Learn why and how you should get into bug bounty, whether you’re a hacker or an organization. Platforms, program types, your journey starts here.
It’s a cliché, but the need for cybersecurity in organizations is increasing year after year. It’s a major challenge, with numerous ramifications: supply chain security, authentication, data storage and access, endpoint security, and the list goes on.
In this plethora of cybersecurity topics, there’s vulnerability detection. Offensive security provides organizations with a broad arsenal for testing and strengthening their digital assets. And among these tools is bug bounty.
What is bug bounty?
Bug bounty is a method for detecting IT vulnerabilities by leveraging the community of ethical hackers to test the security of digital assets – applications, websites, APIs, cloud environments, etc. – in order to identify potential risks.
It’s a bug hunting scheme based on a pay-per-result logic. Organizations pay monetary rewards to security researchers for each valid vulnerability they manage to identify. The more critical the vulnerability, the higher the bounty. If no vulnerability is detected, the organization spends nothing.
What is a bug bounty program?
A bug bounty program is simply the security program that formalizes the practice of bug bounty. It sets out the rules for collaboration between the organization and security researchers. These rules may cover the scope of testing, the amount of the rewards, the types of vulnerabilities to look for, the restrictions to be observed, and so on.
Two types of program: public and private
There are two main types of bug bounty program:
- Public bug bounty programs, which are publicly visible on the web and open to everyone;
- Private bug bounty programs (or invitation-only programs), which are reserved for researchers expressly invited to join.
With a public bug bounty, the number of participants is potentially unlimited. But this comes at the expense of the program’s confidentiality – some sensitive organizations, such as financial or government institutions, prefer to maintain a degree of secrecy. Furthermore, a public bug bounty doesn’t allow for talent selection, and will attract novices as well as seasoned hackers.
On the other hand, a private bug bounty is only accessible to researchers invited to take part. This allows organizations to:
- decide on the number of participants;
- choose their level of expertise;
- control the volume of findings and reports received, and therefore the workload of the triage and remediation teams.
The benefits of bug bounty
Bug bounty is an approach to security testing with many benefits for organizations, so many that it’s hard to list them all here. The main ones are:
- the large pool of security researchers, which brings multiple perspectives;
- the diversity of skills involved, since each researcher brings unique expertise and professional experience to the table;
- a continuous approach to cybersecurity, allowing assets to be tested on an ongoing basis throughout the year;
- the detection of deep, critical vulnerabilities, which requires time and a good knowledge of the environments involved.
Again, this is just a quick overview of the strengths of bug bounty. For more on this subject, we recommend reading the following article.
Who can do bug bounty?
To put it simply: organizations and security researchers can get into bug bounty. The objectives pursued are obviously not the same:
- Organizations use bug bounty to find out about vulnerabilities in their systems, in order to improve their level of cybersecurity.
- Researchers practice bug bounty to identify vulnerabilities in these systems. Their motivations are many: money, of course, but also learning and improving skills, the desire to make the world a safer place, or simply the challenge and thrill of the search.
Can bug bounty become a full-time job?
Some experts have made bug bounty their full-time job, but this is far from the case for the majority of people. Most bug hunters also have regular jobs – pentesters, for example – or are self-taught or computer security students. Generally speaking, bug bounty is not an activity likely to generate stable, regular income, which often makes it more of a sideline than a full-time profession.
How much can one expect to earn from bug bounty?
Bug bounty is not a salaried activity, but rather a form of freelancing. Unlike pentesters, bug bounty hunters are not paid for their working time, but for the results of their research. It is therefore impossible to estimate the average earnings from bug bounty activities, as they depend directly on:
- the researcher’s expertise and ability to identify vulnerabilities;
- the severity of the vulnerabilities discovered, which determines the value of the bounty. Minor vulnerabilities rarely earn more than a hundred dollars, whereas the most critical findings can be rewarded with thousands;
- the speed with which organizations validate reports and pay out the rewards.
How do you get into bug bounty?
Once again, it all depends on which side of the fence you’re on: security researchers or organizations.
Where to start as a researcher?
For researchers, there’s no secret: you’ve got to know security! You can’t find vulnerabilities in systems without a minimum of knowledge. But since everyone has to start somewhere, we’ll give two pieces of advice to aspiring hackers:
1. Study hard! Learn a programming language and the basics of web technologies – DNS, browser rules, protocols… There are hundreds of resources on the web to get you started! For those who prefer video content, here are some of our favourite YouTube channels about ethical hacking: Stök, NahamSec, LiveOverflow, IppSec and The XSS Rat.
2. And practice! There are a number of training platforms where you can brush up on ethical hacking, such as TryHackMe, HackTheBox and the PortSwigger Academy. Public bug bounty programs are also good training grounds for those who have already acquired sound foundations.
Where to start as an organization?
Bug bounty is a highly effective method for detecting vulnerabilities, but it’s also very demanding for organizations.
Let’s put it bluntly: with a pentest, all you have to do is pay a provider and let them do their job. With bug bounty, companies have to invest time, human, technical and financial resources. To be effective, bug bounty requires a good understanding of the exercise and a good knowledge of the security level of your own assets.
It’s vital to ask yourself whether this is the most appropriate test for your target environment. Bug bounty is not an appropriate approach for products that are not yet sufficiently mature in terms of digital security. We can’t stress this enough: it’s essential to screen assets using other forms of testing – such as pentesting and vulnerability scanners – before running a bug bounty.
If you think it’s time to take your security to the next level: congratulations! But there’s still one important step left: how to build and implement an effective bug bounty program. There are plenty of topics to tackle here:
- program scope;
- triage of vulnerability reports;
- selecting researchers and communicating with the community;
- reward amounts;
- program management by your internal teams;
- the remediation process for your development teams.
These are just some of the questions you need to ask yourself before diving headlong into bug bounty. And as you can see, there’s plenty to think about. So, for those of you who’d like to take the plunge, we’ve put together a complete bug bounty guide to a successful program.
In addition, it may be interesting to read testimonials from companies already experienced in the exercise. Here are experiences of some of our customers, who have been successfully running bug bounty programs for several years.
Choosing the right bug bounty platform
Whether you’re a researcher or an organization, bug bounty is practised through a bug bounty platform. In both cases, it’s important to choose the right one.
What is a bug bounty platform?
A bug bounty platform is an online platform that enables collaboration between companies and security researchers as part of a bug bounty program. It acts as an intermediary between the two parties, providing a secure space where researchers can report discovered vulnerabilities, and where companies can manage these reports.
The differences between public and private platforms
There are two main types of bug bounty platform:
- Public platforms. All researchers are free to register on these platforms. Anyone can create an account, regardless of their skills, expertise or, sometimes, their identity. To date, the vast majority of bug bounty platforms are public – this is the historical model.
- Private platforms. These are selective: researchers wishing to join them and take part in their bug bounty programs must first meet a number of criteria. These usually include a series of technical tests, identity checks and tests of their ability to communicate with customers.
Yogosha is a private platform – the only one of its kind in Europe. This means two things:
- Our community of researchers is selective. Each member of the Yogosha Strike Force has proven their worth by verifying their identity and passing our entry tests, which are demanding, to say the least: only 20% of participants succeed.
- All our bug bounty programs are confidential, and researchers are invited to participate according to their skills, the program’s objectives and the technologies involved.
To find out more about the differences between public and private platforms – which all have their role to play in the ecosystem of crowdsourced security – we recommend you read our in-depth comparison.
Yogosha has specialized in offensive security testing, including private bug bounty, since 2015 – a discipline in which we are the European leader. Needless to say, we’re starting to get the hang of it.
Feel free to contact us if you’d like to find out more about private bug bounty, or our OffSec testing operations as a whole.