Bug hunting is a lucrative pastime that can potentially earn cybersecurity professionals thousands of dollars for finding just one vulnerability in a website or application. But it’s not just the financial rewards that make bug hunting a valuable activity for those in the cybersecurity field. The skills and experience gained from bug hunting can help professionals grow and advance their careers.
Vickie Li, a senior security engineer at grocery delivery service Instacart, started out as a college student when she found and reported her first bug, a low-severity vulnerability on a social media platform. The bounty was $100, but the thrill of seeing the security team triage and fix a flaw she had discovered on a website she used daily was priceless. Li became hooked and kept hacking, eventually becoming a full-fledged security researcher who has reported vulnerabilities to major enterprises, including Starbucks, Facebook, and Yelp.
In her book, Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities, Li aims to teach aspiring ethical hackers how to become a bug bounty hunter. Here, she shares some advice on how to get started in bug hunting, how to choose a bug bounty program, and which asset types are best for beginners.
Breaking into bug bounties is becoming more difficult, says Li. When looking at popular programs on bug bounty platforms like HackerOne and Bugcrowd, there is a lot of competition. It can be frustrating because you really need to have some early success and positive feedback to keep you going. “Try to see bug bounty hunting as a starting point and as a learning experience, instead of the be-all, end-all,” she advises.
Li suggests not focusing on the money at first. “Instead, focus on gaining skills and building a reputation by hacking on nonpaying programs,” she suggests. While many people want to do bug bounties to earn money, it is very difficult if you do not have the knowledge or skills to find bugs in popular programs. So the key is to build up your skills in nonpaying or charity programs first and then move on to bigger programs. Plus, it can lead to other opportunities, such as landing a side job doing technical writing for a bug bounty platform or even getting some penetration testing contracts.
When choosing a bug bounty program, besides the popularity of the program and the amount of competition you are likely to face, Li advises considering response times. “Try to find a program that will give you feedback right away so you don’t have to wait several weeks just to know whether your submission was valid or not,” she suggests. It is also helpful to find a program that devotes time to helping researchers learn. Some engineers are passionate about security and will discuss bugs with you and explain why something is valid or not, as well as how you can improve your skills and find better bugs in the future.
Using bug bounty platforms has pros and cons, according to Li. On the plus side, if you build up your reputation points on the platforms, you can get noticed and invited to private programs that are less crowded and have less competition. Also, using a bug bounty platform can expose you to a lot of different areas of cybersecurity. On the downside, though, there is a lot of competition, particularly in public programs, and it can be hard to get traction in the beginning.
As for which asset type is generally best for beginners, Li says to choose whichever type you have experience with. If you have experience building something, you will have a better understanding of what kind of security issues could manifest in that type of application or product. For those with no experience, web applications have the lowest barrier to entry into the bug bounty world and also make a good starting point from which to explore other asset types.
For those who hit a dry spell when bug hunting, Li suggests thinking of it as a learning experience and trying to learn a new bug type to hunt. Step back, shift your focus, learn something new, clear your mind a little bit, and then come back to whatever you are working on. Even when not actively finding bugs, hunting and trying to improve your process is a good learning experience that can eventually lead to a successful career in cybersecurity.