you. It takes a special kind of [karma|luck|uncanny statistical influence] to be a real bughunter. You have to be the kind of person who only needs to walk by a piece of dodgy tech in order to induce it to fail.

      Oh, you've met me before...

    4. Re:Ahem... by Anonymous Coward · · Score: 0

      I used to teach 'the method' to other programmers. But they came to hate me. Now I just keep it to myself. It is not that hard. Most people do not even bother to check their inputs. Overflowing them or breaking out of a sandbox is not that hard. You just need to have an 'ok' understanding of how it works and what you are trying to do. One of the 'easy' ones from a long time ago was my preferred username /HTML with a couple of gt's around it.

      haha my captcha 'escaping'!
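      The comment above is about unchecked inputs, in particular a username carrying HTML markup that a site rendered verbatim. The following is an added example, not code from the commenter or from any project named on the page; it contrasts a renderer that interpolates the raw username with one that validates the username against an allowlist and escapes it before rendering, and shows a simple check a tester could use to confirm that user input did not turn into markup. The function names and the sample usernames are constructed for this example.

```python
import html
import re

# Constructed sample inputs (not from the page): one benign name, one carrying markup.
SAMPLE_USERNAMES = ["alice", "<b>bob</b>"]

# Allowlist for usernames: letters, digits, underscore, dot, hyphen; 1-32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(username: str) -> bool:
    """Input check: accept only names matching the allowlist, reject everything else."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_unsafe(username: str) -> str:
    """The unchecked-input pattern: the raw username is spliced into HTML as-is."""
    return f"<p>Welcome, {username}!</p>"


def render_greeting_safe(username: str) -> str:
    """Hardened form: reject names that fail validation, and escape <, >, &, quotes
    so that whatever survives is rendered as text rather than as markup."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"


def render_greeting_escaped_only(username: str) -> str:
    """Escaping alone (no allowlist); still safe against markup injection, useful when
    the application must accept arbitrary display names."""
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"


def contains_injected_tag(rendered: str) -> bool:
    """Crude detection check: any tag name other than the template's own <p> means
    user-supplied text was interpreted as markup."""
    tags = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)
    return any(tag.lower() != "p" for tag in tags)


def demo() -> dict:
    """Run both renderers over the constructed inputs and report which ones leaked markup."""
    report = {}
    for name in SAMPLE_USERNAMES:
        unsafe = render_greeting_unsafe(name)
        escaped = render_greeting_escaped_only(name)
        report[name] = {
            "valid": validate_username(name),
            "unsafe_leaks_markup": contains_injected_tag(unsafe),
            "escaped_leaks_markup": contains_injected_tag(escaped),
        }
    return report


if __name__ == "__main__":
    for name, result in demo().items():
        print(repr(name), result)
```

      The allowlist rejects the markup-bearing name outright; the escape-only path keeps it but renders it inert. Both are needed in practice: validation at the boundary for fields with a known shape, output encoding everywhere a value reaches HTML.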

  10. Re:With enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 0

    Did I accidentally go to 4chan's /g/ again?

  11. I create bug.. by Anonymous Coward · · Score: 0

    I create bug You find bug give me 50% ok?

  12. Not a sustainable career! by Anonymous Coward · · Score: 0

    Talk about writing yourself out of a job!

  13. Whoa by DurendalMac · · Score: 1

    So being a bug chaser is now a profession? Who knew?

    1. Re:Whoa by Anonymous Coward · · Score: 0

      Yes. It's called "the QA team". You're welcome. :P

      Also: What good is a bug bounty, if you're not fixing the bugs, hm Mozilla? (Now I have to re-start my Firefox, who eats up 1.6GB of RAM. NO program should ever need that much RAM, without a massive data set being open! It's like they wrapped a whole operating system, written in a scripting language, inside a virtual machine, written in "as always, leaking left and right" C. ...Oh, wait! They did! It's like "the worst of both worlds". ;)

    2. Re:Whoa by hedwards · · Score: 2

      Firefox doesn't use that much RAM under normal conditions. Apart from that bug when you load up a whole page of photos, the use of memory is way below any of the major competitors.

      Doesn't mean that it doesn't happen, but it's usually not Firefox, it usually ends up being a plug in or extension that's using up most of the memory. Under normal circumstances you're not likely to ever use more than 500mb.

    3. Re:Whoa by Anonymous Coward · · Score: 0

      Hello shill, how are you today?

    4. Re:Whoa by Ellis+D.+Tripp · · Score: 1

      I think you missed the OP's joke...

      http://en.wikipedia.org/wiki/Bugchasing

      --
      Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
    5. Re:Whoa by BitZtream · · Score: 1

      From what you've said, I can safely deduce without any uncertainty that you have never actually used Firefox at any point in your life.

      As far as it being a plugin or something, I'll tell you the same thing I told our VoIP provider ...

      I don't care WHAT or WHY the exact reason is, when I do A ... B happens. I don't care if it's not A's fault, if I don't use it, it doesn't happen so your choices are to make it so A prevents something else from causing it a problem, or I'll use something else.

      No one gives a shit what the specific reason Firefox eats RAM is, it indicates bad design in general.

      Windows crashes all the time cause Microsoft writes shitty buggy software. That statement is pretty much 100% false. 10 times out of 8 when a Windows PC crashes it's related to a 3rd party driver. But no one gives a shit because Windows has still crashed.

      Blame it on other stuff all day long, the rest of us are still going to think of Firefox as wasting a bunch of ram because anyone who uses it finds it wasting a lot of ram. If third party plugins are the problem, and everyone uses 3rd party plugins then the browser is still broken.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    6. Re:Whoa by hedwards · · Score: 1

      To be honest, we don't really care what people as fucking stupid as you think about things. I don't represent Mozilla, but it's not helpful to pretend like your situation is typical without actually providing any evidence. You're not going to fix a problem caused by extensions by mucking around in the browser code, sure when add ons get their own processes, it will be a lot easier to know who is responsible for what.

      But, at the moment, only a fucking moron would claim that it's Firefox' fault that other people can't code properly.

      As for MS, it's their fault that their architecture was so incompetently designed for so long. Remember this is the same outfit that felt that it was OK to ignore the specs for ACPI and put workarounds for known buggy implementations into their code. They long ago gave up any credibility in that regard. Not to mention the fact that when Windows crashed nobody, not even their support people, had any idea what was causing it based upon the error messages. They've gotten better, but that's the way it's been.

      And yes, I do care who's at fault, if it's MS' fault, then that's one thing, if it's the hardware vendor, I'm not going to solve that problem by ditching Windows.

    7. Re:Whoa by kyz · · Score: 1

      Firefox doesn't use that much RAM under normal conditions.

      Yes it does. Mozilla know this and have an entire team of people addressing Firefox 4 memory usage issues. They're looking at 18 P1 bugs, 84 total.

      My Firefox has 1.3GB mapped, but is only using 300MB right now (according to the very useful about:memory)... that's a serious fragmentation problem, because as far as my operating system is concerned, that's a 1.3GB program, not a 300MB program.

      --
      Does my bum look big in this?
    8. Re:Whoa by arkenian · · Score: 1

      I just have to say that I use very few plugins, and I'm not sure I've ever actually SEEN firefox come in at under 500 mb. Ever. Now granted, usually I'm up to more than ten tabs by the time a task manager pops up where I might check this, but still....

    9. Re:Whoa by Migala77 · · Score: 1

      Firefox doesn't use that much RAM under normal conditions. Apart from that bug when you load up a whole page of photos, the use of memory is way below any of the major competitors.

      Doesn't mean that it doesn't happen, but it's usually not Firefox, it usually ends up being a plug in or extension that's using up most of the memory. Under normal circumstances you're not likely to ever use more than 500mb.

      Then tell me which extension it is. Just a simple task manager, then I'll know who to blame.

  14. Real bugs by Lord+Lode · · Score: 1

    Ok, so even though I'm a programmer, when I started reading the article, I was really thinking this was about a vermin hunter, someone who rids people's houses of infestations of insects or something like that... Am I the only one?

    1. Re:Real bugs by Anonymous Coward · · Score: 0

      No.

    2. Re:Real bugs by Anonymous Coward · · Score: 0

      It's ok, you're not alone

    3. Re:Real bugs by Gaygirlie · · Score: 1

      Ok, so even though I'm a programmer, when I started reading the article, I was really thinking this was about a vermin hunter, someone who rids people's houses of infestations of insects or something like that... Am I the only one?

      No, you aren't. I just thought about someone going Terminator-on-your-ass on cockroaches or something before I read the submission itself.

    4. Re:Real bugs by Anonymous Coward · · Score: 0

      Did you happen to work on the Mark II in the 40's?

    5. Re:Real bugs by Aldanga · · Score: 1

      Definitely not. I had flashbacks to Pokémon battles with bug catchers.

  15. OSS promises by gutnor · · Score: 1

    The promise of OSS was to have more eyes looking at your code and therefore making better software.

    It is very sad that money needs to be involved, but we don't live in the same OMG ponies world RMS lives in; it died in the 80s after our pot smoking parents changed their minds about the value of money. Nowadays, you see leeches of the system making money with all sorts of repulsive business models, ... so it is a good thing that security researchers get rewarded and that students with too much time invest it in improving the common good rather than another link farm business.

    1. Re:OSS promises by Anonymous Coward · · Score: 0

      This is just an incentive program to get more eyes on the problem. Without monetary incentive many people would be bug hunting on applications that they are personally interested in. Bug hunting for web browsers doesn't sound much fun to me, so I would spend my time poking at other applications; however, add in the chance to make some money on the side and I'd be more interested in spending at least some small amount of time poking at FF.

  16. Lite? by ninetyninebottles · · Score: 4, Insightful

    From the article:

    "When we started out it was $1337 which if you write it down spells out 'lite' which is hacker speak for elite. Since then we've increased the top prize to 3133.70 which spells 'elite,'" explained Rukowski.

    Seriously? 1337 spells "lite"? Are the authors of this article really that clueless and have that little competent review of their material? 1337 spells "leet" which sounds like "elite" if you don't really pronounce the first letter. Isn't this explained in "Hackers" or some other pop culture movie?

    1. Re:Lite? by mkiwi · · Score: 1

      For a brief moment, I had the fancy of thinking entomologists were traveling the Amazon, making new discoveries for large amounts of money. That's pretty l337. I'm going to go back and read xkcd now.

    2. Re:Lite? by Anonymous Coward · · Score: 0

      Considering leet is marked as a typo, it was probably "corrected" by someone who wasn't paying attention to the topic...

    3. Re:Lite? by Anonymous Coward · · Score: 0

      And "3133.70" sounds like eleeto which I assume is spanish for Elite!

  17. spec work by kylemonger · · Score: 1

    In other creative industries, these contests are known for the exploitative ruse that they are. They fall under a more general class of labor called "spec work." With contests in general, or in this case bug bounties, a large number of people are induced to work while only a few or maybe none are actually paid.

    1. Re:spec work by blue+trane · · Score: 1

      better that they be working towards some kind of good than that they, for example, be trying to exploit existing bugs or looking for new bugs to exploit...

  18. more outstanding work from the bbc tech idiot team by chewy_fruit_loop · · Score: 1

    "When we started out it was $1337 which if you write it down spells out 'lite' which is hacker speak for elite. Since then we've increased the top prize to 3133.70 which spells 'elite,'" explained Rukowski.

    honestly their research knows no bounds

  19. I rather going to barbecue by luk3Z · · Score: 0

    I'd rather go to a barbecue with my friends than stay at home and hunt for bugs...

    --
    Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)
  20. Article is poorly researched. by Anonymous Coward · · Score: 0

    We gave Bug Bounties in the Graphics Forums on CompuServe ca. 1990. A floppy disc full of images was mailed to the subscriber when a confirmed bad graphic was found (not uncommon in those days).