Bug bounty is one of the hot topics nowadays. If you are actively following cybersecurity people on social networks (especially Twitter), you have probably noticed this. Once in a while you see that one person or another found a high severity vulnerability and was rewarded with a significant bug bounty.
On the other hand, this is pretty rare. Many people are participating, but only a few are succeeding.
So how promising are bug bounties? Is it just a way to kill your time without earning anything, or is it a legitimate way to make a living?
I guess it is something in between. At least that’s my opinion. But out of curiosity and for learning purposes, I’ve decided to try it myself.
That’s why I am starting a 160-hour bug bounty challenge.
This is an introductory blog post explaining my motivation and goals. I will update my progress periodically, and you could expect the next article after about a week or two. In my next post, I will talk about the targets I’ve worked with and what strategies I’ve used.
I’ve had this idea for a while.
There is a popular opinion that by participating in bug bounties you are free to decide how much you work, and when you work. Even though I have a very realistic view of bug bounties and I understand that only a few make a living from it (compared to the many who are trying), I wanted to check if this is true.
I am not dreaming of becoming a full time bug bounty hunter, as it has some drawbacks that I am not keen on (I’ve explained them in my other article). But of course, earning some pocket money would not hurt.
The reason why I am really going to do this is to become a better penetration tester and to grow my skills.
So, I will be dedicating part of my free time to searching for bugs.
I know this will not be easy mentally, as I will be doing this in my free time, so every hour spent will be a significant personal contribution to this challenge. Also, being a bug bounty hunter is similar to being a professional poker player – it requires discipline and a specific mindset.
Goals of the Challenge
I probably spent more time than needed planning and strategizing how I am going to execute this. Looking back now, it would have been wiser just to jump into bug bounties.
Anyway, this is what I want to achieve:
- Understand the potential RoI of bug bounty hunting with my current skill set (time spent vs money earned)
- Learn a lot. As I can work on anything I want, I can choose the targets where I will learn the most.
- Have bugs found under my name that I could add to my portfolio. Being employed at a company, I can’t disclose my accomplishments to the public (because of the NDA). But having publicly disclosed vulnerabilities would benefit my career in the future, as I will be able to add them to my portfolio.
- Give back to the community by documenting my journey on my blog. I would be happy if my journey inspires at least one person to start participating in bug bounties.
Some other things that I want to emphasize:
Financial goals: I have none. By setting financial goals I would put myself under unnecessary stress. This would have a negative impact on my productivity, and I would potentially miss the opportunity to learn from interesting targets (“this one does not pay that much, I should not pay attention to the program”).
Challenge duration: 160h. This number is not based on anything specific. But I believe that in order to see some results you need to spend some time on the craft. After some time, e.g. after 160 hours, you can draw a conclusion. 160h equals working for a whole month full-time (8 hours a day, 20 days a month). So, it is interesting to investigate what can be achieved in a month.
When I am going to hunt: “at night”. Well, maybe not literally. I am aware of the possibility of burnout when doing this after my 9-5 job. So, I will try to spend at most a couple of hours each working day, and will hack for a little longer during the weekends.
Platform: Intigriti. While there are many different platforms out there, I’ve decided to start on Intigriti. Even though I am not very familiar with it, I like the platform. I also expect there to be less competition compared to HackerOne or other bigger players.
I am going to spend some time on one program, try all the things I know and can, then move to another one after a while (after 5h, 20h, 40h, etc. This really depends on the size of the target).
What I mean by “trying everything I know”:
- Using open source recon tools and scanners
- Checking for IDORs and other OWASP vulnerabilities
- Using OWASP checklists and assessing functionality manually
- Executing other security checks relevant to the target
Nothing too fancy.
I could go with one of two approaches:
- Choose one type of vulnerability and look for it on different targets that are in scope of the vulnerability disclosure programs.
- Choose a target and thoroughly look for different types of vulnerabilities
As I am heavily focused on learning in this project, I will be focusing on testing different targets. So I will do my best with my current skills and knowledge. Of course, reading vulnerability disclosure reports will be a part of the journey, but I will try to spend as much time hands on as possible.
As an example – if I’ve found that the target is using an Oracle database, I won’t spend day after day reading everything about Oracle database configuration; I will rather check if the software is up-to-date and, if not, what the known vulnerabilities are and how they can be exploited.
I started my career 3 years ago, when I was still at university (I finished IT studies at Vilnius University). I got a job at a company creating custom software. At the beginning of my career I was working part time as a QA, but at the same time I was learning penetration testing.
So, right now I have almost 3 years of experience working as a penetration tester, and I am working with different clients of our company. During my career I’ve mostly performed penetration tests for web applications. However, once in a while I have to perform internal penetration testing.
I am not a superstar pentester, and during day to day testing I often rely on commercial tools (so, my manual pentesting skills are not at a high level), but I am not a newbie either. I still have so much to learn, and I consider my knowledge average at most.
Why Making a Full Time Living From Bug Bounties Is Not My Goal
First of all, I find it highly unrealistic that I will be able to earn the same while bug bounty hunting as I am earning being employed as a 9-5 penetration tester. There aren’t many people doing bug bounties full time instead of the traditional 9-5.
I would be happy to disprove this. But in order to earn while doing bug bounties full time you have to constantly deliver. And if you are a 9-5 worker you get paid for the hours. So, it means you are also being paid for participation in the useless meetings and working with the dull documentation.
Also, the beginning of bug bounty hunting is hard. There is a lot to learn and there is a lot of competition. Even if I manage to find vulnerabilities, I have to be faster than the others to get paid.
And of course, the cost of living in Lithuania, where I am based, is not very low. It is not as high as in Western countries, but far higher than in some countries, such as Pakistan or India, where you could potentially make better money from bug bounties than from a 9-5 job at a local IT company.
Another reason why I am not thinking about going full-time on bug bounties, is that I want to keep it fun. And the easiest way to start hating your hobby, is to do it full time.
Even though I will not be looking at financial numbers while doing this, I expect this to pay off in the long term. I will be building a skillset and creating a track record of bug bounties. With solid knowledge that I can prove, I will be able to progress my career. Certificates, blogs, bug bounties – everything helps you to stand out from the competition. I strongly advise you to work on your side projects if you want to progress your career.
Part Time Bug Bounties vs Full Time Bug Bounties
Let’s start with the advantages of spending your whole time on bug bounties:
- You learn at a fast pace. As you can choose which vulnerability disclosure programs to work on, you can learn dozens of things along the way. You can test different systems with various tech stacks and use different testing tools and methodologies.
Disadvantages of the full time bug bounty hunting:
- If you are thinking of doing this instead of a “normal” 9-5 job, you are facing an unstable income. This can be pretty stressful, as you do not know if your effort will get rewarded. You might not find anything after spending a month on a target, or your findings might be rejected as duplicates.
- Chance of burning out. This is a serious problem not only for cybersecurity professionals, but for other professions too. However, cybersecurity specialists often face the chance of burning out. If you spend day after day searching for vulnerabilities, which is a pretty technical job, you might soon face the consequences.
What are the advantages of doing bug bounty hunting part time:
- If you are doing this in your free time, you are not restricted to anything and you can have an open and well rested mind. Bug bounty hunting for 2 hours each day might be beneficial compared to the grind of 8h+. You might be more creative and have better ideas during split sessions on different days. Different things, such as your mood and level of energy, are huge success factors. And while you are sitting on the same task for a prolonged period of time, being creative might be harder. On the other hand, if you are digging to find one specific vulnerability, focused and undisturbed time might be better than 4 separate sessions.
As this is a public challenge, I am going to periodically release updates. I have not decided how frequently I am going to share my progress, but I will try to write every 20-40 hours spent on bug bounty hunting (of course, if anything major happens, more frequently).
I am also not sure how long the journey will take. But I believe it will take at least a few months, as the 160h is not calendar time, but the actual time spent working. So, maybe some weeks I will not feel like doing it and will spend only 10 hours. But some other weeks I might dedicate more time to this.
What I promise you is that I will not step back and I will finish the challenge.
Wish me luck!
Update no. 1 – https://bughacking.com/bug-bounty-challenge-update-1/
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general) and blogging. I am experienced in vulnerability assessments, penetration testing and various security audits, and have worked with various clients, most of them in the finance sector.
CompTIA Security+, CEH, CEH Practical, CEH Master, and OSCP certified.
2 thoughts on “The 160 Hours Bug Bounty Hunting Challenge”
Looking forward to how this goes
You got this!