Bug Bounties Are Bonanza, For a Few Persistent Hackers

chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk (http://bugsheet.com/directory) offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled is researcher Frans Rosen and Sean "Meals" Melia, the number four ranked researcher on BugCrowd. Both claim to have netted six figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."

Bug, the Bounty Hunter

[turkeydance]

next on History Channel, or Discovery, or CSNBC.

Re: "Sometimes it's like finding my own gold mine.

Only the first party could manufacture vulnerabilities in software. Nobody hacks in and creates vulnerability. If anyone is hacking in it is because it was already vulnerable.
In other words, your post doesn't make sense. Not all bugs are vulnerabilities, but all vulnerabilities are bugs.

Yes and no

[hsmith]

I am getting ready to launch one for my company. We simply announced it was coming and got inundated from India with garbage Metaspoilt attempts. Speaking with people that have programs this seems to be standard. Getting to serious issues seems to be a bit harder since it takes a bit more skill than a script kiddie can do. The real keys to success seem to be defining the scope well from the onset. But time shall tell.