Bug Bounty: why and how to get started?

What is a bug bounty program?

A bug bounty program is nothing more than the security program that endorses the practice of bug bounty. It sets out the rules for collaboration between the organization and security researchers. These rules may cover the scope of testing, the amount of rewards, the types of vulnerabilities to look for, the restrictions to be observed, and so on.

Two types of program: public and private

There are two main types of bug bounty program:

• Public bug bounty programs, which are publicly visible on the web and open to everyone;
• Private bug bounty programs (or invitation-only programs), which are reserved for researchers expressly invited to join.

With a public bug bounty, the number of participants is potentially unlimited. But this is to the detriment of the program’s confidentiality – some sensitive organizations prefer to cultivate a form of secrecy, such as financial or government institutions. Furthermore, a public bug bounty doesn’t allow for talent selection, and will attract novices as well as seasoned hackers.

On the other hand, a private bug bounty is only accessible to researchers invited to take part. This allows organizations to:

• decide on the number of participants;
• their level of expertise;
• control the volume of detections and reports received, and therefore the workload of triage and mitigation teams.

The benefits of bug bounty

Bug bounty is an approach to security testing that has many benefits for organizations, so much so that it’s hard to list them all here. But the main ones are:

• the large pool of security researchers, allowing for multiple perspectives;
• the diversity of skills involved, since each researcher brings unique expertise and professional experience to the table;
• a continuous approach to cybersecurity, allowing for an ongoing testing of assets throughout the year;
• and detection of in-depth and critical vulnerabilities, which requires time and a good knowledge of the environments involved.

Again, this is just a quick overview of the strengths of bug bounty. For more on this subject, we recommend reading the following article.

Who can do bug bounty?

To put it simply: organizations and security researchers can get into bug bounty. The objectives pursued are obviously not the same:

• Organizations use bug bounty to find out about vulnerabilities in their systems, in order to improve their level of cybersecurity.
• Researchers practice bug bounty to identify vulnerabilities in these systems. Their motivations are many: money, of course, but also learning and improving skills, the desire to make the world a safer place, or simply the challenge and thrill of the search.

Can bug bounty become a full-time job?

Some experts have made bug bounty their full-time job, but this is far from the case for the majority of people. Most bug hunters also have regular jobs – pentesters, for example – or are self-taught or computer security students. Generally speaking, bug bounty is not an activity likely to generate stable, regular income, which often makes it more of a sideline than a full-time profession.

How much can one expect to earn from bug bounty?

Bug bounty is not a salaried activity, but rather a form of freelancing. Unlike pentesting, bug bounty specialists are not paid for their work time, but for the results of their research. It is therefore impossible to estimate the average earnings resulting from bug bounty activities, as they depend directly on:

• the researcher’s expertise and ability to identify vulnerabilities;
• the severity of the vulnerabilities discovered, which determines the value of the bounty. Minor vulnerabilities rarely generate more than a hundred dollars, whereas the most critical exploits can be rewarded with thousands;
• the speed with which organizations validate reports and pay researchers on time.

How do you get into bug bounty?

Once again, it all depends on which side of the fence you’re on: security researchers or organizations.

Where to start as a researcher?

For researchers, there’s no secret: you’ve got to know security! You can’t find vulnerabilities in systems without a minimum of knowledge. But since everyone has to start somewhere, we’ll give two pieces of advice to aspiring hackers:

1. Study hard! Learn a programming language and the basics of web technologies – DNS, browser rules, protocols… There are hundreds of resources on the web to get you started! For those who prefer video content, here are some of our favourite Youtube channels about ethical hacking: Stök, NahamSec, LiveOverflow, IppSec and The XSS Rat.

2. And practice! There are a number of training platforms where you can brush up on ethical hacking, such as TryHackMe, HackTheBox and the PortSwigger Academy. Public bug bounty programs are also good training grounds for those who have already acquired sound foundations.

Where to start as an organization?

Bug bounty is a highly effective method for detecting vulnerabilities, but it’s also very demanding for organizations.

Let’s put it bluntly: with a pentest, all you have to do is pay a provider and let them do their job. With bug bounty, companies have to invest time, human, technical and financial resources. To be effective, bug bounty requires a good understanding of the exercise and a good knowledge of the security level of your own assets.

It’s vital to ask yourself whether this is the most appropriate test for your target environment. Bug bounty is not an appropriate approach for products that are not sufficiently mature in terms of digital security. We can’t stress this enough, but it’s essential to screen assets using other forms of testing – such as pentesting and vulnerability scanners – before running a bug bounty.

Read also: Penetration Test vs Bug Bounty, which approach is right for you?

If you think it’s time to take your security to the next level: congratulations! But there’s still one important step left: how to build and implement an effective bug bounty program. There are plenty of topics to tackle here:

• program scope;
• triage of vulnerability reports;
• selecting researchers and communicating with the community;
• reward amounts;
• program management by your internal teams;
• the remediation process for your development teams.

These are just some of the questions you need to ask yourself before diving headlong into bug bounty. And as you can see, there’s plenty to think about. So, for those of you who’d like to take the plunge, we’ve put together a complete bug bounty guide to a successful program.

In addition, it may be interesting to read testimonials from companies already experienced in the exercise. Here are experiences of some of our customers, who have been successfully running bug bounty programs for several years.