Bug bounty hunters score big dollars and the boom's only just begun

What are you waiting for?

"I would recommend it to anyone," says Mark Litchfield, a security industry veteran who runs the in-house bounty program Bug Bounty HQ. "It is a fantastic entry point into security." In a phone call from his home in Las Vegas, Nevada, the former NCC co-founder says he has made about US$500,000 in bug bounties since February 2014.

The leading HackerOne point scorer reckons he has made some US$350,000 on that program alone, with another US$120,000 from Paypal and US$15,000 each from Google and Bugcrowd. "It clearly pays all my bills," he says.

The money seems easy. In December, the British ex-pat set a goal "over a couple of Heinekens" to make US$50,000 in a month and finished on New Year's Day with US$47,000 from Paypal, Yahoo!, and Bugcrowd. He was paid US$9,000 four days later, but only because staff responsible for making payments took a holiday.

Litchfield has been in the security game for decades. While in London at the turn of the century he and brother David sold their company Cerberus Information Security which they started in 1993 to the burgeoning high profile consultancy @stake, later bought by Symantec. The following year the brothers would set up NGS Software and run the company until it was bought out in 2008 by NCC.

He is now thoroughly invested in bug bounties. Most of the cash he scores in the programs is tipped into Bug Bounty HQ, a platform designed as a just-add-water framework for businesses wanting roll out internal bounty programs. As he puts it he is "a bug hunter who is using bug bounty money to build a bug bounty platform for the bug hunting community".

This reporter has heard of hackers who have used the cash to set up instant investments. One US bug seeker has purchased a house just from the winnings. Another twenty-something has tipped $100,000 into a share portfolio using only bounty money.

Hackers in India, Egypt, and Africa now represent enjoy the lion's share of Google's bug bounty payments and have lifted themselves and their families out of poverty, industry sources reckon; in one account Mumbai parents had dreamed the proverbial dream of their son as a lawyer only to find their financial liberation would come from his successes as a bug hunter.

While Litchfield and others largely chase bug bounty coin, most vulnerability disclosures are handed over for free, with researchers receiving only a word of thanks, a reputation boost, or a tee-shirt from companies nursing the old Netscape mindset.

One Brazil-based researcher known by his hacker handle "Brute" submitted thousands of mostly simple but dangerous cross-site scripting bugs through the XSSposed bug platform over the course of last year. While he has since stopped, his efforts scored him a job at consultancy Sucuri. Brute says the effort helped him learn about the security field while he ran a university tech department, and had benefited small companies receiving the reports which otherwise would lack the resources to identify the vulnerabilities.

"I started to submit XSS to XSSposed to learn about security," Brute says. "I only used a browser and simple bash scripts to find random targets." That method made him the most prolific bug reporter on the platform - which housed hundreds of active benevolent researchers.

Bang for buck or bounty bubble?

It's been five years since Google launched what would become one of the most lucrative public bug bounties. Two weeks ago the technology deity announced it had paid out US$6m in bounties to researchers from across the world since the Vulnerability Rewards Program began. with an average of US$1.2 million paid out a year. That stepped up to more than $2m over 2015. The largest payment was US$37,500.

Facebook last week announced it has paid out US$4.2m in bugs since 2011, or some US$860,000 a year. Microsoft has handed over US$500,000 since September 2014, including top bounties worth US$100,000. Since their inception in 2012 managed bounty programs Bugcrowd has paid out about US$1.4m while HackerOne has handed out some US$6m or a whopping US$1.4m a year.

The money fountain may seem to sceptics like signs of an excited tech sector where the big players are more interested in showboating and public relations than extracting the best bang for bug buck: Certainly Google's $7337 ("l33t") bug bounty prize seems like a figure more rooted in cultivating hacker credibility than on some boring return on investment model.

Roll your own or buy ready made?

Yet it is difficult to find bug bounty critics. This reporter asked the companies paying out the most expensive bugs for comment including Google, Yahoo!, Facebook, and Microsoft, along with other lucrative private bounties by major consumer IT sectors, but all either declined or did not respond.

Security analyst James Turner says businesses need to set bounties according to their individual risk appetite. Turner rates bug bounties an important security tool and a necessity for businesses running high-value internet-facing assets, like money-making apps and websites. "The value of a bug bounty is directly proportional to the importance of the asset," Turner says. "But businesses will need to determine that value in their own right."

There are plenty of businesses in the Antipodes and elsewhere that fit Turner's bug bounty bill; airlines, technology and services, and telecommunications are but a few among those that have millions of customers who would potentially leave for rival firms if a major breach or outage occurred in the absence of security testing. "These businesses need to make sure their interfaces with their customers are resilient and reliable," he says, quoting Bugcrowd founder Casey Ellis that "nothing sobers up an engineer like realising a 14-year-old hacked you".

Ellis brewed Bugcrowd in sunny Sydney but took the idea to the startup capital of San Francisco for a successful run at venture capital funding. The organisation has risen quickly to dominate the managed bug bounty space alongside bounty service HackerOne. For all its success and for all the bounty cash, however, Ellis says having the many eyes of white hat hackers looking for holes is critical to the security online business. "Honestly, we are screwed if we don't do this," Ellis says referring to the role of bounties in filling the shortage of security penetration testing talent. "Bug bounties are more than just wanting to run a hacker program to look cool."

Bugcrowd runs programs where hackers compete in public, private, short and longer term bounties vying to be the first to report the most valuable bugs. He says these bounties can attract return-on-investment up to three to five times the total payment in terms of both the number and severity of bugs reported. "Security has gone from a thing that we had to bang our heads on the wall to get people to care about to something where you can talk about it at dinner and not necessarily be the geek," Ellis says. "And that puts pressure on the execs to invest in it."

Katie Moussouris says bounty programs have become well-oiled with private bounties gaining better signal to noise ratios for more severe bugs and higher quality reports. "There's been a boom of bug bounties between 2010 and 2013," says the HackerOne chief policy officer. "High profiles companies are doing them." Moussouris has been in the security industry since about 1997 hopping through @stake and Symantec to climb the Microsoft hacking rungs where she launched its first paid bug bounty program, and wrote its vulnerability disclosure policy.

She says organisations should gain an understanding of the worth of vulnerabilities according to their own risk appetites while market rates exist. They should also build out security wings noting that are bounties do not operate in isolation and require businesses have enough resources and skills to fix the vulnerabilities that come in should return on investment be achieved.

Forming a bounty scheme that resonates with the hacker mindset will further increase submissions, and therefore profit. This means easy registration processes for bug hunters, straightforward disclosure agreements, and the ability for hackers to retain their intellectual property. "Mature organisations aren't afraid of bug bounties and of vulnerability disclosure after a patch has been applied," she says. "It's a powerful way to demonstrate security."

Next month hackers will compete in Pwn2Own, in Vancouver, Canada, showcasing zero-day exploits against the world's most popular consumer software. Google and Microsoft are shelling out to be one of a list of big sponsors for an event in which their own browsers are up on the hacking target list. Bug hunters there will be surely courted by zero-day exploit brokers like Zerodium which offers US$1 million iOS bounties.

Golden outlook?

The bug bounty boom is one of the biggest changes to the information security business in recent years. It has been an effective advertisement to penetration testing, both elevating the benefit of having corporate assets hacked to executives while also in attracting new hackers to the field.

Those in the bug game and more broadly across the security sector reckon the impressive payouts are sustainable and will continue as bugs keep falling out of code.

So too does Ridlinghafer. "I mean, what a frickin' idiot," Ridlinghafer says of his decision to exit the then infant bug bounty world. "I wish I'd stayed put, maybe I'd be a billionaire by now."

Security professionals have told this reporter they intend to jump on the bug bounty bandwagon to supplement their paychecks. It is unsurprising; corporate hackers and penetration testers can access a vast income stream by merely applying their existing skills to after-hours work. "The second they realise how much money we are making, it's going to get crowded," hacker Wakelam says. "If I'm making three times the amount of money guys are making with 15 years more experience than I am, there's a problem there – and they need to adapt." ®