The Bug Hunting Career


Myths and truths about bug hunting, one of the most mysterious and fascinating specializations in the world of cyber security. All that glitters is not gold, but fun is guaranteed.

The cybersecurity sector is vast and very heterogeneous: a set of highly diversified specializations and skills, so much so that speaking of “cybersecurity” as if it were a single occupation is misleading.

Within this variegated world of professions and activities, alongside the better-known ones such as penetration testing, monitoring, awareness training and so on, there are some that are a little less hyped and enjoy the respect usually reserved for what is little known, or not known at all. Among these, of course, is bug hunting.

What is bug hunting

Of course, it is not a mysterious object. More or less everyone knows that bug hunting refers to the activity of analyzing software and hardware in search of vulnerabilities that cybercriminals could exploit maliciously if they got hold of them first.


Based on the type of vulnerability detected, the technology in which it is present and the respective vendor, the bug hunter is then remunerated more or less generously. All this creates a virtuous circle in which highly specialized professionals spend their working days analyzing code and devices, developing exploits and trying them out to confirm their intuitions.

And if everything works perfectly, here comes the generous compensation, which hopefully comes from those who have an interest in fixing that particular vulnerability, even if things don’t always work out that way.

Go hunting now

Referring, obviously, to ethical bug hunting, let’s start by saying that there are various career paths. The easiest is to sign up for bug bounty programs and start working right away. The level of expertise required, however, is medium to high: bug bounty programs attract some of the best talent on the market, and the risk is that they will be the first to find the best-paid vulnerabilities.

The idea, for the beginner, is that those who run bug bounty programs publish a sort of reward table, with payouts that vary greatly depending on the severity of the vulnerability found. For example, Apple Security Bounty is one of the highest-paying programs, with rewards reaching up to a million dollars.

Google is less generous, perhaps because it offers many more services than the Cupertino giant and, therefore, the potential number of vulnerabilities is greater. Here the rewards can reach 30,000 dollars, although in some cases negotiation is possible and much more substantial figures can be obtained. Microsoft? It competes with its rival Apple for the best bug hunters, and in this case too the top reward reaches a million dollars.

There are also platforms that act as intermediaries between those who run bug bounty programs and the bug hunters themselves: the most famous is HackerOne, and it is an excellent training ground for growing, challenging ourselves and aiming for increasingly critical vulnerabilities.

Bug hunting: what there is to learn

It should be clarified, however, that finding these vulnerabilities is a real undertaking, requiring months, if not years, of hard work and extremely high-level skills. Which is why, unless bug hunting is our hobby and reason for living, and we dedicate a lot of time to it, it is better to gain experience through a more structured career, one that starts from ad hoc training.

In reality, the skills needed to approach the world of bug hunting start from rather classic foundations for the cybersecurity sector. In-depth knowledge of Linux is an essential requirement, as is network architecture, with particular reference to the protocols of the various layers of the OSI model, before moving on to in-depth knowledge of the web and web applications.

Leaving aside hardware bug hunting, which requires much more preparation, at this point it is a good idea to learn how to program at a solid level, if we do not already know how.


Opinions on which is the best language differ, but for beginners the advice is to aim for Python and Go, which can count on simple syntax, an enormous number of libraries and a certain vocation for ethical hacking, which, after all, is the principle on which bug hunting is based. For those with more determination, Perl, C and assembly are a plus that repays the effort.

Having built a solid foundation with these skills, the next step is to tackle the art of bug hunting head-on. There are excellent books that explain it, and among the best are Bug Bounty Hunting Essentials by Carlos A. Lozano and Shahmeer Amir, Hands-On Bug Hunting for Penetration Testers by Joseph Marshall and Real-World Bug Hunting by Peter Yaworski.

The importance of practice

Bug hunting, even more than other cybersecurity specialties, requires a lot, a lot of practice. If it is true that the basic notions must be solid and understood in every detail, it is equally true that bug hunting requires experimentation, resourcefulness and patience, because it very often happens that we “chase” a bug only to realize that it was a flash in the pan, or that someone else has already discovered it in the meantime.

For this reason it is essential to quickly learn how to make economic assessments of one’s own work: it is often better to focus on finding many small vulnerabilities, rather than the million-dollar one, and gain experience in the meantime.

How much do we earn

Speaking of earnings: what figures can we realistically aspire to? They vary greatly according to the target, the commitment and, why not, even luck.

However, there is no shortage of professionals ready to share their numbers. One of the most famous is Anton “Skavans” Subbotin, who says he earned $558,000 in his last three years of work: respectively 91 thousand in 2019, 229 thousand in 2020 and 252 thousand in 2021.

Subbotin himself, however, is keen to point out that one should not enter this sector for economic reasons alone: doing so without any real interest inevitably turns into a disastrous experience.

To be successful, in bug hunting as in any other profession, we need to have fun and be passionate.

Roberto Raspatella puts the cybersecurity and project leadership skills gained over the years at the service of his readers. His approach is characterized by critical thinking, which cannot be separated from constant research in technology, cybersecurity, privacy, ethics, politics and psychology.

He shares his opinions on LinkedIn and Twitter.
