Should you start Bug Bounty in 2021?


What is a BBP (Bug Bounty Program)?

Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also include process issues, hardware flaws, and so on.

What is a VDP (Vulnerability Disclosure Program)?

A VDP lets you hunt on a program that does not pay bounties. Once a reported vulnerability is resolved, the program allows you to publicly disclose it together with a PoC (proof of concept). These programs usually offer points and invitations to private programs, so you can then go on to hunt more programs and get onto the "hall of fame".

Why do people do Bug Bounties?

Bug bounties offer a huge range of things to gain, such as knowledge, experience, money and fame! Some people hunt for bugs because they learn something new that they thought was impossible, and that gives them a great feeling inside. Others hunt bugs for a few bucks, earning money on the side to put towards projects and other things. In some cases people hunt for the experience of testing a real-life application in real time, legally, with the hope of finding a bug and helping the company that runs that program. This gives a hacker motivation to continue hunting, and if the bug is applicable to the program they will be rewarded, which is an achievement.

Some interesting Bug Bounty Reports

xyd (saltyyolk) reported an arbitrary file read during project import to GitLab and was rewarded $16,000

rootxharsh & iamnoooob reported a 0-day to Apple that allowed them to get RCE

Yiğit Çolakoğlu (fr1nge) reported a Web Cache Poisoning issue to the U.S. Dept. of Defense

I will link some more at the end.

What others say about doing Bug Bounties

@isira_adithya says

"I am from Sri Lanka and every single dollar is a fortune for us. $50 is totally enough to live on for a month. It's fun, it's interesting and it brings a great challenge along with knowledge"

@ritiksahni22 aka Deep says

"Security should be given utmost priority. Bringing the crowd together to hack into an organization is a great way to get the awareness of security within an organization."

@Zenaker says

"Bug bounty, if not done properly, can be really risky; lots of bb hunters get into legal trouble because they don't have legal consent to perform a penetration test on a company's platform. But if done properly, and if you're good at hunting, it can be really beneficial financially and professionally"

Josh aka @Sculptor says

"#1 Is Bug Bounty worth it?

Bug Bounty will always be worth it even if you never make a penny from it. They are a valuable learning resource, letting you test live systems in a legal way, and the amount of knowledge that you can learn from the bug bounty community is overwhelming. Partaking in bug bounties will help sharpen your skills, which you can then later apply to other aspects of hacking.

#2 Why is it worth it?

The financial gain and the independence can benefit those who are dedicated individuals. This is great for people who may want to escape the idea of working a 9-5 and being stuck in an office. Bug bounties allow you to set your own schedule and work from where you want: a snowy mountain, maybe a sunny beach?

#3 Bug Bounties downfalls

Some programs have limited scope and it is very frustrating to work within this scope. You run the risk of being underpaid or not paid at all by some programs, which can be very disheartening when you have spent hours finding this bug. Recently automation has been a big controversial topic within the community; I do not see this as a threat but more as motivation to help people strive to find better bugs instead of going for low-hanging fruit.

You can get paid a lot more to do this illegally but you will be caught and is the money worth the paranoia?"

(Doing this illegally is definitely not worth it; he is telling you not to do that and to do it legally.)

Extra links/Blogs to read

Conclusion: is Bug Bounty worth it?

In my opinion, yes, and I have shown above why; there are great opportunities to be found within this line of work! It's never too late to start hunting bugs. 2021 is a great year: start hunting today!

RiotSecurityTeam announcement

I'd like to welcome @isira_adithya as an official RiotSecurityTeam member; he is a great Bug Bounty Hunter. I definitely recommend checking him out.