How to Make Money As a Bug Hunter

Are you a programmer or white hat hacker who wants to make some money? Bug hunting can be the perfect activity for you.

What is Bug Bounty Hunting?

Bug bounty hunting means getting paid to search for vulnerabilities in software, websites and web applications. Large companies' security teams do not have the time or manpower to fix all the bugs they have, so they turn to private contractors for help. Basically, you use your tools to break things (or hack things), file a vulnerability report with the company that offered the bounty, and then you get paid. Some hackers make tens of thousands of dollars a year looking for bugs.

However, to do this, you need to have at least some basic programming and computer skills. Luckily, we have tons of great resources to help you get started, and programming is fairly easy to learn on your own. However, if you don't understand what this all means while you read, bug hunting is probably not for you.

Do a little research and get your tools

Once you have mastered the basics of coding, you need to dive deeply into web applications and how they work. Luckily for you, there are tons of great resources to point you in the right direction. Start by reading:

Then get the right tools. You’ll need:

Then, take a look at the OWASP WebGoat Lab, where you can practice finding bugs and vulnerabilities in web applications, and at Google Bughunter University. They have a lot of great information about finding bugs and about writing reliable vulnerability reports that get you paid. Sites like Bugcrowd and HackerOne can also help with this.

Find Bug Bounty Lists and Go Hunting

Once you are armed with the knowledge and the right tools, you are ready to look for bugs so they can be fixed. Companies often have a link somewhere on their website offering bug bounties, but these can be hard to find. You are better off checking the bulletin boards where hackers read publicly disclosed vulnerability reports and where the lists of active bounties are updated daily. Like this:

HackerOne also offers disclosure assistance, where a hacker can report any vulnerability to any organization. Even if an organization does not have a vulnerability program, HackerOne can contact it and deliver the report. It is also helpful to join a bug hunter community forum, such as the sites listed above, so you can keep up to date with new bounties and tools of the trade. To hunt for bugs, you also need to be willing to learn constantly as you go. Web apps and bug finding tools are constantly being updated, so you need to stay current if you want to do it right.

Update: A HackerOne spokesperson has reached out to us to acknowledge their “Disclosure Assistance” program. The text above has been updated with this information.
