Big money for small effort? 4 common bug bounty hunting myths busted

May 16, 2019 at 12:19

Bug bounty programs have proven to be a great addition to an organization’s cybersecurity palette. Yet, the concept is still rather unknown and faces a lot of prejudice. Is ‘bug bounty hunter’ just a nice new name for a hacker with good intentions? Are bug hunters stealing security consultants’ jobs? Our very own Cyber Security Consultant Joosua Santasalo is ready to break some common misconceptions about bug bounty hunting.


Last time, we introduced you to bug bounty programs and discussed why some companies voluntarily engage in programs where hackers attack their systems to find vulnerabilities. Today, we’re talking with Joosua Santasalo, who took up bug bounty hunting out of pure curiosity last fall. For him, it’s all about capitalizing on your know-how.

With hours of hard work under his belt and some big rewards to show for it, he’s just the man to tell us what it’s really like to be a bug bounty hunter. So Joosua, let’s bust some myths!

Myth #1: Bug bounty hunting is easy money and thus the hunters are all rich.

“I wish! With only 20 percent of hackers being full-time, that’s not really the case. Of course, the better you are the more money you make – and depending on where you live you might even make a living out of it. But for most of us, it’s more like a hobby. Successful bug bounty hunting takes huge amounts of motivation and patience, and still you can end up finding nothing at all. It’s not easy money, but worth a shot if you have the skills, the resources and the hunger for it.”

Myth #2: Bug bounty programs can replace companies’ existing security operations.

“So wrong. Even if you have a massive number of hunters, you cannot secure your whole operation because bug bounty programs only cover one area of security. Thus, conventional security operations still play a crucial role in the game. Think of the iceberg metaphor: with bug bounty hunting you can conquer the tip, but you still need traditional cybersecurity to manage everything that happens under the waves.”

Myth #3: Hackers cannot be trusted.

“If hackers couldn’t be trusted, bug bounty programs would not exist. The whole idea behind the programs is to prevent vulnerabilities from destroying businesses by compensating white hat hackers for finding and reporting the back doors to companies’ assets. But then again, bug bounty hunters are people too, and like people we come in all shapes and sizes. If you ask me, dividing hackers into good and bad is unnecessary. People have different motivations, and you can conclude a lot from the way a person behaves. Even if the result is good, you cannot draw any conclusions about the actor.”

Myth #4: Entering a bug bounty program is costly.

“Depends on the way you look at it. The compensation is determined by the real-life business impact of the vulnerability; the bigger the impact, the greater the compensation. In my opinion, the rewards are a small price to pay for avoiding the risk of anyone misusing the found logic failure. In traditional penetration testing, a company pays for the actual procedure regardless of the result. In comparison, with bug bounty programs you only pay for what you get, which is the verified vulnerabilities. However, you shouldn’t think of the two as rival approaches but more like complementary ways of securing your systems.”

Nixu encourages its employees to develop their personal skills, also in the form of off-time bug bounty hunting. When a Nixuan is rewarded in a bug bounty competition, he or she gets an extra reward from Nixu as well.

Interested in working with one of the top cybersecurity experts in the field? Check out our open positions here:
