Slashdot Mirror


Bug Bounties Are Bonanza, For a Few Persistent Hackers (csmonitor.com)

chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk (http://bugsheet.com/directory) offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled are researcher Frans Rosen and Sean "Meals" Melia, the number-four-ranked researcher on BugCrowd. Both claim to have netted six-figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."

27 comments

  1. Bug, the Bounty Hunter by turkeydance · · Score: 4, Funny

    next on History Channel, or Discovery, or CSNBC.

    1. Re:Bug, the Bounty Hunter by Anonymous Coward · · Score: 0

      Bear-mace that guy!

  2. "Sometimes it's like finding my own gold mine." by Anonymous Coward · · Score: 0

    Playing Devil's Advocate here:

    I'm curious if vulnerabilities also count as bugs, and if these guys don't manufacture a few of their own just to hunt them down later for profit.

    1. Re:"Sometimes it's like finding my own gold mine." by KGIII · · Score: 1

      No XKCD, but how about a Dilbert?

      http://dilbert.com/strip/1995-...

      Very much on topic. ;-)

      --
      "So long and thanks for all the fish."

  3. Re: "Sometimes it's like finding my own gold mine. by Anonymous Coward · · Score: 2, Interesting

    Only the first party could manufacture vulnerabilities in software. Nobody hacks in and creates a vulnerability. If anyone is hacking in, it is because it was already vulnerable.
    In other words, your post doesn't make sense. Not all bugs are vulnerabilities, but all vulnerabilities are bugs.

  4. Bounty definition by Anonymous Coward · · Score: 0

    Doesn't a bounty procedurally function like so:

    1. Buyer lists requirements
    2. Worker fulfils requirement
    3. Buyer verifies fulfilment of requirement
    4. Buyer pays Worker?

    This doesn't seem like a site of bounties, unless I missed a link on the page. It seems like a list of companies that may or may not have agreed to be put on a website and may or may not be willing to pay you for finding unknown bugs, particularly in web security.

    I actually don't even see any comments from the companies listed. Only their security policies which do not mention anything about a Bounty.

  5. Honeypot. by zenlessyank · · Score: 1

    I was under the assumption that these 'bounties' and 'contests' were just bait so the Power(s) that Be could make a nice list of peeps who have skills.

  6. By Torvalds Beard by Anonymous Coward · · Score: -1

    The Linus Torvald's you know and love is but a figurehead puppet used by the open source conglomerates as clean shaven media representative. This man was born without birth certificates as part of a Middle Eastern slave harem and is commonly known as the Lunix Colonel.

    The real Linus Torvald's has not left his mothers basement for 25 years. Nor has he shaved in this time. In March 1994 the Kernel was released as version 1.0.0 to celebrate Torvald's beard reaching 1 foot in length. 2 years later, largely due to a healthy diet of lutefisk they celebrated the milestone of 2 feet.

    Unfortunately due to interference by corporate actors such as the Soviet conspiracy, Red Hat, the numbers became stagnated and no longer accurately reflected the true length of Torvald's beard. He was forced to trim.

    This event caused Torvald's great sadness and resulted in him spiralling out of control into deep depression like parts of Mark Shuttleworth's Challenger spacecraft. He stopped showering for several years and this corresponding time period contained the greatest number of bugs in both the Linux kernel, and his beard.

    The depression and lack of hygiene was contagious and spread to Open Source Wizard Richard Stallman who became known for his podiatric-auto-canibillia and was more likely to be associated with sores and sauce than source. The rival HURD kernel will never be completed as Stallman has forgotten how to program.

    Torvald's meanwhile continued coding until his fingers bled, pushing code into his git under pseudonyms of various nerds around the world who paid the open source conglomerate to keep the sole Linux Mainframe online.

    In 2011 Torvald's was able to wrestle control back over his versioning system and matched the release to the length of his beard for the 3rd time. This greatly improved the kernel and led to the development of some of the key technology of the 21st century: System D.

    Seeing that his kernel was getting bigger, Torvald's began researching peer to peer Bitcoin block chains and Tor network services as a way to revolutionise the kernel for the first time since Al Gore invented the internet. System D was to use the one true linux mainframe's hard drive to store pictures of Torvalds Penis; the System D version numbers were to reflect its size at any time in some of the first research into Quantum computing versioning. After Jarrod from Subway became the initial angel investor, due to seeing how this technology could be useful for his own interests, Google joined the project with the creation of its D-wave computer - the first self contained and self replicating System D computer.

    This caused a further rift between Stallman and Torvald's, as Linus had turned his operating system into a more advanced version of HERDs naming system. Many gnus were killed in the great battle of recursion.

    In 2013 Torvald's beard had grown to a staggering 4 feet, as long as Eric S Raymond was tall. This also marked the first time that Linux and System-D were the same thing, as at the time Torvald's penis was 4 feet long.

    Torvald's beard is currently approaching 4.3 feet long. He last had a shower this morning when he nearly got an erection and it is currently free from bugs.

    1. Re:By Torvalds Beard by Anonymous Coward · · Score: 1

      All attempts at humor are dismissed. Learn to use an apostrophe.

    2. Re: By Torvalds Beard by Anonymous Coward · · Score: 0

      I hope you entertained yourself writing that. No one else was.

    3. Re: By Torvalds Beard by Anonymous Coward · · Score: 0

      Lies! I chuckled, twice.

  7. "A" by Anonymous Coward · · Score: 0

    Bug Bounties Are *A* Bonanza

    1. Re:"A" by Dahamma · · Score: 1

      So, you have never read a headline before? Dropping indefinite articles in headlines dates to centuries before you or I were born.

    2. Re:"A" by Anonymous Coward · · Score: 0

      Not in the middle of a sentence. Compare

      "[An] Area Man Pretends To Give A Shit"

      "[An] Area Man Pretends To Give [A] Shit"

      The second one means he's faking the donation of manure. The first one doesn't.

    3. Re:"A" by Dahamma · · Score: 1

      Bad example, since "give a shit" is a colloquialism, but "bonanza" and "a bonanza" mean the same thing.

  8. wow by Anonymous Coward · · Score: 0

    And here I provided this type of stuff to companies between 2000 and 2003. Worse, I had to fight a few to get shit fixed; usually a well-worded email to a reporter did the trick :)

  9. Re: "Sometimes it's like finding my own gold mine. by Anonymous Coward · · Score: 0

    > all vulnerabilities are bugs.

    That's not necessarily true. Sometimes a vulnerability is something else. A side effect of a mandate or mandated to not be addressed. Bugs are unintended functionality (or lack thereof).

  10. Yes and no by hsmith · · Score: 2

    I am getting ready to launch one for my company. We simply announced it was coming and got inundated from India with garbage Metasploit attempts. Speaking with people that have programs, this seems to be standard. Getting to serious issues seems to be a bit harder, since it takes a bit more skill than a script kiddie has. The real key to success seems to be defining the scope well from the outset. But time shall tell.

  11. Re: "Sometimes it's like finding my own gold mine. by Anonymous Coward · · Score: 0

    > Sometimes a vulnerability is something else. A side effect of a mandate or mandated to not be addressed. Bugs are unintended functionality (or lack thereof).

    Requirements can be bugs, too. Chalk it up to how buggy people are.

  12. tymothy by beni1 · · Score: 1

    Thanks for the info...

    1. Re: tymothy by Anonymous Coward · · Score: 0

      You're welcome.

      Sincerely,
      Timohty.

  13. Is mining for gold worth it? by Anonymous Coward · · Score: 0

    Yes, to the people who are really good at it and know just where to look. To the many, many others, no.

    If you are reading this thinking you can make a lot of money finding bugs, you're likely in the "no" column. However, if you don't mind doing free labor and it's fun for you, go for it.

  14. I'll have to get in on this by Anonymous Coward · · Score: 0

    Considering in the past I've already found security holes in 2 of the top 10 websites on the planet, one of them extremely serious.

  15. Re: "Sometimes it's like finding my own gold mine by Anonymous Coward · · Score: 0

    Still counts as intended operation of the code. Pointing out a backdoor they put in on purpose won't get you a bounty.

  16. is anyone really getting rich off bug bounties? NO by xxxJonBoyxxx · · Score: 1

    If you need to be in the "top four" (TFA) to make a six-figure income, that's not getting rich. If you're in IT security and not pulling down six figures just showing up to the office by nine, it's probably time for the next job.

  17. Buggy drones by penguinoid · · Score: 1

    What's the bounty for finding remote exploits in military drones?

    --
    Don't waste your vote! Vote for whoever you want; unless you live in a swing state it won't matter anyway.

    1. Re:Buggy drones by Anonymous Coward · · Score: 0

      > What's the bounty for finding remote exploits in military drones?

      A million dollars, that's the bounty you'll get [on your head].