Bug bounties won't make you rich (but you should participate anyway)

Commentary: There's a lot of hype about bug bounties, but here's some truth.

Just in case you were planning to quit your day job to go full-time killing bugs for a living, don't. Sure, some hackers make more than $1 million each year doing that. And, sure, you just might, too. But as experienced bounty hunter Alex Haynes has described, "very few people [squashing bugs for bounties] even earn more than a pest control worker in Mississippi."

Yes, really. Here's why.

The highs are high (and the lows are low)

The thing that gets hackers hungry for bug bounties is the dopamine (and five-figure cash) rush when they spend just a few minutes hunting for bugs, find one, report it, and seemingly get "money for nothing." The problem is this rarely happens for most people.

Even when it does, Haynes said, there are all sorts of reasons that finding a bug doesn't equate to finding riches:

  • Duplicates: "This is one of the recurring frustrations in bug bounties--by virtue of the fact that other people are looking at the same stuff as you, not only do they have the audacity to find the same vulnerabilities as you, but they can also find them before you."

  • Mini Bounties: "'You averted the apocalypse. Here's $100.' While it is common to find smaller companies not affording big payouts, it's also commonplace for companies that should have big payouts, but don't."

  • Reneging on payouts: "You find a vulnerability, the asset is in scope, it's valid but the company claims it was a mistake. This will usually enrage you further when you return later and they went ahead and fixed the bug anyway."

  • Weird rules (aka "Synack"): Instead of rewarding the first person to find the vulnerability, "it rewards the first person to find a vulnerability that also writes a 13-page essay as a proof of concept. So you can't just write 'Paste this URL into your browser to see the XSS' you have to break it down into seven steps (I kid you not) with step one being 'Open your browser' (still not kidding)."

  • Slow payments: "Sometimes you can wait weeks and months for your bug to be triaged, and even longer for it to be rewarded."

And more, including haggling over whether serious vulnerabilities are viewed or treated as such by the company paying out bounties. The hacker is somewhat at the mercy of the companies paying out the bounties, without much leverage to ensure she gets paid on time (or at all). 

And yet….

Anyone can play guitar (or hack for bounties)

When I asked HackerOne CEO Marten Mickos last year about what makes bug bounties worthwhile, he pointed to the significant money many hackers make. But he also insisted that this wasn't the most important aspect of such programs. Instead, he said, bug bounties create "opportunity democratized across the entire globe." 

Yes, the few make much more than the many, but this isn't surprising. Those who are most experienced will tend to make more, but the opportunity to gain that experience (and make more money) is always there.

Meanwhile, Mickos said, "Super smart people who are fully engaged in cybersecurity work in their spare time to hunt for vulnerabilities, report them, and help others explain how it was done. The security of the company in question improves. The overall understanding of this type of vulnerability increases in the industry." It's a virtuous cycle, one that should make our software and systems more secure, even as a rising number of hackers get paid for their troubles. (And, as Haynes makes clear, there are real troubles that need to be ironed out.)

Disclosure: I work for AWS, but nothing herein relates directly or indirectly to my work there.