Inside the World of Bug Bounty Hunters
While studying computer science in college in 2012, a young software developer who goes by X3n0N started to dabble with bug bounties.
Armed with basic skills that he learned by reading online forums and articles, he tried his hand at white-hat hacking, combing through various websites for vulnerabilities and looking at web pages for user input boxes where cross-site scripting or SQL injection vulnerabilities might be lurking.
Back then, cyber attacks resulting in losses of over $1 million was only one-fourth as prevalent as today, according to the Center for Strategic and International Studies. Although now there are multiple platforms for facilitating bug bounties and a robust bug bounty community, at the time there still wasn’t a lot of infrastructure in place to support white-hat hackers, also known as ethical hackers.
X3n0N’s adventures soon earned him a lawsuit from a large internet service provider. He had come across a security vulnerability that made possible the hijacking of customer accounts, allowing him to change the bandwidth plans for any of the provider’s customers, and he had reported the vulnerability in an email to the company. The company did not have a bug bounty program in place, he said, so he had not asked them for compensation and instead just alerted them to the vulnerability and asked them to secure it.
But the company was far from grateful to receive X3n0N’s email. Pretty soon, he started to receive calls from the company’s lawyers, threatening to take him to court, he said. The whole situation found its way to the principal of his college, resulting in some “uncomfortable scenarios” for him.
Because his actions were clearly not malicious, the whole situation was soon smoothed over. His email reporting the vulnerability helped prove that his intentions were to help the internet service provider be more secure, not to profit from its insecurity. The company dropped the suit, stipulating only that he formally apologize and sign a non-disclosure agreement promising not to go public with the company’s vulnerability.
X3n0N was delighted with the experience. “I felt really, really happy and surprised,” he said. “I never expected $2,000 when I was still studying.” He was so motivated that he not only continued to pursue bug hunting, but also decided to work for Google “at least once” in his career.
The Growth of Bug Bounty Programs
These days, the landscape of hacking has changed dramatically. It’s no longer as easy to stumble across web application vulnerabilities at large internet companies. Bug bounty and bug reporting programs are more commonplace, and companies are also more open to employing the services of specialized penetration testing companies. Pen testers, as they’re called, help to locate flaws in their clients’ systems and operate like traditional consulting companies, with staff specializing in finding security vulnerabilities.
Bug bounty platforms operate differently. These platforms act more like marketplaces that allow free-agent bug bounty hunters and the companies that are interested in their services find each other. They attract companies by giving them access to a large pool of hackers, and in turn attract hackers by providing a list of companies that are willing to pay for their services. Bugcrowd launched in 2011 as the first bug bounty platform of its kind, and many other platforms quickly followed.
“If you have two people doing the assessment, you’re probably going to find more than the one person, and 500 people are going to find exponentially more than one or two individuals.”
“The crowdsource security idea is that if you do a penetration test, you’d normally have one individual doing an assessment,” said Grant McCracken, director of security operations at Bugcrowd. “If you have two people doing the assessment, you’re probably going to find more than the one person, and 500 people are going to find exponentially more than one or two individuals. So it’s taking the power of the crowd and the extensibility of the gig economy to fill the need in cybersecurity.”
It took some time for bug bounty platforms to be accepted into the mainstream. Katie Moussouris, who was the former chief policy officer of HackerOne, another early bug bounty platform, played an important role in helping to grow its program. She even successfully partnered with the famously guarded U.S. Department of Defense to set up its pilot bug bounty challenge in 2016, called Hack the Pentagon. Over a thousand hackers participated, and the government paid out roughly $75,000 for finding a total of 138 valid security vulnerabilities. The pilot was considered a successful proof of concept by the Department of Defense.
“The more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters,” said then-Defense Secretary Ash Carter after the challenge had wrapped. The pilot was subsequently followed by Hack the Army, Hack the Air Force, and Hack the Marine Corps challenges, as well as a continuing vulnerability disclosure program where anyone can report the vulnerabilities they find.
Boosted by efforts like these, and by a larger trend toward taking security precautions more seriously, ethical hacking has become more widely accepted. Bug bounty programs and the companies that hire hackers now refer to them as the more respectable-sounding “security researchers.”
This move into the mainstream has led to more people trying their hand at bug bounty hunting. Today, Bugcrowd boasts 140,000 researchers listed on its platform.
At the same time, companies are increasingly prioritizing security, which makes finding bugs more challenging. Rapid7, a consulting company that offers penetration testing services, reported in its 2019 annual survey that, when penetration testers were hired to test a company’s systems from outside the company network, they were able to break into the network only 21 percent of the time. Success attacking company websites was even more limited, resulting in total access of a company’s systems 3 percent of the time.
These numbers may seem far from the ideal zero, but are encouraging because pen testers are highly trained to break into systems. This is great news for everyone, but it does mean that the bar for successfully finding bugs — and getting paid for them — has risen in the last decade.
A Welcoming Community
Considering that bug hunting has become more difficult, with the large pool of participants and the more security-minded landscape, it’s a bit surprising how welcoming the community can be.
Wesley Wineberg has a cybersecurity background, and has been doing bug hunting for six years.
“More often than not, if I reach out to someone and ask for help or want to share some techniques, people are really open to that and quite friendly,” Wineberg said.
“If I reach out to someone and ask for help or want to share some techniques, people are really open to that and quite friendly.”
He explained that most of the vulnerabilities researchers uncover fall into a few categories, which can be found using techniques that are widely known and well documented, such as on the annual OWASP Top Ten list of most critical security vulnerabilities for web applications. Of course, that does not apply to more complex and innovative methods that researchers develop themselves.
“There is a bit of a balance. If someone’s got a technique that no one else could be using, and they’re getting tons of findings and getting paid tons of money, they’re not going to really want to share too much about that technique,” Wineberg said.
But for the most part, people are willing to help each other. Even with more people looking for bugs, there are still plenty left to go around.
“Every year, there’s more and more people doing bounties, but every year there’s more and more targets,” Wineberg said. “If someone wanted help on a target, I would assume that it’s not the same target as I’m working on this week, just because there’s so many different available ones.”
In addition to researchers learning from one another on an individual basis, there are also plenty of resources for people who are just starting out. Those learning the basics can download purposefully insecure web applications (because hacking live websites without the owners’ express permission is a federal crime), follow along on live hacking tutorials, and even play hacking games geared toward turning K-12 students into burgeoning hackers.
Another great way to learn is by reading blog posts by researchers writing about their successful exploits. After Teddy Katz was awarded a $25,000 bounty from GitHub in 2019 — at the time the highest award ever from GitHub — he posted a step-by-step explanation of how he discovered the vulnerability, which bypassed GitHub’s checks in its authorization flow.
Full-Time Bounty Hunting Is Difficult, but Rewarding
Wineberg made the switch to hunting bug bounties full time a year and a half ago, after working in the cybersecurity industry for 11 years and doing bug bounties on the side for the past six.
“In the last few years it’s really taken off, and there’s just tons of work available if you have the time to do it,” Wineberg said. “I was consistently seeing that if I spent the time I would find stuff. More often than not, time would be worth spending on the bug bounty [when I] get paid.”
When he switched, he happened to be moving and needed to look for a new job anyway, so it seemed like a good opportunity to try out doing bug bounties full-time. “I figured if it wasn’t working out I could always go job hunting again,” Wineberg said, although he hasn’t yet felt the need. “I’m really enjoying it so far.”
Every week, he picks a couple of targets to test out, usually new products that recently got launched from companies that offer bug bounty programs.
“If I find maybe a low-impact vulnerability immediately, that’s often a good sign that there’s going to be more to find.”
“I always try and look at things that are new that haven’t had bounty testing done on them before, because there’s always the most to find on those,” Wineberg said. “Usually I would do maybe half an hour of testing on a site that I’m considering, and then if it looks like it’ll be worth doing more testing, then I’ll spend a few days or a week or so, just testing that one site.... If I find maybe a low-impact vulnerability immediately, that’s often a good sign that there’s going to be more to find.”
Wineberg said he spends about a quarter of his working time reading security news and documentation of vulnerabilities that other researchers have found. This helps him keep on top of new bugs to be on the lookout for and learn about technology stacks he lacks experience navigating.
“With bug bounties, every different target you’re looking at is almost always using a slightly different set of technologies to run its website or run its systems,” he said. “Often what I’ll do is, if I come across a technology I haven’t used a lot before, I’ll go back and I’ll look for any people who have reported security issues in the past with that. I’ll read about previous problems and then either look for those and see if they apply to the target, or think of new ways that I might be able to find things.”
Some researchers also build their own tools that automate part of their process, which takes time to set up in the beginning but can be helpful down the line. Wineberg sometimes builds his own tool when he notices he’s repeating the same task, but for the most part hasn’t focused on a specific method enough to make use of automation.
“I’ve enjoyed just looking at a wide variety of things,” he said. “A whole bunch of different customers, a whole bunch of different types of vulnerabilities.”
Read the Fine Print Before Participating
Built In reached Wineberg through Synack, another platform that connects security researchers with companies that want their services. The platform pushed back against the “bug bounty” label.
“We don’t really call ourselves a bug bounty platform,” said Jay Kaplan, the CEO and co-founder of Synack. Like HackerOne and Bugcrowd, Synack is built on a model of crowdsourcing talent from independent security researchers, but its scale is not as large, and researchers are paid for some work apart from successful bug reports.
One plausible reason why Synack may not like the term is that bug bounty platforms have gotten some bad press as of late. CSO Online reported in April that companies sometimes avoid fixing reported bugs, which they know researchers can’t discuss openly because of non-disclosure agreements.
As Ars Technica reported, security researcher Varun Kakumani experienced that recently with a Netflix vulnerability he submitted through Bugcrowd’s platform. The bug he uncovered allowed anyone sharing a local network — say, a public Wi-Fi access point — with a user to access the user’s account by stealing a session cookie.
Kakumani told Ars Technica that, after he submitted the bug report to Bugcrowd, when the company was determining whether it was a valid submission before passing it on to Netflix — a process called “triage” — it was determined that the submission was invalid due to being out of scope.
With bug bounties, the client company decides which parts of the system security researchers can search for vulnerabilities in and which parts are off limits. The areas open to researchers are “in scope,” while other areas are “out of scope.” Parts of the system that are not public-facing and code that lives in third-party libraries the company doesn’t own are commonly out of scope.
Kakumani posted about the vulnerability online instead, but ended up having to take the post down because he had signed a non-disclosure agreement. A few days after the Ars Technica article published, however, Netflix realized that it had mislabeled Kakumani’s bug report and rolled out a patch.
Kakumani’s challenges illustrate a problem for bug bounty programs writ large. With scaling up, as developers well know, comes new problems. For bug bounty platforms, scaling up means that both the companies and the researchers involved are more of a mixed bag. Researchers have disparate experience levels, resulting in a large portion of low-quality submissions that still need triage — eating into the limited time bug bounty platform employees have for evaluating each submission.
At the same time, client companies need to have infrastructure in place ready to handle valid bug reports when they are submitted. If they don’t have procedures for fixing and rolling out patches, the experience isn’t helpful for them, nor is it particularly pleasant for researchers, who prefer to see the vulnerabilities they’ve found fixed instead of concealed.
Kaplan said that some companies simply aren’t robust enough to handle intensive testing across their entire systems, but that doesn’t mean they shouldn’t be able to take advantage of crowd-sourced security research in other parts of their systems.
“There are production environments that are a little bit more fragile, and when you start throwing 100 testers at that environment, it could potentially cause impact,” Kaplan said. He added that it is important to take into account the “sensitivities of [testing] with respect to the data and with respect to making sure that environment stays up and running.”
“Not every company is positioned to fix every vulnerability in an incredibly fast time frame.”
“Not every company is positioned to fix every vulnerability in an incredibly fast time frame. Some of them are not resourced enough to be able to jump on those vulnerabilities and fix them in a time frame that we as security people would agree is probably appropriate,” Kaplan said. “There are situations where there’s a backlog, and it’s going to take them several months to get to an issue.”
Synack tries to overcome the problems caused by too many submissions by limiting the pool of security researchers using their system, which currently numbers under 2,000. Kaplan said the interview process to be a security researcher on his company’s platform includes a background check and a capture-the-flag exercise where applicants have to find vulnerabilities in a live environment. Synack also pays researchers for certain tasks by unit of work performed, such as verifying vulnerabilities on client systems that automated tools caught and performing compliance checks, all of which can help to supplement security researchers’ income.
Bug Bounties Can Supplement Development Skills
Doing bug bounties can be a fun way to build more skills for developers, even if they’re just doing it on the side.
“You’re not going to make it rain with vulnerabilities and you’re probably not going to get any findings or payouts for a little while,” McCracken from Bugcrowd said. “But all that investment that you’ve put into learning security will pay off dividends in terms of your career, as well as your understanding and the way you build things and also make you know how to build more secure applications.”
“All that investment that you’ve put into learning security will pay off dividends in terms of your career, as well as your understanding and the way you build things.”
Wineberg agreed. “All groups of people can benefit a lot from this, especially if they’re doing it part time,” he said. “Full time, you need to have some consistency and some strategy and know how your payments are going to line up.”
Developers can tend to not think of the security aspect of their applications, and sometimes approaching their own applications from a security researching point of view can be beneficial.
“Developers understand their product in terms of how they intended it to function, but they often wouldn’t be testing the deployed production instance of it,” Wineberg said. “Back when I was consulting, we would work a lot with the development team. If we would find an issue, sometimes we would describe it and the developers would say, ‘No, it doesn’t work like that, that’s not going to be a problem.’”
“What we found was often if they were just given the opportunity to do some of the offensive type of testing that we’re going to do in a bug bounty against their own applications, they would come away with a bunch of issues,” Wineberg said. “It gives a lot of insight if you’re a developer as to how things are really functioning in the real world.”