October 2022 E-Newsletter

Demystifying Bug Bounty Hunting

WRITTEN BY

Abunsango, Oluseye CISA, CIA, FCCA.

Technology Audit Manager, PwC UK

OCTOBER 2022

Introduction

What comes to your mind when you hear bug bounty hunter? Do you envision a person hiding in a dark bunker, wearing a hood, in front of a black screen, typing incomprehensible lines of codes and causing untold damage to computer systems?

Well, hold the thought and decide if you are correct by the time you are done reading this article.

We will review who bug bounty hunters are, their role within the Infosec community, the rewards, challenges, and how you can get started.


Who are bug bounty hunters?

Bug bounty hunters are individuals who are very knowledgeable and highly skilled in cybersecurity and experienced in finding flaws and vulnerabilities within applications and other technological infrastructure. They are also known as security researchers.

Hunters participate in bug bounty programs where they receive rewards for discovering vulnerabilities. How much they receive depends on the criticality of the identified vulnerability (Bugbounter, 2022).

Why are they needed?

An intelligent approach to managing the inherent risk in using technology is to control the discovery and exploitation of vulnerabilities in your systems rather than leaving them to malicious attackers. The mechanism for doing this is a bug bounty program.

A bug bounty program could be open to everyone registered on the platform or by invitation to specific researchers. It can also be “open season”, where you can test for any potential vulnerability in the organization’s attack surface. Sometimes it is specific: certain applications and web pages are considered “in scope”, and the vulnerabilities the testers may and may not test for are specified (Hacker_Edu, 2022).

The relationship is, therefore, mutually beneficial for the companies and individual hackers, with both working together to secure the web for all.

Rewards of bug bounty hunting

There are several rewards for both researchers and companies who participate in bug bounty programs.

The primary benefit to companies is that their digital platforms can be continually tested. They can therefore improve the quality and security of their platforms on the go while avoiding significant damages associated with security incidents. Other benefits include flexibility and control over the testing process at reasonable costs and detailed bug reports that enable infrastructure owners to prioritize and fix bugs (Stardust CTG Group, n.d.).

For individuals in cybersecurity, bug bounty hunting offers a way out of the constraints of formal employment. Hunters earn between $50 and $20,000 per bug in crowdsourced programs such as HackerOne. Some hackers make more than $1m in a year or two (HackerOne, 2020). So, it is up to you how much you earn in a year. You can work around your schedule and are more in control of your time and results.

Another advantage for the individual is that your confidence and skills increase as you participate in and get further exposure to these programs. Other intangible benefits include having more time for social engagement, family and friends, which cannot be quantified monetarily.


Photo credit: threatpost.com

Challenges of bug bounty hunting

Like other human endeavours, bug bounty hunting has challenges, and it is critical to understand them before jumping in. First, it might be difficult to find the high criticality bug with a juicy payout because you are competing with the best brains worldwide. Therefore, before depending on this to keep food on the table, it is critical to have a realistic assessment of one’s skill level, what a realistic earning level could be like and if this is sufficient to sustain you (Skelton, 2022).

Another challenge is that you require training and upskilling to be successful. This does not come cheap and is time-consuming. This investment needs to be made up-front and along the way. Like any investment, there is pressure to make a profitable return on your investment (Skelton, 2022).

It is important to touch on the issue of mental health too. Strong mental resilience and self-awareness are critical due to the sheer amount of failure hackers experience before making successful discoveries. The successes are the tip of the proverbial iceberg, whereas the bulk of the failure is unseen. For many, this has resulted in stress, anxiety, depression, panic attacks and sadly in some cases, suicide (Chloé M, 2020).

For organizations, participating in a program does not automatically fix discovered bugs. They, therefore, must invest in an internal system of securing their infrastructure and view the program as an additional layer of protection designed to find vulnerabilities (Securebug, 2021).

Getting started

There is no right or wrong way to approach this because the learning curve will vary for each individual as a function of their education, skill level and experience. The following are helpful pointers:

  1. Start by learning the fundamentals of computer networks and web technologies; a decent knowledge of both is necessary for getting started with bug bounty hunting.
  2. Learn web application security measures and hacking techniques.
  3. Practice on deliberately vulnerable applications like bWAPP, DVWA, SQLol, and OWASP WebGoat.
  4. Register on bug bounty programs like those of Google, Microsoft, Facebook, HackerOne, Intigriti, etc. (GeeksforGeeks, 2021).
  5. Follow top hunters and learn from them (Dabhi, 2020).

Conclusion

So, who do you think a bug bounty hunter is? I hope I have successfully changed that image in your mind. Yes, these security researchers are valuable members of the infosec community who make the web safe for all of us every day. Are you inclined to make this a career? I wish you the very best!

References

Bugbounter. (2022, February 22). What Is Bug Bounty Hunt? What Does A Bug Bounty Hunter Do? Retrieved from Bugbounter: https://bugbounter.com/blog/2022/02/22/what-is-bug-bounty-hunt/

Chloé M, R. L. (2020, May 9). BSidesSF 2020 - Panel: Mental Health for Hackers. Retrieved from Youtube: https://www.youtube.com/watch?v=raH7tRy8M7g

Dabhi, P. (2020, May 1). How to Get Started into Bug Bounty | Complete Beginner Guide. Retrieved from InfoSec Write-ups: https://infosecwriteups.com/how-to-get-started-into-bug-bounty-1be52b3064e0

GeeksforGeeks. (2021, June 24). How to Get Started With Bug Bounty? Retrieved from https://www.geeksforgeeks.org/how-to-get-started-with-bug-bounty/

Hacker_Edu. (2022, June). What Are Bug Bounty Programs, And Why Are They Becoming So Popular? Retrieved from https://www.hackedu.com/blog/what-are-bug-bounty-programs-and-why-are-they-becoming-so-popular

HackerOne. (2020, January 25). Retrieved from Twitter: https://twitter.com/Hacker0x01/status/1220867783610847233

Securebug. (2021, August 16). Bug Bounty Programs: Benefits and Challenges. Retrieved from https://securebug.se/blog/bug-bounty-programs-benefits-and-challenges/

Skelton, M. (2022, May 18). The Shocking Truth You May Not Know About Being A Full-Time Bug Hunter. Retrieved from Bugcrowd: https://www.bugcrowd.com/blog/the-shocking-truth-you-may-not-know-about-being-a-full-time-bug-hunter/

Stardust CTG Group. (n.d.). 4 BENEFITS OF A FUNCTIONAL BUG BOUNTY. Retrieved from https://www2.stardust-testing.com/en/4-benefits-functional-bounty-