Sunday, November 28, 2021

Looking For A New Career In Cyber? Become A Bug Bounty Hunter

 


As we soon start to close out this year, one of the common themes that you will keep hearing about even going well into next year is the lack of Cyber workers.  I have written about this before, and in fact, I have an eBook that will be coming out on this very topic next year.

The problem is that there is not a shortage of people . . . there are plenty of people out there, but hiring managers are extremely picky in who they want to hire.  Anyways, this eBook will address this issue.

But there is one area of Cyber that continues to become red hot, and in fact, there is no shortage of workers, believe it or not.  What am I talking about?  I am talking about becoming a Bug Bounty Hunter.  No, this is not the stuff you see on TV. 

But this is for real.  For the most part, organizations, if they can afford it, will try to hire what is known as a “Threat Researcher”. 

These are individuals who are tasked with researching all of the intel their company gets, and who try to project what future threat variants could look like.  Of course, they do not go at this alone; they have other tools at their disposal, such as AI and ML.

But now, they may have a companion at their side that could give them some serious competition, depending upon how you look at it.

And these are the Bounty Hunters. This is essentially where a large technology firm, such as Microsoft, Oracle, Google, etc.  will soon put out a new product or service release.  But before that happens, they of course want to know what all of the bugs are before it hits production. 

In an effort to do this, these companies offer large sums of money for any vulnerabilities that are found, as well as the remediative steps that need to be taken.

These payouts to the Bounty Hunters can be quite lucrative; take into account these earnings:

*GitLab:  Between $20,000 - $35,000;

*Microsoft:  $100,000;

*Google:  $132,500;

*Atlassian:  $10,000.

Wow, IMHO, these are some very nice payouts.  One of the biggest advantages of a Bug Bounty Program is that it encourages all, who have the skills, to hack the systems, and see where the weaknesses are. 

Of course, there is a background check that is conducted before the payout is made just to be sure that the Bounty Hunter is ethical, not some sort of Cyberattacker who is going to funnel their earnings to launch future attacks.

In fact, the interest in Bug Bounty Programs has increased this year, and is only expected to do so going into 2022.  Consider these stats:

*There has been an overall 65% increase in the total number of vulnerabilities and remediative solutions submitted;

*Microsoft has a total of 17 different Bug Bounty Programs, in which 1,200+ reports were submitted by Bounty Hunters.

Now, although one may be attracted to this new kind of work because of the large payouts, keep in mind that it is a lot harder to get in reality.  For example, these big tech companies do not select who the Bug Bounty Hunters will be.  Rather, they put out an advertisement of sorts, and everybody in the hacking community is invited to participate.

So by the time you get to it, it is quite possible that you may be in competition with hundreds of other hackers, all at the same time.  Second, since the identities of the Bounty Hunters are not given out until the payout is made, it is quite possible that there could be multiple hackers working on finding a resolution to the same bug(s). 

The key here is who submits the best remediative plan to fix the issue.

Also, there is a deadline in which to submit the findings and solutions.  These tech giants will of course take their own sweet time to go over each one, in great detail, to see who deserves the payout.  Thus, it can take quite some time before any sort of payouts are actually made.

Most Bounty Hunters tend to go after what is known as the “low hanging fruit” first. 

These are simply the easiest of the vulnerabilities that can be found, and because of that, the challenges become even greater to find the harder to detect ones.  This could prove to be a boon to those who are more patient, as the payouts in these circumstances tend to be much higher. 

Also, as the obstacles become greater, the competition will obviously become much less.

When you have actually discovered a major bug, simply writing a document on it and writing up on how to correct it is not enough.  Most of these tech companies want an extremely detailed and formal write up, which includes some of the following:

*How did you discover the bug in the first place;

*Detail as to the exact steps that you took to get to that bug;

*The tools that you used to discover it;

*If you worked as part of a team, or if this was purely an individual effort;

*Excruciating details on the remediative steps to be taken to resolve the bug.

Each of these tech companies will probably have their own format for you to follow.  The bottom line is that they are interested in the detail.  Obviously, the more detail you can provide, the more it will separate you from the rest of the competition in getting the payout.

But these tech companies are still trying to find the right balance of how to attract and keep engaged the interest level of the Bounty Hunters.  Some of them even believe that a higher payout may not be the complete solution either.

My Thoughts On This

So you want to become a Bounty Hunter now?  Keep in mind that it is not for everybody.  It takes a very analytical mind and an individual with great software coding skills to become successful at it.  And remember, it is a gradual process. 

Most Bounty Hunters did not get the highest payouts after the first discoveries, but over time, as they built up their skills, they received more, if their submitted reports were selected as the finalist.

Also, it takes a lot of time to become a Bounty Hunter. It could even be years till you get your first payout.  But as you can see the financial rewards could be well worth it, if you have a lot of patience and commitment. 

Heck, if you really are interested in this line of Cyber work, you may even want to reach out to a Bug Bounty recruiter, who could probably get you your first few projects (I think they exist).  Or you could even partner up with other friends to start your brand-new venture in this Cyber industry.
