As we soon start to close out this year, one of the common
themes that you will keep hearing about, even going well into next year, is the lack
of Cyber workers. I have written about this
before, and in fact, I have an eBook that will be coming out on this very topic
next year.
The problem is that it is not a shortage of people . . .
there are plenty of people out there, but hiring managers are extremely picky
in who they want to hire. Anyways, this
eBook will address this issue.
But there is one area of Cyber that continues to become red
hot, and in fact, there is no shortage of workers, believe it or not. What am I talking about? I am talking about becoming a Bug Bounty
Hunter. No, this is not the stuff you
see on TV.
But this is for real.
For the most part, organizations, if they can afford it, will try to
hire what is known as a “Threat Researcher”.
These are individuals who are tasked with researching all
of the intel their company gets, and who try to research, or project, what future
threat variants could look like. Of
course, they do not go at this alone; they have other tools at their disposal,
such as AI and ML.
But now, they may have a companion at their side that could
give them some serious competition, depending upon how you look at it.
And these are the Bounty Hunters. This is essentially where a
large technology firm, such as Microsoft, Oracle, Google, etc., will soon put out a new product or service release. But before that happens, they of course want
to know what all of the bugs are before it hits production.
In an effort to do this, these companies offer large sums of
money for any vulnerabilities that are found, as well as the remediative steps
that need to be taken.
These payouts to the Bounty Hunters can be quite lucrative;
take into account these earnings:
*GitLab: Between $20,000 - $35,000;
*Microsoft: $100,000;
*Google: $132,500;
*Atlassian: $10,000.
Wow, IMHO, these are some very nice payouts. One of the biggest advantages of a Bug Bounty
Program is that it encourages all, who have the skills, to hack the systems,
and see where the weaknesses are.
Of course, there is a background check that is conducted
before the payout is made just to be sure that the Bounty Hunter is ethical,
not some sort of Cyberattacker who is going to funnel their earnings to launch future
attacks.
In fact, the interest in Bug Bounty Programs has increased this
year, and is only expected to keep doing so going into 2022. Consider these stats:
*There has been an overall 65% increase in the total number
of vulnerabilities and remediative solutions submitted;
*Microsoft has a total of 17 different Bug Bounty Programs,
in which 1,200+ reports were submitted by Bounty Hunters.
Now, although one may be attracted to this new kind of work
because of the large payouts, keep in mind that it is a lot harder to get in
reality. For example, these big tech
companies do not select who the Bug Bounty Hunters will be. Rather, they put out an advertisement of
sorts, and everybody in the hacking community is invited to participate.
So by the time you get to it, it is quite possible that you
may be in competition with hundreds of other hackers, all at the same time. Second, since the identities of the Bounty
Hunters are not given out until the payout is made, it is quite possible that
there could be multiple hackers working on finding a resolution to the same
bug(s).
The key here is who submits the best remediative plan to fix
the issue.
Also, there is a deadline in which to submit the findings
and solutions. These tech giants will of
course take their own sweet time to go over each one, in great detail, to see
who deserves the payout. Thus, it can
take quite some time before any sort of payouts are actually made.
Most Bounty Hunters tend to go after what is known as the “low
hanging fruit” first.
These are simply the easiest of the vulnerabilities that can
be found, and because of that, the challenges become even greater to find the
harder-to-detect ones. This could prove
to be a boon to those who are more patient, as the payouts in these circumstances
tend to be much higher.
Also, as the obstacles become greater, the competition will obviously
become much less.
When you have actually discovered a major bug, simply writing
a document on it and writing up how to correct it is not enough. Most of these tech companies want an extremely
detailed and formal write up, which includes some of the following:
*How did you discover the bug in the first place;
*Detail as to the exact steps that you took to get to that bug;
*The tools that you used to discover it;
*If you worked as part of a team, or if this was purely an individual effort;
*Excruciating details on the remediative steps to be taken to resolve the bug.
Each of these tech companies will probably have their own
format for you to follow. The bottom line
is that they are interested in the detail.
Obviously, the more detail you can provide, the more it will separate you from the rest of
the competition in getting the payout.
But these tech companies are still trying to find the right
balance of how to attract the Bounty Hunters and keep them
engaged. Some of them even believe that
a higher payout may not be the complete solution either.
My Thoughts On This
So you want to become a Bounty Hunter now? Keep in mind that it is not for
everybody. It takes a very analytical mind
and an individual with great software coding skills to become successful at
it. And remember, it is a gradual
process.
Most Bounty Hunters did not get the highest payouts after
the first discoveries, but over time, as they built up their skills, they
received more, if their submitted reports were selected as the finalist.
Also, it takes a lot of time to become a Bounty Hunter. It
could even be years till you get your first payout. But as you can see, the financial rewards
could be well worth it, if you have a lot of patience and commitment.
Heck, if you really are interested in this line of Cyber
work, you may even want to reach out to a Bug Bounty recruiter, who could probably
get you your first few projects (I think they exist). Or you could even partner up with other friends
to start your brand-new venture in this Cyber industry.