Starving IT researcher? Sniff out bugs for cash
The first ever bug bounty program was launched in 1983. The prize for finding a bug in the software? A Volkswagen Beetle (a bug – geddit?). Such is the pressure on software firms to produce vulnerability-free code that they will offer cash rewards to white hat security researchers who can find and report flaws. Bug-hunting has become an industry, and anyone with the right smarts can try for a slice of the bug bounty pie.
Not only software companies offer rewards for finding bugs. In 2016 the US Department of Defense invited the world to ‘Hack the Pentagon’. Over the three-week bug bounty program, 138 unique valid reports were submitted and the Pentagon paid out a total of $71,200 to the hackers involved.
Dedicated vulnerability hunters can build careers in this industry, or simply supplement their incomes. To the enthusiastic IT researcher, the satisfaction of finding a bug in Facebook or Google is likely to outweigh any financial return – but there’s cash to be had. So how do you do it? Where do you find bounties? How do you stay out of legal trouble? How successful can a good researcher be at this game?
A new offering from security professional Troy Hunt introduces you to the world of bug bounties. More of an informal talk than a course, Play By Play: Bug Bounties for Researchers involves Mr Hunt and industry friend Casey Ellis discussing the ins and outs of entering the fray as a bug hunter. At just 36 minutes it’s very digestible, and joins many more of Mr Hunt’s IT security courses on technology learning platform Pluralsight.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security, and creator of Have I Been Pwned?, the data breach notification service used by millions of nervous web users.