From Pentester to Bug Hunter
Since Netscape launched the first Bug Bounty program in 1995, new platforms have developed quick and simple ways for companies to find and reward pentesters for disclosing and reporting their vulnerabilities. Find out what are some of the required skills and how to get started.
Skills & Pre-Requisites
The first part of Bug Hunting is knowing your skill set, what you are good at, and what you can achieve from your expertise. With that in mind, there are 3 main Bug Bounty categories or areas of focus:
- Web App Pentesting – Companies looking for professional penetration testers to find vulnerabilities in their web applications.
- Mobile Testing — Companies searching for professionals to find the bugs in their code, mobile apps, etc.
- Internet of Things (IoT) Security — Now emerging, and subject to large rewards due to the scarce number of people that have the right skills, companies are looking to bug bounty programs to make their IoT devices more secure.
One common way to get started is by doing your research and gaining extra knowledge on how to test web apps for vulnerabilities. You can read the methodologies from the “OWASP Testing Guide v4“, “The Web Application Hacker’s Handbook 2“, or gift yourself some practical training such as our Web Application Penetration Testing version 3 (WAPTv3) training course, to learn both methodologies and get practical experience. Get a free trial here.
⚠ Another important skill to have is knowing how to write thorough and professional reports.
While the majority of Bug Hunters rely on another source of income, it is possible to make bug hunting a full-time job. According to a rough estimate from Jason Haddix, VP of Trust and Security at Bugcrowd, professional bug hunters that devote 10-20 hours a week can earn on average $20k-$90k, and those who take on 20+ hours a week can gather up to $100k-$500k over a year.
Whichever option you choose, here are some of the common highest paying bugs:
- Server Side Request Forgery
- XML Entity Injection
- Security Misconfiguration
- Credential leakage and default credentials
- Variants of command and code injection (RCE)
Interested in learning how to make extra cash out of bug hunting? Catch a replay of the EH-Net Live! webinar with Jason Haddix, VP of Bugcrowd: “Bug Hunting As A Second Income“
Available Gigs & Platforms
Numerous platforms are available for professionals to find bug hunting gigs. Here are some of them:
Learn all the skills to become a successful bug hunter with our Threat Hunting Professional (THP) training course. Get a free trial below.
Connect with us on Social Media: