Bug Bounties Are Bonanza, For a Few Persistent Hackers (csmonitor.com)
chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk (http://bugsheet.com/directory) offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled are researchers Frans Rosen and Sean "Meals" Melia, the number-four-ranked researcher on BugCrowd. Both claim to have netted six-figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."
next on History Channel, or Discovery, or CSNBC.
Playing Devil's Advocate here:
I'm curious if vulnerabilities also count as bugs, and if these guys don't manufacture a few of their own just to hunt them down later for profit.
Only the first party could manufacture vulnerabilities in software. Nobody hacks in and creates a vulnerability. If anyone is hacking in, it is because it was already vulnerable.
In other words, your post doesn't make sense. Not all bugs are vulnerabilities, but all vulnerabilities are bugs.
Doesn't a bounty procedurally function as so:
1. Buyer lists requirements
2. Worker fulfils the requirement
3. Buyer verifies fulfilment of the requirement
4. Buyer pays Worker?
This doesn't seem like a site of bounties, unless I missed a link on the page. It seems like a list of companies that may or may not have agreed to be put on a website and may or may not be willing to pay you for finding unknown bugs particularly in web security.
I actually don't even see any comments from the companies listed. Only their security policies which do not mention anything about a Bounty.
I was under the assumption that these 'bounties' and 'contests' were just bait so the Power(s) that Be could make a nice list of peeps who have skills.
Bug Bounties Are *A* Bonanza
And here I provided this type of stuff to companies between 2000 and 2003. Worse, I had to fight a few to get shit fixed; usually a well-worded email to a reporter did the trick :)
All attempts at humor are dismissed. Learn to use an apostrophe.
> all vulnerabilities are bugs.
That's not necessarily true. Sometimes a vulnerability is something else. A side effect of a mandate or mandated to not be addressed. Bugs are unintended functionality (or lack thereof).
I am getting ready to launch one for my company. We simply announced it was coming and got inundated from India with garbage Metasploit attempts. Speaking with people who have programs, this seems to be standard. Getting to serious issues seems to be a bit harder, since it takes a bit more skill than a script kiddie has. The real key to success seems to be defining the scope well from the onset. But time shall tell.
> Sometimes a vulnerability is something else. A side effect of a mandate or mandated to not be addressed. Bugs are unintended functionality (or lack thereof).
Requirements can be bugs, too. Chalk it up to how buggy people are.
I hope you entertained yourself writing that. No one else was.
Thanks for the info...
Yes, to the people who are really good at it and know just where to look. To the many, many others, no.
If you are reading this thinking you can make a lot of money finding bugs, you're likely in the "no" column. However, if you don't mind doing free labor and it's fun for you, go for it.
Considering that in the past I've already found security holes in 2 of the top 10 websites on the planet, one of them extremely serious.
Still counts as intended operation of the code. Pointing out a backdoor they put in on purpose won't get you a bounty.
Lies! I chuckled, twice.
If you need to be in the "top four" (TFA) to make a six-figure income, that's not getting rich. If you're in IT security and not pulling down six figures just showing up to the office by nine, it's probably time for the next job.
What's the bounty for finding remote exploits in military drones?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways