Bug Bounties Are Bonanza, For a Few Persistent Hackers

chicksdaddy writes: Bug bounty programs are all the rage these days, with companies from Asana to Zendesk (http://bugsheet.com/directory) offering cash rewards for finding holes in their web sites. But is spending your weekends fuzzing someone else's application code really worth it? And is anyone really getting rich off bug bounties? The short answer is 'yes.' As this article at The Christian Science Monitor notes, top bounty researchers on sites like HackerOne and BugCrowd are indeed seeing big paydays — often in return for just hours of work perusing buggy websites. Among the eye-popping figures: researcher Mark Litchfield's $63,000 take over Labor Day weekend, which included the discovery of multiple remotely exploitable holes in a major web property, paying $15,000 each through HackerOne. Also profiled is researcher Frans Rosen and Sean "Meals" Melia, the number four ranked researcher on BugCrowd. Both claim to have netted six figure incomes in the last year on bug bounties alone. "It's like finding a gold nugget," Litchfield is quoted as saying. "Sometimes it's like finding my own gold mine."

Bug, the Bounty Hunter

[turkeydance]

next on History Channel, or Discovery, or CSNBC.

Re: "Sometimes it's like finding my own gold mine.

[Anonymous Coward]

Only the first party could manufacture vulnerabilities in software. Nobody hacks in and creates vulnerability. If anyone is hacking in it is because it was already vulnerable.
In other words, your post doesn't make sense. Not all bugs are vulnerabilities, but all vulnerabilities are bugs.

Re:

[KGIII]

No XKCD but, how about a Dilbert?

http://dilbert.com/strip/1995-... [dilbert.com]

Very much on topic. ;-)

Honeypot.

[zenlessyank]

I was under the assumption that these 'bounties' and 'contests' were just bait so the Power(s) that Be could make a nice list of peeps who have skills.

Re:

[Anonymous Coward]

All attempts at humor are dismissed. Learn to use an apostrophe.

Re:

[Dahamma]

So, you have never read a headline before? Dropping indefinite articles in headlines dates to centuries before you or I were born.

Re:

[Dahamma]

Bad example, since "give a shit" is a colloquialism, but "bonanza" and "a bonanza" mean the same thing.

Yes and no

[hsmith]

I am getting ready to launch one for my company. We simply announced it was coming and got inundated from India with garbage Metaspoilt attempts. Speaking with people that have programs this seems to be standard. Getting to serious issues seems to be a bit harder since it takes a bit more skill than a script kiddie can do. The real keys to success seem to be defining the scope well from the onset. But time shall tell.

tymothy

[beni1]

thank for info...

is anyone really getting rich off bug bounties? NO

[xxxJonBoyxxx]

If you need to be in the "top four" (TFA) to make a six-figure income, that's not getting rich. If you're in IT security and not pulling down six figures just showing up to the office by nine, it's probably time for the next job.

Buggy drones

[penguinoid]

What's the bounty for finding remote exploits in military drones?