A little while ago, we wrote an article on the richest bug bounty hunters in the world. Fortunately, we were able to speak with one of the richest and most successful bug bounty hunters in the world, Cosmin Lordache aka @inhibitor181.
Before proceeding, we wanted to share a quote for our readers -
All that glitters is not gold
There may be a lot of seemingly easy and lucrative opportunities but nothing is a get rich quick scheme, and Cosmin tells us exactly how this profession has a steep learning curve. Getting into it isn't as easy as it sounds, and you will get to know this later in this article, in the words of one of the richest bug bounty hunters on this planet!
An overview about Bug Bounty Hunting
What is bug bounty hunting?
Among many weird niches, is a relatively little-known freelancing occupation called bug bounty hunting, not known to many except those who know how to hack and where to hack. Most importantly, it's for the people who hack responsibly and get paid for their time and efforts by companies.
Did you know?
Bug bounty programs are slowly getting mainstream in recent years with almost every important organization building its own. This is evident in job listings in recent times, where both experiences in bug bounty hunting and bug bounty program management are listed as desirable skills to have.
Wait, is that hacking for money?
Yes, but not the bad one. Hackers (in the bad sense of the word) have extorted companies for tens of millions of dollars, but bug bounties offer a fixed amount of money to security researchers who submit bugs (security glitches and not functional bugs) to their programs based on certain criteria. These are coordinated and mediated by a third-party platform called bug bounty platforms like Hackerone and Bugcrowd.
The best part though...
Hackers get paid to hack at the comfort of their homes and paid lump sums to find security vulnerabilities in software. You are your own boss. All you need is a sharp skill set and a passion to hunt for bugs, as they say.
As good as it gets
It's by no means an easy task. We sat down with Cosmin to understand him more and how he got into this. If you are unaware of Cosmin, he made more than $2M in bug bounties from platforms like Hackerone. Cosmin's is a rare story of success. One could barely imagine single-handedly making this much from a small successful business. Earning a million takes decades, but Cosmin achieved this within just a few years through bug bounty hunting alone. How cool, isn't it?
Like you, we had some questions in our minds. How and when did he start doing this? What motivated him to do this? How do bug bounty hunters make these massive amounts? What kind of individuals are making a killing in it? We have tried to get these answers from Cosmin through an exclusive Q&A with him.
Q&A with the richest bug bounty hunter in the world - Cosmin aka @inhibitor181
Q: When did you start hacking?
Cosmin: I discovered bug bounties in mid 2016 and I can say I started doing bug bounties in the end of 2016 as a sidegig, in paralel with my job. Since mid 2018 I have been doing fulltime bug bounties.
Q: What was your initial motivation and approach towards bug bounties?
Cosmin: I really liked the idea of finding flaws in web apps, it seemed very interesting and not linear. There were also some amazing payments that other hackers got and I wanted to be part of that...
Q: What's the best part of being a full-time bounty hunter?
Cosmin: I always wanted to "work" on my own terms, when I wanted and without having any superior it seemed a very good fit for me. I was a bit skeptical at first because bug bounties have an incredibly steep learning curve, but I was fortunate enough to get some interesting findings pretty early on, in the first 6 months, and that boosted my motivation a lot.
Q: Do you have a degree in cybersecurity?
Cosmin: I graduated from university with the official title of "engineer" (in the direction of software in reality), but I do not have any degree related to cybersecurity.
Bonus Question: if not, do you plan on pursuing a cybersecurity degree?
Currently, I do not have any plans of pursuing one, but don't get me wrong, I think you learn a lot if you study for one, it's just not a good fit for me and how my mind ticks.
Q: What is your advice for someone starting in bug bounties?
Cosmin: Bug bounty is not something you learn in a few months. It has an extremely steep learning curve, so be prepared to invest much time in learning and doing it.
Keep yourself motivated with your own ways and do not give up hope. I think that bug bounty is pretty unique for each individual so try to gather as much knowledge or input from many different people, but in the end pick what works for you, not what X or Y says it's good.
Some key takeaways
Does it need a degree in cybersecurity?
Turns out it doesn't. Cosmin stresses the need for education (he is a graduate engineer) but says he doesn't have a degree in cybersecurity.
The need for self-motivation
Cosmin tells how important it is to stay motivated and not to give up. So, try harder if you couldn't find a bug yet!
Be prepared to invest time in it
Choose a way that works for you
There's no tried and tested path that is guaranteed to work for you. So, gather as much knowledge as you can but at the end of the day, choose the unique way that works best for you. Don't try to strictly follow others, grow your knowledge, and do it your own way.
One extra piece of info*
Cosmin had dev experience of 6 years before getting into bug bounties. Do you think you need to know how to build before how to break (as he did)?
Thanks for reading
Do you want us to interview others? Did you like this? Was it useful? Tweet to us and let us know your thoughts.
Did we just start the #HackOMotivation series? Watch this space to know more!