Bug bounty programs have been an established method of reporting security vulnerabilities to companies for several years now.
Despite quality assurance in software development, the networking of individual components and the constantly increasing complexity of systems repeatedly produce error conditions that can lead to a complete takeover by an attacker.
Bug bounty programs were created several years ago to put the expertise and skills of security researchers to use in an orderly fashion and thereby increase the quality of software and hardware. The researchers have the official permission of the companies offering bounties, and thus legal cover, to analyze their systems. Vulnerabilities that have been identified and reported go through a quality assurance process and are paid for accordingly.
However, these analysts aren’t paid for their working hours, but only for the results. This also distinguishes the world of bug bounties from a classically commissioned penetration test. Even if a vulnerability is valid, if it’s already been reported by someone else, there’s no remuneration. You can imagine how grueling it is to proudly report a vulnerability after hours or days of analysis, only to receive the response that the vulnerability has already been reported by someone else. But even if there’s no money to be won, it can be quite an interesting task to legally check real systems for vulnerabilities.
Large companies like Google and Microsoft run their own bug bounty programs. As a hacker, you report a vulnerability directly to the company. Before you start any testing activity, make sure that you actually have the appropriate permission for it.
We will deal here primarily with programs operated by an entity interposed between the client and the security researcher. The security analyst typically doesn’t come into direct contact with the target company; all coordination and quality assurance are handled by the bug bounty platform.
The two largest providers, based in the US, are HackerOne and Bugcrowd. Founded in 2012, HackerOne is the world’s largest platform with more than 1 million registered users. HackerOne crossed the threshold of $100 million paid out in bounties in 2020.
Some platforms are also operated in Europe: Intigriti in the Netherlands and YesWeHack from France are currently the largest platforms in Europe. The companies offer similar services.
The following list offers links to those companies as well as to an extensive list of other providers:
If you register as an interested researcher on one of the numerous platforms, different programs become available to you. However, not all programs are visible to every user; you must first qualify for special programs. When you start out, only a number of public programs are visible to you. Most of these belong to established companies that have been active for years. Because of the large number of testers working on these programs, the chance of finding a new vulnerability there is relatively low. Nevertheless, large companies add new subsystems every day, and these may in turn contain new gaps.
Not all programs pay bounties for identified vulnerabilities. In vulnerability disclosure programs (VDPs), vulnerability reports are accepted, but you don’t receive any money as a reward; in some cases, points are awarded instead. For starters, we recommend a VDP for finding your first vulnerabilities, because the lack of financial rewards means the competition there is lower than in well-paid programs.
If you’ve found a security vulnerability in your search, are the first person to report it, and the report has also been accepted, then you can be proud of yourself: you are now a member of the bug bounty community. With your first accepted report, you’ve shown that you are to be taken seriously. From this point on, you’ll receive invitations to other, private programs. In private programs, the competition is also high, but the invited hacker community is smaller, which increases your chances of finding a vulnerability.
So-called on-demand programs are a special type: you’ll receive an invitation with a scheduled launch time, at which time a small group of testers will be unleashed on the program. Here the chance is very high that you’ll get a hit.
Other programs not only have a limited number of invited users, but also a limited budget. Typical sizes are $15,000 to $20,000 and a term of one to two weeks. At the end of the test period, the program is closed and the budget is allocated based on the individual findings.
The bounty for a vulnerability depends on the program and the criticality of the gap. For example, Bugcrowd rates findings from P1 (very critical) to P5 (informational), and bounties are usually paid only for P1 to P4 or P1 to P2 gaps. HackerOne, on the other hand, rates vulnerabilities according to the Common Vulnerability Scoring System (CVSS).
So how much is actually paid for a security gap? The following listing of bounties is from an average program on Bugcrowd:
- P1, $2,000–$3,000
- P2, $1,000–$1,500
- P3, $300–$500
- P4, $50–$100
Critical vulnerabilities like those in P1 or P2 categories are rewarded quite well. Occasionally there are extra awards ($10,000 to $20,000) for particularly relevant findings. Platforms also like to publish the findings with top rewards to increase the attractiveness of a program.
Critical P1 vulnerabilities include SQL injection, remote code execution, command injection, and hard-coded passwords. One typical P2 bug is a stored-XSS vulnerability. One P4 bug could be the lack of invalidation of a session after logout. The exact assignment of vulnerabilities for Bugcrowd to classes P1 to P5 can be found at https://bugcrowd.com/vulnerability-rating-taxonomy. This also allows you to optimize the direction of your vulnerability analysis according to the potential return.
The first bug bounty millionaire on HackerOne was Santiago Lopez from Argentina, who was only 19 at the time. He reportedly found an enormous number of rather lower-rated vulnerabilities as early as 2019 through a high degree of automation. Since then, other researchers have also crossed the bounty threshold of one million dollars.
Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.