Bounty Programs: The Quicker Picker Upper

Gone are the days when the title “hacker” meant that a computer programmer was only up to no good. In fact, these days the term can mean quite the opposite. These individuals, known as white hat or ethical hackers, do a lot of good for the tech community. While this isn’t a new concept, community bug bounty programs are proving to be quite successful, both for the companies posting the bounties and for the hobbyist hackers who fulfill them.

A bug bounty program is quite simple. Companies that seek to find specific or even general flaws in their products can post a bounty for freelance hobbyists looking to test their skills. Generally, the company will require a detailed written report of the bug, how to exploit it, and steps to correct it in order to qualify for any reward they might be offering.

This tactic can be quite lucrative for both parties. A company can accomplish their goal of finding and fixing flaws in their systems, and a programmer has the potential to make a little cash, hone their skills, add to their portfolio, and quite possibly discover a great job opportunity!

You might be wondering just how much money one could earn by participating in such programs. Some of the highest monetary rewards reported to date have been awarded by Microsoft ($100,000 & $200,000 payouts). United Airlines has been known to pay their bounties in up to one million air miles! Not all rewards will be high value, however, and many programs do not offer any reward at all other than the satisfaction of accomplishing your goal and/or helping improve the products you care about. If you’re seeking bounties for the rewards, I advise you to do your research and understand exactly what each company is rewarding for the different types of exploits. This is also a good opportunity to read the rules each company has set forth for their bug bounties; many frown upon penetrating their system in a harmful way!

For a great resource, Bugcrowd offers an extensive list of companies providing bug bounty programs, along with whether a reward is offered.

So whether you’re a hobbyist looking to test your coding chops, or part of a company wanting to outsource some security work to the community, consider pursuing a bug bounty or two.