Confessions of a top-ranked bug bounty hunter

From 2016 to 2017 I was very active in the bug bounty space, working almost exclusively with Synack. My first year doing bug bounties I was able to claim a top spot on the Synack leaderboards, all while doing bug bounties part time (I still had a day job as a red teamer at a fortune 50 retailer). As a reward for my efforts I was invited to a few private events, and received access to programs that had exclusive access to top researchers and continued to maintain a first-name basis relationship with some of the program managers at Synack.

Over time those program managers moved on, I lost my intimate relationship with the staff at Synack, and lost interest in working on “those kind” of bug bounty programs in general. So, how does a hacker go from being a top-researcher to being completely idle on the Synack platform? Here are a few things that contributed to the decline that I feel highlight the overall problems with the bug bounty space.

Issue #1 The time/money trade-off

The economics of bug bounty programs are pretty great, for the bug bounty company. When a new customer is onboarded their money goes into a pool, that pool is slowly paid out to researchers over time when they submit bugs. If their pool of researchers are unable to find enough bugs, the bug bounty company risks loosing a client, however they don’t have to give the money back :)

Contrast that with the bug bounty researcher, if you spend 10 hours researching a target, and only find one interesting bug. You may get paid the value of the bug, if… it’s not a duplicate. If it’s a dupe, you get nothing, if you find nothing, you also get paid nothing. Not great!

On the flip side I’ve been able to find RCE bugs in as little as 2 hours, and getting a two thousand dollar bounty, in 2 hours, is not a bad payday either.

This arrangement has an unfortunate drawback. It prioritizes bugs that are “shallow” now a shallow bug is one that is easily found by automation, say for example reflected or stored XSS issues. A bug bounty hunter may only get $300 for a stored XSS bug, but if you can automate your code and find several in a day, the economics work out for you.

If, on the other hand, you want to find high impact bugs like RCE bugs you may need to spend a lot of time researching a hard target. You may find RCE, you may not. But if you don’t you definitely wont get paid!

Issue #2 Target Selection Bias

While issue number one represents the most common issue, another less common issue is what I call target selection Bias. If someone doesn’t want to spend time looking for shallow bugs. If instead they want to focus their skills on deep knowledge of one specific tech stack, they can usually find some pretty high impact bugs. One example of this would be a researcher that focuses on finding java deserialization bugs. The issue here for a customer is, what if you don't run a tech stack that many researchers are familiar with? Does that mean that you have no deeply hidden vulnerabilities? probably not, it’s just that the talent pool at bug bounty programs isn’t usually selecting for your tech stack.

Bug bounty programs therefore prioritize the discovery specific vulnerability classes, these may or may not be in your perimiters tech stack.

Issue #3 Scoping

This one may or may not be obvious but real attackers don’t follow scoping guidelines, so if you are considering a bug bounty your entire enterprise should be in scope. If not you are probably missing out on some key vulnerabilities in systems that will likely be exploited by the actual bad guys some day! Some bug bounty programs do a better job of supporting larger scopes than others. Synack for example had host-based programs in which an entire range was in scope. I liked those the best because I could look at every system in scope and find the weakest, or most interesting link.

Bug bounty programs therefore are lacking authenticity in reproducing the adversary perspective.

So what does a former top bug bounty hunter think are better options?

If you are a researcher yourself: In the last 2 years I switched my focus to private vulnerability disclosure and acquisition programs. Personally the Zero Day Initiative is a great program in which a researcher is paid enough to spend hours upon hours doing deep research on hard(er) targets to find high impact vulnerabilities.

I’ve competed in Pwn2Own a few years in a row and disclosed some high impact RCE vulnerabilities in ICS/SCADA systems and NAS devices.

If you run a security program: I’ve launched Adversary Academy a research focused offensive security company. We set aside funds from every engagement to target devices and systems we encounter during penetration tests, and vulnerability assessments for clients. After an engagement is complete we spend our own research hours on finding vulnerabilities in our clients information systems. We then notify our clients of high-impact exploitable vulnerabilities before anyone else. In my mind this does what no other pentest-shop is doing currently which is breaking out of the point-in-time nature of pentesting and delivering value even after the reports are delivered.