Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bug Bounties Are Bonanza, For a Few Persistent Hackers (csmonitor.com)

Posted by timothy on from the ducks-in-a-row dept.

chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk (http://bugsheet.com/directory) offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled is researcher Frans Rosen and Sean "Meals" Melia, the number four ranked researcher on BugCrowd. Both claim to have netted six figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."

11 of 27 comments (clear)

  1. Bug, the Bounty Hunter by turkeydance · · Score: 4, Funny

    next on History Channel, or Discovery, or CSNBC.

  2. Re: "Sometimes it's like finding my own gold mine. by Anonymous Coward · · Score: 2, Interesting

    Only the first party could manufacture vulnerabilities in software. Nobody hacks in and creates vulnerability. If anyone is hacking in it is because it was already vulnerable.
    In other words, your post doesn't make sense. Not all bugs are vulnerabilities, but all vulnerabilities are bugs.

  3. Honeypot. by zenlessyank · · Score: 1

    I was under the assumption that these 'bounties' and 'contests' were just bait so the Power(s) that Be could make a nice list of peeps who have skills.

  4. Re:By Torvalds Beard by Anonymous Coward · · Score: 1

    All attempts at humor are dismissed. Learn to use an apostrophe.

  5. Yes and no by hsmith · · Score: 2

    I am getting ready to launch one for my company. We simply announced it was coming and got inundated from India with garbage Metaspoilt attempts. Speaking with people that have programs this seems to be standard. Getting to serious issues seems to be a bit harder since it takes a bit more skill than a script kiddie can do. The real keys to success seem to be defining the scope well from the onset. But time shall tell.

  6. tymothy by beni1 · · Score: 1

    thank for info...

  7. Re:"A" by Dahamma · · Score: 1

    So, you have never read a headline before? Dropping indefinite articles in headlines dates to centuries before you or I were born.

  8. Re:"Sometimes it's like finding my own gold mine." by KGIII · · Score: 1

    No XKCD but, how about a Dilbert?

    http://dilbert.com/strip/1995-...

    Very much on topic. ;-)

    --
    "So long and thanks for all the fish."
  9. is anyone really getting rich off bug bounties? NO by xxxJonBoyxxx · · Score: 1

    If you need to be in the "top four" (TFA) to make a six-figure income, that's not getting rich. If you're in IT security and not pulling down six figures just showing up to the office by nine, it's probably time for the next job.

  10. Buggy drones by penguinoid · · Score: 1

    What's the bounty for finding remote exploits in military drones?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  11. Re:"A" by Dahamma · · Score: 1

    Bad example, since "give a shit" is a colloquialism, but "bonanza" and "a bonanza" mean the same thing.