How bug bounties are fueling hacker entrepreneurs

SAN FRANCISCO—You could call it a hacker gold rush. Maybe the tail end of it; maybe not. For a diverse range of tinkering hacker entrepreneurs eager to sift through mounds of code in search of potentially lucrative software vulnerabilities, bug bounties present a Wild West of opportunity.

Well, maybe not so wild anymore. While the prospects of striking it rich have long convinced fresh-faced hackers to dive into bug bounties like an all-consuming startup, they also serve as a suitable side hustle for hunters like Jesse Kinser, who already juggles a full-time cybersecurity job and motherhood.

Sitting in a conference room at the headquarters for bug bounty management platform Bugcrowd here, Kinser says hunting for bugs has helped her become a better cybersecurity professional. As the director of product security at LifeOmic Health, a cloud services company based in Indianapolis, she focuses daily on the defensive side of cybersecurity. Participating in bug bounties gives her a taste of the offensive side, plus the potential for significant winnings.

“The day job pays the bills and keeps the lights on. With the bug bounties, I invest in myself,” she says. Using bounty payouts, Kinser recently traded her Tesla S for a “fully loaded” Tesla 3. She cautions, however, that “luck is a huge part” of her success.

Bug bounties have been translating into big payouts for eager hackers since the 1990s. And the opportunities are still growing. Google has awarded hackers more than $15 million since starting its bug bounty program in 2010, $3.4 million of which it paid in 2018 alone. In July, it raised its payouts for vulnerabilities hackers discover in its Android and Chrome operating systems, as well as its Web services, to $15,000 from $5,000. And it bumped its “high-quality report” upper limit from $15,000 to $30,000—nearly the entire sticker price for a base-model Tesla 3.

Apple, meanwhile, began offering a bug bounty for iPhone vulnerabilities to the general public in August, reversing its longtime practice of vetting each bug hunter. The potential payout for discovering a vulnerability? Up to $1.5 million.

As the bug bounty business continues to mature, with tech giants running their own bounties, and companies such as Bugcrowd and HackerOne helping organizations well beyond the tech industry manage bounties and vulnerability disclosure agreements, the bounties themselves present opportunities for profit and business skill development. For Kinser, the payouts provide supplementary income; for others, bug bounties are everything.

Three years ago, Sam Curry quit his job at a Dairy Queen in Omaha, Neb., after he more than doubled his biweekly income with a bug bounty payout. Now, at 19 years old, Curry is a full-time bug hunter. He made headlines in July about a bug he uncovered after a rock cracked the windshield of his Tesla 3. Tesla’s payout was $10,000.

“My second year doing bug bounty work, I made $100,000,” he says. As a recent high-school graduate lacking formal cybersecurity training, he says he pressured himself into getting a job in the more traditional cybersecurity field of application security. Alas, the stability didn’t appeal to him, and he says he was learning more (and working less) as a bug hunter.

Curry says his bug-hunting experience is preparing him for a long career in cybersecurity. “I have to be able to negotiate,” he says, while developing a skill set and “presenting myself as comfortable working with people. I have to understand how to work with clients.”

Working productively (and profitably) with organizations you are actively trying to compromise is indeed an acquired skill. A key challenge hacker entrepreneurs face is a “dark side” of the very skill set that makes them excellent hackers, says Adrian Ludwig, chief information security officer at software services company Atlassian.

A “willingness and proclivity to not accept [a security claim] at face value” is an important hacking skill, he explains. But in the corporate world, success requires nuance. “Collaboration is how you scale a business,” he says. “Skepticism ends up being a big obstacle.”

Integrating interpersonal skills with a hacker mind-set is essential to the success of any hacker entrepreneur, says Casey Ellis, Bugcrowd’s founder, chief technology officer, and chairman. That required blend of skills is redefining the hacker stereotype away from the counter-cultural.

“Taking other people’s stuff and tearing it apart is difficult,” he says. He describes the obstacles that entrepreneurs and bug hunters face as “similar.”

“Everybody who’s a bug hunter is an entrepreneur,” he says. “It’s the same for building a business as it is trying to break into a network.”

Correction, September 16 at 9:43 a.m. PST: A previous version of this story misidentified Casey Ellis’ role at Bugcrowd. He is the CTO.