Hi guys (and gals)… I’ve been in security for 20 years now and have been doing penetration testing for a few years. I never got into bug hunting but I’m now interested. My question is if it’s really even worth getting into it. There seems to be so much competition that I would think finding a bug would be a long shot… I was looking at some lesser popular companies here and on hackerone and like each one had 100-200+ people in the program. How can someone late to the party even get close to competing with that many people?
That kinda de-motivates me right there… LOL.
Let me start by saying, I have no technical background whatsoever (I am an Oral Pathologist!) and have never been so motivated to start with bug bounty hunting. It's just been 3 months, and I am learning and in fact participating in programs at the same time. It is extremely frustrating when I keep poking things around for hours together to find nothing. Competition is in every field, and I think we should give ourselves sufficient time to learn and practice without giving up. With time and sufficient expertise, given you have put in some solid hours of work and practice, competition would not be in your mind. Also, given the fact that you have been in the security field for so many years, please don't be demotivated. Of course, this is my opinion and hopefully it would withstand the test of time and I would abide by this opinion I have given you today. Cheers and all the very best! Start hacking!
I am in a similar position as you are - a few years in application security including pentesting.
I have decided to try bug hunting. I started off by being very enthusiastic, but quickly became demotivated. If you are ok with spending a lot of time and effort to do research, find a bug, compile a report just to be told that that bug has already been found by someone else but not yet fixed (which you kinda have to take their word for) - then sure go for it. For me the experience has been pretty frustrating. This might be good value for the companies to have a crowd hacking their sites - however I find it very unfair and disrespectful of researchers' time to have to chase something - which has already been found - and you don't know that!
Yes, there is an OPTIONAL program that bugcrowd has which companies may choose to adopt, where they have the option to disclose some of the bugs that were fixed. I think it is a good step forward, however it's optional and so not many choose to adopt. And even if adopted, companies would not disclose bugs unless they've been fixed - and in many cases that can drag on based on their business priorities - so you are still in the dark.
So, if you have a lot of time on your hands which you don't mind wasting, go ahead. I suppose this can be beneficial to learn and practice ethical hacking. But since you are already a seasoned professional - I don't know if that would be of any value to you. If you still decide to try - my advice is to forget about the low hanging fruit and concentrate on more difficult to find bugs and keep your fingers crossed you are the first one.
For me - I decided that I just cannot be motivated to look for bugs when I don’t know if they were already found or not.
It depends on your expectations and your goals. If you want to make money, but you already have a salary above USD 100k per year, maybe bug bounties are a waste of time.
About the competition: ignore it.
The previous two responses are on point, I think.
It seems worth it to me. I’m new to bug bounties too and all you can do is keep trying.
Hey there. I know this is an older post but I just wanted to say, like anything, if you enjoy doing it for free, then you will more than likely enjoy doing it for money.
But if you are in it strictly for the money and don't have a passion for PCs or programming or IT in general, then you probably won't like spending hours researching and looking for bugs.
For me it started out just working on and putting together older computers and then I built a few newer, more powerful systems without even really knowing the inner workings. Eventually I was like "Hmm, I wonder how these things actually work", which with more learning just got me more and more interested and eventually led me to Linux and then recently to this website.
I've been finding it super fun to learn about all this stuff as well as brushing up on my programming language knowledge and would keep doing it even if there wasn't any prospect of money. So I figured I might as well try to earn some on a more formal site like this!
Hope everyone is having a great day!
I'm kinda brand new to Bug Bounty Hunting. I have had a hobby-level interest in computer security for some time, but I only recently got into the hunting. And it is fun for me - I haven't found anything yet but I'm enjoying looking.
That’s the thing for me - it’s a hobby, fun, not a money-making venture. As for competition, I’m looking mostly at programs that don’t reward with money but only kudos. I think fewer hunters are on those programs. And if I do find anything, the kudos will make me more attractive to the people who run the invitation-only programs, which will lead to money rewards if I keep at it.
So do it, for fun rather than money. Some people make money for sure. But who cares? One day I might find a serious problem that will lead to more lucrative contacts. But in the meantime keep it as a bit of fun. Don't expect dollars from heaven.
Good attitude and spot on - start with programs that are old, managed by the platform (in this case, bugcrowd) and that don't pay out; that way your chances of finding non-duplicates are much higher. And yes, doing it for money is redundant since if you have the skillset you can make more just working as a pentester (not to mention you're paid even if you don't find bugs!).