Bug Bounty Platforms are a Scam [Mostly]

8 months ago

HackthePlanet - A Hacker's Blog.

[Image: A researcher finding his 50th duplicate. Copyright: Google Images]

I know the title of this blog post may sound vitriolic or even bombastic. However, I do feel that it’s justified — stick with me for a few minutes and let me try to explain why. There are fundamental elements of the bug bounty platform industry which are broken. It’s important that those who are either inexperienced, or those who idealize this working arrangement, understand the truth behind the glamorous “I made a million hacking in 4 months” YouTube promotional b-s and the other snake oil salesmen telling hackers they can be millionaires by buying their courses, learning the ropes and getting onto these platforms. Question: if they’re making so much cash from bounties, then why are they pumping out content on YouTube to supplement their income? Smells like bulls**t, doesn’t it?

So what are Bug Bounty Platforms?

In essence, they are an intermediary between companies looking to bolster their security posture and those in the cybersecurity industry who wish to use their ethical hacking skills to make money or increase their visibility within the online hacking community. Bug bounty programs are offered by businesses in either a public (anyone can join) or private (certain criteria must be met) format. Hackers/bug bounty hunters then put their skills to the test, find bugs and report them. From here the reports are sent to a triage team to be verified, and if the bug has met the criteria for impact, and it’s the first time it has been reported, then the bug hunter gets a reward, from $300 to $20,000 or more depending on how serious the impact of the bug is to the company in question.

Sounds good, doesn’t it? So, what’s the problem with this model? Turns out, a lot.

There are numerous issues surrounding bug bounties for hackers, and I will discuss what I think are the major ones below (there are more, but these have the biggest impact).

0 — Financial — on Bugcrowd (a popular BB platform) less than 3% of the hackers ever get paid. I can’t imagine that that number is much higher on other platforms offering similar programs. So over 96% of hackers are just wasting their time.

1 — Scope — companies are notorious for either changing scope or writing it ambiguously, so that hackers waste a lot of time looking at endpoints which, even if demonstrated to be vulnerable, will not lead to a payout (but the company can still read all of these reports for free, how convenient).

Let me share a personal example: on my last bug bounty program (private, large commercial retailer) they advised that 3rd-party systems were out of scope. 2 lines later they mentioned that 3rd-party systems without a proof of concept were out of scope. So, which is it? It turns out that this company had integrated over 90% of their online system with 3rd-party systems, which had never been secured, and everything had just been left on default settings. I submitted a proof of concept for hijacking their web sockets — which allowed me to escalate privilege to an admin user and access user conversations — yet none of these findings were accepted.

Then there are the ever-expanding lists of what cannot be accepted. These lists usually fill a screen and include some of the most impactful bugs, ones which could damage the confidentiality, integrity and availability (C-I-A) of an organization. The same program from above had deemed XSS out of scope, yet when looking at their packets, none had any sort of XSS protection enabled, and most of their impactful pages (account pages etc.) were vulnerable to XSS. Spoiler alert: a genuine threat actor doesn’t care and will exploit whatever they can; therefore, aside from brute force, these lists should be very small. Why is the brief smaller than the lines and lines of out-of-scope (OOS) items in so many cases?

2 — Automation — there are so many people using automation to find low-hanging fruit on programs now (via nuclei, for example) that within hours of a program being released, the only bugs left are very advanced, niche bugs. This is fine if you’re into manual testing and love digging into the nuts and bolts of programs, but with so few people getting paid and so many duplicates being reported, is it worth your time to spend weeks or months looking deeply into programs? How much could you earn as a consultant in that time?

3 — Duplicates — no bug bounty platform (that I am aware of) shows which bugs have already been reported or submitted. This means that if you’re lucky enough to find a bug, there is a large chance someone else has too, and you’re not going to get paid. The lack of a duplicate update system just shows me that these platforms only want to have massive numbers of hackers on their platforms to exploit them, and to beef up their numbers when they give presentations to companies hoping to be selected to host their bug bounty programs.

4 — The power dynamic — all of the power lies in the hands of both the bug bounty platform and the companies operating their programs. There are no ratings hackers can apply to companies or triage members, and no way to give feedback to other hackers. As a company offering a bug bounty program, the responsibility to your shareholders is to maximize profit by any means. Do you think there is an incentive for companies to pay for services which they have already received and can loosely interpret as to whether the impact is “enough”? Let’s make a comparison. You go to a restaurant, you order the most expensive steak you can from a very skilled chef and eat it. Then you only have to pay for it if you feel it met your expectations. How many people would pay? Less than 3%? Sort of looks like the figures available for those earning on bug bounty platforms, doesn’t it?

Final thoughts: I said that bug bounty platforms are mostly a scam. I say mostly because some people are getting paid; it’s just vastly fewer than these companies and influencers make out. If you are interested in hacking, learn some skills, get certified and work for a company that gives a s**t about you. F**k these companies and double-f**k the YouTubers selling you dreams about bug bounties. What certs should you get? I’ll save that for my next post.
