I’ve been weighing up my options and am thinking of going freelance to do both contract-based work and bug bounties a bit more full-time.
Is anyone willing to share any tips, things that have worked for them or ideas for maintaining a steady flow of work? Any input would be appreciated. This info could help others, as I’ve seen the question appear on IRC a few times.
maK,
I feel like bug bounty work is not as steady and reliable as it used to be. I’d focus more on doing contract-based work and use bug bounties to score a few extra bucks a month. One of the things that always helps me is looking for patterns. I have given a few talks about this in the past, due to the fact that in some cases an attack vector or a vulnerability might be exploitable on different applications/subdomains or even different programs.
@Nahamsec: I’d be interested in hearing how bug bounty work isn’t as steady as it used to be with bounties appearing everywhere. I understand the reliable part, because we don’t know which new bounties will actually pay or not, but that’s sorta off-topic for this thread.
@planetzuda
By not being steady I meant: you don’t know if you are getting paid, and if you are you don’t know when the payment is going to happen due to the fact that it all depends on the patch and when it is deployed. It’s also not steady, because there may be times when there aren’t any new/good paying programs out there or you may not be able to find something new (duplicates or just getting stuck).
Having your own circle of clients might be better. Bug bounties have not become the “best” way to make money. Within only the last year, the number of Bugcrowd researchers has increased 3x, meaning that it has become more difficult for both researchers and companies to keep up with submissions. Besides that, most start-up companies’ budgets for security aren’t enough for receiving professional work.
That’s my opinion, and I hope this helps!
My main tip is that it feels really scary to be walking the tightrope without a net, until you do it and realize that if you pass the POC||GTFO test there’s literally an unlimited supply of freelance work out there.
The hardest part is balancing the business pieces (i.e. finding new clients, billing clients, getting referrals, managing expectations) with actual billable work. Finding a good practice management platform (I used to use Freshbooks back in the day) and getting comfortable with it right now will save you a crap tonne of time.
Thanks for the input folks, it’s interesting hearing the different perspectives.
The way I see it, I’d only need 2 or 3 days of contract work a month to earn what I’m on working full-time as a consultant, which seems easily achievable.
The past 4 months I’ve made pretty close to what I’ve earned working in a full time position only through doing the bounties on the weekend and maybe an hour here and there.
Going freelance seems like it could free up a lot of my time to do more bounties, which I think may pay off. I suppose it really is just a matter of trying it while I have savings and seeing if it works.
@nahamsec I agree there aren’t a lot of new public bounties, but there is a steady flow of non-public bounties. Everyone should avoid bounties that don’t patch quickly or pay before they fix the issue, not because of profit but because customers need the patch ASAP.
Have about 6 months in the kitty to live off of when things go south… stock away 20% of what you make for the ‘legal fund’… or go befriend some starving law school students. They may not be good now, but all you need them for at this point is contracts – grow that friendship – and their respect, and down the road when you need them for litigation they will either be there for you, or know somebody that can help you in a pinch… I’d say only about 20% of going freelance is actually the work – the other 80% is trying to secure the next gig and keep the food on the table, and the lights on. Don’t hire employees until you absolutely have to – and even then, take on 1099 until legally you can’t (California is weird about that shit) – always pay taxes…