I recently wrote about the Cyber Security Staffing Shortage, and how it meant good things for those interested in careers in cyber security. Here is another - potentially quite lucrative - opportunity: bounty hunter.
I'm not talking about the bounty hunters you see in movies or television shows, though. I'm talking about bug finders. You see, companies pay money to people who find bugs (especially bugs that can lead to cyber security vulnerabilities) in software and web sites. Sometimes the money can be substantial! CNBC reported that some bug bounty hunters can earn over $500,000 a year...
Where Is The Money?
Just last year (2008) the US AirForce paid out around $130,000 to hackers as part of a "Hack The Air Force" competition. Only 30 hackers participated, but they collectively found 120 bugs in about a month. That's not too shabby. It also tells me you have more opportunity to find bugs than it might seem.
Shopping giant Shopify paid a $25,000 reward to a researcher who found a bug with their system last year. They have reportedly paid over $1 million in bug bounties! Again, more opportunities for you to earn.
You might think that by now such bugs and their associated bounties might be rare, but clearly, that isn't the case. Sure, some of the issues can be based on a lack of proper training for software developers, while others can be based on the cyber security staffing shortage. But a big part of the issue is that software is so complex and many interactions are not fully understood.
Today many developers use complex databases, payment gateways, virtual machines, and other back-end tools from multiple sources. The actions are at best complex. Tools to model the interactions are often so complex that developers eschew their use.
Ideally, code reviews and pre-deployment testing would find the issues before code was developed and deployed (and they often do!), but that is seldom enough. The bounty programs provide a direct incentive for people to test the applications and be rewarded in the process.
How Do I Get Started?
If you are interested in cyber security-related bug bounties, the best starts are to learn penetration testing and potentially become a Certified Ethical Hacker (CEH). Learning Tree offers a Penetration Testing course, as well as a CEH exam prep class.
A good next step is to learn as much as you can about the flaws already found and to possibly talk with companies in the bug bounty space. Three of note are Bugcrowd, BugFinders, and HackerOne. (I have no experience or contact with either, and I'm just mentioning them here to help get your research started.)
The final step is to keep up with the bug bounty "industry". Keeping current is essential in virtually every discipline and this is no different. Read the trade press. Follow the bounty companies. Maybe even see what opportunities your employer (if you are employed) has in this space.
I hope you can help make us more secure by finding vulnerabilities and getting paid to do so.
To your safe computing,