A friend of mine looked at the feasibility of getting into bug bounty as a professional career. He mentioned that if you're not specialized on a specific attack, you have no chance.
I think it's quite refreshing to see that Shubham Shah is a strong counter example.
Is he really strong counter example? If you actually count bounties he got this year so far, it's less than $50,000. I think he could easily earn more working as some kind of security engineer (with way less flexibility though).
Author of the blog post here. I want to make it clear that I had multiple full-time jobs along the way that paid over 200k AUD/year and it required a lot of effort to do both bug hunting and work full time. I only did bug bounty hunting full time for around a year while I was traveling around Europe. I just really love hacking. Bug bounties landed me my first job in the industry and have led to countless opportunities in my career so far.
Automation of niche bug classes is the name of the game for high earners. Or you're the 0.01% and find new vulnerabilities in services that will pay big bucks for them. For example account takeovers in Google, FB and the like or remote code execution in high profile software have payouts that are a minimum of five figures.
blah blah blah, this dude is completely full of shit
Here's the scoop
HackerOne works with a very small, select group of security "professionals" for bug bounties.
Burp Proxy is the primary tool used for exploitation.
Burp Proxy relays all high value exploits back to portswigger.net.
James Kettle via portswigger.net brokers those high value vulnerability reports back to that same select group of security "professionals" that then in turn beat other security researchers to the punch in terms of the payout.
And Uber's security team is a complete and total piece of shit. A while back I compromised Uber's m.uber.com mobile endpoint with multiple high value vulnerabilities via HackerOne's bug bounty, only to have this exact same "notaffy" dude get awarded the $35K bounty from Uber in the weeks that followed, and with Uber locking via HackerOne all of my disclosures so that this notaffy turd could get the complete payouts by claiming that he had discovered them first in the literal hours before I had submitted my bug bounty reports.
Weeks and weeks of research into Uber's backend via HackerOne using Burp Proxy, at least eight critical vulns disclosed to HackerOne / Uber including reflected XSS and remote code execution capability, not a single dime awarded to me and with HackerOne locking all of my disclosures.
Burp Proxy is completely backdoored. When you scan targets with Burp Proxy, all high value vulnerabilities go to portswigger.net. You are then competing with this small select group of douchebags to beat them to the disclosure punch, and even then if you win, HackerOne will still award those vulnerabilities to this small select group while locking your disclosures from public dissemination.
HackerOne is complete garbage.
Uber is complete garbage.
And most importantly, portswigger.net and Burp Proxy is completely compromised to aggregate all high value discovered vulnerabilities, to be brokered to this select group of dickheads that sit on their ass and wait for the logs to roll in, at which point you are competing with them for all of the work you've put into the bug bounty.
I've got to respect the transparency and spirit of this post. Major props. What I really love is seeing all the partnerships that have gone into some of his work over the years. Didn't realize how mammoth of a task some of these reports must have been that were only made possible via collaboration.
12 comments
[ 2.7 ms ] story [ 37.8 ms ] threadI think it's quite refreshing to see that Shubham Shah is a strong counter example.
Here's the scoop
HackerOne works with a very small, select group of security "professionals" for bug bounties.
Burp Proxy is the primary tool used for exploitation.
Burp Proxy relays all high value exploits back to portswigger.net.
James Kettle via portswigger.net brokers those high value vulnerability reports back to that same select group of security "professionals" that then in turn beat other security researchers to the punch in terms of the payout.
And Uber's security team is a complete and total piece of shit. A while back I compromised Uber's m.uber.com mobile endpoint with multiple high value vulnerabilities via HackerOne's bug bounty, only to have this exact same "notaffy" dude get awarded the $35K bounty from Uber in the weeks that followed, and with Uber locking via HackerOne all of my disclosures so that this notaffy turd could get the complete payouts by claiming that he had discovered them first in the literal hours before I had submitted my bug bounty reports.
Weeks and weeks of research into Uber's backend via HackerOne using Burp Proxy, at least eight critical vulns disclosed to HackerOne / Uber including reflected XSS and remote code execution capability, not a single dime awarded to me and with HackerOne locking all of my disclosures.
Burp Proxy is completely backdoored. When you scan targets with Burp Proxy, all high value vulnerabilities go to portswigger.net. You are then competing with this small select group of douchebags to beat them to the disclosure punch, and even then if you win, HackerOne will still award those vulnerabilities to this small select group while locking your disclosures from public dissemination.
HackerOne is complete garbage.
Uber is complete garbage.
And most importantly, portswigger.net and Burp Proxy is completely compromised to aggregate all high value discovered vulnerabilities, to be brokered to this select group of dickheads that sit on their ass and wait for the logs to roll in, at which point you are competing with them for all of the work you've put into the bug bounty.
From the other side (bounty program manager -this was linked to in another article on the assetnote blog):
https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...
Do you see much demand on the mobile security side, either as a specialist or focussing on mobile bounties?