More than anything, Sergey Toshin wanted to gun a Ford Mustang up and down an American highway. It was a bold ambition for the cash-strapped programmer, but Toshin had a solution. “Bug bounty,” he thought, “is the way to fix the problem.”
Bug bounties are prizes offered in exchange for discovering cybersecurity flaws and are an increasingly popular way for organisations to crowdsource penetration testing. Toshin had been introduced to the concept by colleagues at a cybersecurity firm where he worked part-time. These men and women, he says, claimed bug bounty hunting was supplementing their income by as much as $5,000 a month. So, he tried it.
To begin with, Toshin had little success. “I got 95% of my bug bounty reports rejected,” he recalls. Privately, Toshin despaired as his reputation tanked on the leaderboard of HackerOne, one of the most prominent bug bounty platforms. “I think it’s my character [that when] I fail, I feel I cannot do anything, but after a week or two weeks, I think, ‘No, I can – stop thinking in that way!’” he says. When, in his mind, Toshin linked his forthcoming US road trip to the success of his bug bounty hunting, his luck started to turn: one by one, his reports began to be confirmed. “The highest bug bounty pay-out was $3,000,” he recalls. “I got multiple of them. And, of course, I had a good trip.”
It wasn’t until Google expanded its list of bug bounty programs in 2019 that Toshin contemplated becoming a full-time bug bounty hunter. “It was summer, I was at a bar,” he recalls. After stepping outside for a smoke, Toshin read the news from Google with glee. “I thought, ‘I’m going to be rich.’” He was right. Toshin claims to have earned up to $900,000 in total from Google bug bounties alone – enough to fund the creation of his own security start-up without any seed money.
Stories like Toshin’s are increasingly common. Once a niche area of cybersecurity, bug bounties are exploding, with organisations large and small running programs to root out the flaws in their code. “Right now, even small companies run their own bug bounties,” says Toshin. “There’s a much bigger space to find vulnerabilities.” That has led to a rise of 143% in the number of bounty hunters looking for prizes since 2018, according to one recent survey.
Many of these hackers eye an opportunity to get rich quick. The reality, however, is much harder and riskier, not only for the bounty hunters but also the companies issuing the prizes. For new entrants, the race up the leaderboards of bounty middlemen sites like HackerOne and Bugcrowd is as much a path to burnout and crossing ethical lines as it is to striking gold. And for software vendors offering bounties, making late and low payments risks provoking the ire of the hunters.
The invention of bug bounty programs
For as long as there has been software, there have been bugs – as researchers at Harvard University discovered in 1947, when they found a dead moth short-circuiting their brand new supercomputer. Thereafter, sifting through code to spot vulnerabilities became part of the job description for your typical in-house programmer. The idea of offering prizes for this work to outsiders, however, didn’t occur until 1983, when software firm Hunter & Ready offered a Volkswagen Beetle to anyone who could spot flaws in its operating system.
It would take another decade for the concept to go mainstream with Mozilla’s Security Bug Bounty Program. The logic of outsourcing penetration testing was simple, says Lucas Adamski, then director of security engineering at the non-profit. “The strength of any security system, to me, is simply a function of how many smart, motivated people have looked at it over a period of time,” he recently told Decipher. “That’s it. It’s got nothing to do with who wrote it.”
It’s also a cost-effective measure, says bug bounty hunter Justin Gardner. “The ROI is great, in my opinion, for the companies,” says Gardner. Occasionally, a well-crafted bounty program will reveal a potentially catastrophic bug. He cites a case in which he and hacker Sam Curry successfully penetrated a Starbucks customer database containing 100 million records. “That vulnerability would have cost Starbucks millions” had a malicious hacker discovered it, he says.
Gardner’s own path into bug bounty hunting was circuitous, beginning with an encounter with celebrity hacker Tommy ‘dawgyg’ de Vos (“He’s all tatted up, has his hat on sideways, and walks up to me and he’s like, ‘Yo, have you tried this new type of exploit ever on these lab computers?’” recalls Gardner, who hadn’t and didn’t.) Like Toshin, Gardner spent several years in steady programming jobs before he started to hunt bounties full-time. He quickly learned how much commitment is needed to turn an occasionally lucrative side-hustle into a career.
“There’s really two main phases,” explains Gardner. The first involves acquiring the relevant expertise in penetration testing, through tutorials and articles, and then the necessary programs to go bug hunting (most bug bounty hunters use application security testing software called Burp Suite or Caido.) The second is coming to terms with the fact that it still takes an inordinately long time to find those bugs. “As a hacker, you’re failing the whole time because people’s job is to prevent you from doing what you want to do,” says Gardner.
Occupational hazards for bug bounty hunters
This high failure rate, combined with the variable quality of bounty programs, means that most hunters remain part-time. But even these hackers, says Clément Domingo, should be wary of burnout. In his time bug hunting in France and Africa, Domingo has known hunters who have become so obsessed that “they forget to see their friends, their family,” he says. “We don’t talk a lot about this point [in] bug bounty.”
Some thrive off this lifestyle of late nights and hustling. For his part, Gardner values the freedom and generous income that accompany bug hunting, which has paid off his student loans and allowed him to move to Japan with his wife. Nevertheless, he concedes, “it’s not easy”. At the very least, he’s seen bug hunters throw in the towel and return to a normal nine-to-five job. For others, though, “their self-worth plummets, because they’re like, ‘Man, I can’t do this. I’m nothing.’ And this whole piece of their identity starts to wither away.”
It is not just work-life balance that demands discipline on the part of bounty hunters. Would-be hunters should sign up to a basic code of conduct, says Gardner: namely, reporting bugs in good time to official bounty programs. Anything else can quickly lead to ethical lines being crossed, he says, as in the case of individuals who contact companies claiming that they have found a critical vulnerability and demand payment.
Most of these cases of so-called ‘beg bounties’ can be safely ignored, Gardner says. Not only is uninvited penetration testing illegal, but more often than not these are con artists who are “trying to really report low- to no-impact vulnerabilities in the hope of getting money,” he explains.
Conversely, those who are reporting critical bugs with no expectation of payment should probably be given a fair hearing and not be treated as criminals (58% of ethical hackers do not disclose vulnerabilities to companies if there isn’t a clear avenue to do so, according to Bugcrowd.) Both Gardner and Domingo cite the case of a journalist in Missouri, who was threatened with prosecution for revealing how a website listing teachers' credentials was also inadvertently leaking their social security numbers. “Those situations,” says Gardner, “are so sad to see.”
The risks of running a bug bounty program
Bug bounty programs are also risky for the companies offering prizes if they are poorly executed. Awards for critical bugs can run into the tens of thousands of dollars, but the bread and butter for most full-time bounty hunters are the ‘medium’ and ‘low’ vulnerabilities that pay in the hundreds or low thousands. Acceding to this pricing structure should always be accompanied by quick triaging of the bug and payment by in-house IT departments, explains Domingo, signs that the relationship is built on mutual respect. “All of that points toward a good program,” he says. “It will just put you in a position to find more bugs [for them], because you know that people at the site will care about what you’re doing.”
Badly-run programs – of which there are many, according to Gardner and Domingo – carry additional risks to the companies hosting them. Late and low payments, as well as poor communications, may lead hackers to contemplate selling vulnerabilities they’ve discovered to the highest bidder. “The piece about people getting pissed and disclosing stuff? You’re always going to deal with that,” says Gardner. “Hackers, as a group, can be a little bit moody sometimes.”
Gardner’s advice to companies contemplating a new bug bounty program is simple: “try not to be a jerk” to the people trying to patch your systems. That’s sometimes easier said than done, he acknowledges. “It often happens that [IT departments] can be overwhelmed,” says Gardner. Although he’s only seen a handful of cases of hackers passing on vulnerabilities to third parties, there are nonetheless “ways to stave that off from the company side.”
Automation sophistication
Not everyone is convinced that bug bounties are an effective guarantee of secure code. “[It] is rather convenient for software vendors to transfer the liability of eliminating vulnerabilities in their products to bug hunters, who are much cheaper than maintaining dedicated security personnel,” wrote Oleg Brodt, chief innovation officer at Ben Gurion University’s cybersecurity research division, earlier this year – a dangerous prospect for the companies buying that software.
Gardner treats this argument with scepticism, reasoning that most companies just wouldn’t buy software that would cost thousands in bounties to fix. Neither does he think that the trend of automating vulnerability detection among certain hackers will result in the eventual end of the profession. “There are some amazing programmers and hackers out there that are doing a phenomenal job with that,” he says, citing the example of Eric Head, better known as ‘todayisnew.’ “He’s on the top of the HackerOne leaderboard every month, and has been for years…all he does is external attack surface monitoring and automation.” Nevertheless, Gardner thinks that successfully hunting bugs is as much down to human creativity as it is the tools that they’re using.
Even for those hunters lacking these capabilities, Gardner says new bounty opportunities are appearing everywhere, from unearthing AI biases for social media giants (earlier this year, Twitter ran a bug bounty to detect bias in its image cropping feature) to the vast, untamed wilderness of smart contracts in the crypto-verse. “Almost everything on Ethereum is open source, so it’s really easy for attackers to go in, read code and find bugs.”
For Toshin, the most lucrative area remains mobile apps, which in his opinion are easier than websites to decompile and read for vulnerabilities. In 2020, Toshin used the proceeds from his bug bounties to self-fund Oversecured, a start-up that offers automated vulnerability scanning services for those looking for bugs in iOS and Android applications. “Right now, we have a few European banks and multiple cybersecurity consultant companies,” he says, plus a couple of bug hunters.
The demands of running Oversecured mean that Toshin has now largely abandoned bug bounty hunting. That’s not to say he’s been deprived of new and strange insights into the profession. When Oversecured launched, Toshin priced each scan at $10, reasoning that that would capture the market for hunters looking for vulnerabilities at scale. “But nobody used it,” he says. Toshin then raised the price to $250, and sales surged. As such, he says, it’s probable that people don’t believe the marketing material about the scanner. In the wild west of bug bounty hunting, “they believe the prices.”