Bug bounty programs are growing in popularity worldwide. But what are they really about? Can anyone become a bug bounty hunter? Cybersecurity consultant by day, bounty hunter by night – Nixu’s cybersecurity expert Tomi lets us in on the secrets of bug bounty hunting.
Voluntarily allowing hackers to attack your organization’s systems may not sound like the best idea, but it is actually one of the most efficient ways to improve an organization’s cybersecurity. Bug bounty programs, in which organizations let anonymous white hat hackers search for vulnerabilities in their software, play a crucial part in the security testing of big global companies. Behemoths such as Google, Facebook, Verizon and Microsoft routinely organize or join bug bounty programs with stellar results. There’s no such thing as a free lunch, of course: in the biggest programs, a single bounty can run from 50,000 to 100,000 dollars.
"Sounds like easy money, but it really isn’t. The skills and time you need to put into the hunt are something else. Let’s just say that I won’t be quitting my day job any time soon," Tomi says.
Tomi is a bug hunter. He spends his days keeping the digital society running at Nixu and his nights finding bugs in various programs. When asked why he would devote his free time to what some might call a second profession, Tomi doesn’t have to think long.
"I just love the sport of it: the excitement of hunting down something which doesn’t yet exist, chaining multiple bugs for an even bigger business impact, and finally writing the final report about it all is intriguing. I constantly get to learn and develop my professional skills. And of course, there’s the possibility of rewards, but personally, I enjoy the Hall of Fame credits and swag more. And don’t get me wrong, I love to get bounties too!"
One instrument in an orchestra
Although anyone could theoretically start one, the organizations running their own programs are usually bigger, more established and better-prepared security-wise than an average business. One way for smaller companies to get in on the action is to join a bug bounty platform, an online marketplace connecting clients and hackers. The bigger ones, like HackerOne, have more than 300,000 researchers.
Before companies take the leap, however, Tomi has a few well-informed tips for those interested in the programs:
"When you join, you need to be ready for it. There are some rather sad examples of companies taking a real hit after not being fully prepared for being exploited. Not a pretty sight, I assure you."
Nevertheless, for the prepared ones, bug bounty programs are a good way to put an organization’s security to the test. To top it off, they’re more affordable than people might think.
"From the company’s side, bug bounty hunting is actually pretty cost-effective because you only pay for valuable findings. The rewards are determined by the potential business impact that could have happened if someone with ill intentions had found the bug. If you think about it, the rewards are a small price to pay for avoiding the risk."
Still, despite their many advantages, it should be kept in mind that bug bounty programs are not a substitute for traditional security testing:
"They all go under one security umbrella. Bug bounty programs are just one instrument in the orchestra and a good way to complement the mix of security operations. The added value bug hunters can bring is the mass: the more eyes you have, the better you are covered. Accordingly, a big mass of bug researchers can produce a lot of time- and energy-consuming ‘false positive’ reports of minor observations with no real business impact. Either way, with bug bounty programs, you need to both keep your eyes open and your mind sharp."
Nixu also encourages its employees to develop their personal skills through off-hours bug bounty hunting: when a Nixuan is rewarded in a bug bounty program, he or she gets an extra reward from Nixu as well.
Interested in working with one of the top cybersecurity experts in the field? Check out our open positions here: https://nixu.verismohr.com/jobs