Bug bounty hunting is one of the most lucrative side hustles for the vast majority of hackers and security researchers out there. Security breaches like the SolarWinds supply chain attack always remind us that it doesn't take much effort for attackers to find a weak point in systems and leverage it to gain persistence in networks. While it's not likely that this was the way the attackers got in, we had reported how SolarWinds had exposed a critical FTP credential through a GitHub commit since 2018, which was only brought to their notice in late 2019. A brilliant way to prevent such breaches is to crowdsource talent: security is very hard to get right, but when you have a thousand different pairs of eyes looking at it, it's very probable that they will find issues and edge cases you never thought of during the development cycle of your applications, and that's where a bug bounty program fills the gap.
A large number of whitehats now rely on bug bounties as their only source of income, and it all begins to make sense when you see hackers making millions through their art of hacking. Full-time (independent) hacking is becoming a thing, as we have entered the age of bug bounties. Bug bounties are no longer a disorganized sector; with more platforms, it has almost become a mainstream profession.
Almost a year ago, Hackerone announced that Cosmin (@inhibitor181) had reached $1 million in bug bounty earnings across their platform, officially becoming the 7th bug bounty millionaire on the platform. Today, they tweeted that @inhibitor181 has reached $2 million in bug bounty earnings, which makes it an important landmark for the bug bounty industry, and the highest to date. Is it a vantage point, or will there be someone who crosses it?
$1 million in bug bounties in less than a year
Hackerone had announced less than a year ago that Cosmin became the 7th hacker to become a bug bounty millionaire. Now he has crossed the $2M mark in all-time earnings, which means @inhibitor181 might have made $1M in bounties in less than a year, on Hackerone alone.
A million-dollar salary with just about 4 years of work experience
At the age of 30, and with just 4 years of experience in bug bounty hunting, Cosmin makes $1 million in bug bounties a year from the 468 bugs he reported on Hackerone, and has made $2 million so far in bug bounties.
This is far higher than the pay of most senior tech positions or cybersecurity/infosec jobs that we know of. From Cosmin's Hackerone profile, we learned that he joined the platform only around 4 years ago, in 2016. With just about 4 years of experience (which is even less than what one would consider mid-level experience), a bug bounty hunter is able to earn $1M a year and make $2M in all-time earnings.
Taking these facts into account, with just a few years of experience, most skilled hackers can make six-figure incomes from bug bounty hunting. This makes it approachable for a large number of entry-level cybersecurity job seekers.
The Bug Bounty Millionaires
There are 9 bug bounty millionaires in the world, and Cosmin is one of them, and the richest to date. The list of the nine bug bounty millionaires is as follows:
- Cosmin Iordache (@inhibitor181), from Germany - $2M+
- Nathaniel Wakelam (@nnwakelam), from Australia - $1.8M+
- Mark Litchfield (@mlitchfield), from the U.K. - $1M+
- Frans Rosen (@fransrosen), from Sweden - $1M+
- Ron Chan (@ngalog), from Hong Kong - $1M+
- Tommy DeVoss (@dawgyg), from the U.S.A. - $1M+
- Eric (@todayisnew), from Canada - $1M+
- Jon Colston (@mayonaise) - $1M+
- Santiago Lopez (@santi_lopezz99), the youngest at the age of 19 and the first bug bounty millionaire - $1M+
UPDATE: We did a Q&A with Cosmin aka @inhibitor181. Check it out!
Among them, Santiago Lopez (@try_to_hack) was the first bug bounty millionaire, at just the age of 19.
Nathaniel Wakelam (@nnwakelam) said he's just $200k short of reaching $2 million in bug bounties, and hopes to reach $3M, as per his tweet.
Note: '+' indicates it's unknown whether, or by how much, they have earned beyond $1M since their earnings were last published.
Bug Bounties give Hackers a respectable source of income
Hackerone reportedly paid out $40 million in bug bounties in 2019 alone, and $82 million in total. Hacking, which was considered bad not long ago, is now a respectable source of income for many people around the globe.
Is hacking good or bad?
As per Hackerone's survey, 82% of Americans think hackers can expose weaknesses in systems rather than engaging in malicious activities. This shows that the perception of whitehat hackers is gradually changing. Companies also seem to prefer hiring people with hacking skills for security roles. In cybersecurity jobs, the focus of hiring is gradually shifting toward people with advanced hacking skills rather than those with certificates and degrees.
Some Facts about Hackerone
Hackerone is one of the top bug bounty platforms. There are other bug bounty platforms like Bugcrowd, YesWeHack and so on, but Hackerone seems to have the largest market share, and it is the only one on which bug bounty hunters have been able to make millions exclusively.
Hackers from over 170 countries have been hunting for bugs on Hackerone, according to its 2020 Hacker Report. There are over 600,000 bug bounty hunters on Hackerone.
Hackerone hosts programs from over 1,700 companies and government agencies on its platform.
So far, 50 hackers made six figures ($100,000) in bug bounties in 2019, while most hackers tend to earn less than $20k per year. The figure, though small, indicates that there's huge potential in bug bounty hunting for aspiring hackers.
18% of hackers are hacking full time, which, though a small number, is quite reassuring: bug bounty hunting is becoming a full-time profession for many.