Future of Bug Bounties (completely personal opinion)


Currently in 2022, I am not a top hacker.

This is just my biased opinion as an intermediate level bug hunter.

No human can predict the future perfectly.

But I hope I can give some hope to beginner hunters starting out on their daunting journey.

2010s decade of bug bounties

- Bug bounties started to grow around 2015 and later.
- The first hunters had to deal with lots of negative reactions, legal risks, etc.
- Limited scope to hack on.
- Very limited resources to learn from.
- Limited tools, etc.
- The Google search engine was pretty low quality.
- To succeed as a hunter you needed connections with other good hackers to really learn useful skills.
- You also needed a lot more trial and error to find valid bugs, with no real success examples to look up to…

If you read the old write-ups, there was still lots of competition; the applications were simpler, so there were not as many vulnerability types; there were many duplicates even back then, and other negatives, etc.

I have a lot of respect for the hackers who endured during those starting times. I probably would’ve just given up back then with so much uncertainty…

With any field, especially in IT, first movers have an advantage but also uncertainty about real future profitability. It’s always a tradeoff…

2020s decade of bug bounties

- Very good search engines to find the right information efficiently.
- A lot of bug bounty write-ups to learn from, and other hacking resources to practice with.
- Good tools at low cost to work with, with many alternatives to choose from.
- Web2 is only going to keep growing exponentially, meaning more good data and an ever-growing attack surface to hack on.
- A lot more programs to choose from.
- The complexity of applications is constantly increasing, meaning more evasive vulnerabilities.
- More types of devices to hack on, e.g. mobile, VR, blockchain dapps and smart contracts, etc.
- Bug bounty platforms are becoming better, with more support for hunters.
- Different platforms for different types of hunters.
- Higher bounties for really skilled hackers; bug hunters with actual high-level skills are going to be rare for quite some time. (There are a lot of hackers on bug bounty platforms, but mostly beginner types. Currently, the number of hackers with real skills who can produce results in this world is probably about 1,000? To find critical evasive vulnerabilities you need a lot of time investment and manual hacking, and humans have limited time and energy.)

The biggest downside is the high competition, so for hunters starting out it is very hard to stay motivated. But if you can break through, it is very rewarding in the long term.

The leaderboard is constantly changing; hackers who stay on top for a long time are very rare. If you are consistent enough you can rise up, especially in the IT/bug bounty world where things are constantly changing and evolving.

As a side note, I personally think depending on content creation is a bad strategy for the near future, because the value of information will continue to drop. Not to mention that machine learning has so much data to learn from and will eventually build better technical content than humans…

But for the actual process of finding bugs, there’s pretty much no good data source. Meaning machine learning is going to have a very hard time learning hacking skills. No good data means no learning. To outlive ML, you should find a field where machines can’t just extract lots of data and learn. Anything relatively easy for humans to do, you should just avoid altogether if you want to survive in the near future…

2030 onwards

I have no idea. Pretty scared how advanced machine learning will become…

Also the climate crisis… I think the only way to fix this is when Ethereum blockchain technology is “complete” and we have actual good automation tools for human coordination rather than the current poor, centralized, corrupt systems… If blockchain technology had been at an advanced state during the Covid crisis, it definitely shouldn’t have been that big of a problem…

If you’re really interested in hacking, I believe getting into bug bounties now is great timing overall. I’m definitely not saying it is easy; it will take a lot of time investment, but if one really wants it.

Even with a normal (remote) job, you never know when you can get cut off by the whim of the people you work for…

If you really have core bug bounty hunting skills, you can pretty much survive any kind of worst case, anywhere in the future… In extreme circumstances, all you need is a decent laptop with a Linux terminal and decent Wi-Fi… The top bug hunters have an extremely powerful skill for survival…

After Covid and the Ukraine war, I just see a lot of uncertainty in this world. And with corporate corruption I just have a hard time trusting humans. The climate crisis is just getting worse, and it seems like everything else in the world is getting entangled and messed up. The best move is always to think about and prepare for the worst case (I was pretty optimistic growing up, but now I have the complete opposite mindset).

If bug bounties just completely crash in the near future for whatever reason, I’ll probably just focus on blockchain; there’s nothing to really lose then…
