For a lot of people, bug bounties present a way to escape the rat race: a way to exchange the handcuffs of employment for the freedom of autonomous control over their day and their financial future. As appealing as that looks, it’s also important to be objective and methodical about any decision to make bug bounties “the way you keep the lights on”. Life-altering decisions shouldn’t be made without objectively considering all the factors involved. Given that, this blog outlines a list of pros and cons to consider if you’re thinking about doing bug bounties for a living.
Whilst I haven’t exclusively done bug bounties for a living, I have earnt enough in a year (with part-time hunting around a pentesting job) that I easily could have. I’ve also played online poker professionally for seven years as my only income, which, whilst not exactly the same, has very direct parallels in mindset and life requirements. I believe that these two experiences give me a reasonable position from which to discuss at length the considerations I feel you should make before you take the leap, and whether or not you should take it at all.
Perhaps the most obvious consideration is prior experience: not only hacking ability, but the time you’ve already put in and the return it has shown. If you’re considering making a run at doing bug bounties for a living without having already put a significant amount of time into hunting, and shown results, you’re going to be at a distinct disadvantage, for a few key reasons:
- Programs and Opportunities are a distinct advantage for a seasoned hunter over a newer one. The longer you’ve been hunting, the more private invites you’ve received, and subsequently the wider the attack surface available to you. Likewise, the better the severity ratings and quality of the reports you’ve previously written (which comes with experience), the better and earlier the opportunities that will be presented to you. Starting out, the only programs available to you tend to be public, joinable and waitlistable programs, and whilst that’s useful and there are bugs to be found, the return on your time and the availability of bugs in that attack surface are far reduced compared to having a wider array of programs (and platform opportunities) to choose from. In addition, the more successful you are, the more opportunities you’ll have to collaborate with and learn from other top hackers.
- Learning and Upskilling is an expensive, and very time consuming, activity. As you start out, everything is new, and learning each skill takes significantly longer than it will for somebody with a more seasoned skillset to draw upon. The first time many encounter SQL injection, for example, it typically takes much longer to understand and learn than it later takes the same individual to extend that skillset to Blind SQL Injection or NoSQL Injection, because there’s a closely related prior experience to draw upon. Many, if not most, elements of bug bounties and security in general follow this pattern, and taking a leap into needing a full return on your time makes learning a newly expensive, and more stressful, experience than it was previously.
- Report Backlogs are important. Given the variety and range of businesses involved, not all reports are paid in a timely manner. Different companies have different considerations to make before a report can be paid. Some meet regularly as a panel to make decisions about reports in batches (causing long payment delays), others may have run out of “pool” (money to pay) and need to go through budget approval and procurement processes to replenish the funds they have available, and others are simply slow. Whilst that’s not universal, and the majority of programs do pay quickly and on time, these delays, where they occur, are a lot more noticeable before you’ve built up a backlog of bugs awaiting payment. Having this backlog (a number of bugs you’ve previously reported, awaiting payment) adds consistency to the inbound payments you’ll receive, and allows you to manage your income far more predictably when you’re paying yourself as a full time hunter.
Demographic / Country / External Factors
Country and external factors can count both for and against hunting for a living. Bug bounties are typically paid in US dollars, which for many regions means a higher return on your payments, in addition to a lot of countries having a lower cost of living than the US. By the same token, for many individuals this can also pose a distinct disadvantage, especially if you’re US based. That isn’t to say that the bar is impossible to meet if you’d like to hunt for a living; it’s certainly been achievable for many, but it will mean you have more to consider in a country with a higher cost of living, or a stronger currency, than one without the same expectations. It’s also important to learn how tax, including capital gains tax, applies to these conversion rates: the cash benefit you receive from conversion still needs to have tax paid on it, and isn’t to be considered “free money”. Additionally, consider the impact beyond the conversion rate on your ability to obtain a mortgage or meet other financial application needs. Working for yourself brings a different set of financial obligations when applying for these loans, and it’s good to be aware of this ahead of time so you can plan appropriately.
Likewise, external factors can’t be ignored. Do you have a high number of expenses? Are you certain you can cover them even in a bad month, or one where you’re ill? Have you factored in the need to save for retirement as a self-employed person, as well as providing for health care and enough income to allow for time off? Finally, who else is going to be affected by your decision? For myself, I played poker at a time when I was young, single and had no dependents, which suited me very well at the time. Later in life I now have external responsibilities, and the decision is no longer mine alone, given it would impact my entire family. Considering your circumstances, current and near future, is an important part of the decision making process.
Whilst obvious, I found that many get caught up in the excitement of early success, often ignoring these kinds of considerations either intentionally or unintentionally. That can work in the short term, but sooner or later you’re going to get sick, need a break, or have to have a difficult conversation with family members who may not align with your decision. Considering and planning for these factors is, in my opinion, the most important part of any decision making process before seeking self employment in a field with variable income.
Savings and Flexibility
For poker, we used to regularly repeat the advice that you should always have at least one year of expenses in savings, in addition to 100 buy-ins of table stakes, before even considering playing poker for a living. These two buffers not only meant you could sustain a losing streak (as happens in skill-based games with an element of luck), they also helped to sustain your mental state throughout those periods, because you could afford to think in expected value rather than in the money on the table. Not to be underestimated, this allows you to continue working at your best and making good decisions.
Expected value (EV) is the return that good decisions, the right decisions, render over the long term: an average across many repetitions, rather than the outcome of any single hand or bug. Whilst the sample sizes in bug bounties aren’t ideal for a direct correlation to this method, as a baseline we can similarly think in expected value. For example, if you’ve 100 paid bugs to your name, for an average of $1000 a bug, then you can reasonably start to treat $1000 as your expected return per bug. If each bug takes you sixteen hours of hunting, then your EV is $62.50 per hour hunted. That said, it’s unlikely that you’re going to hunt a full 38-hour week, at least not over the long term. You need to adjust this calculation to take into account time spent reporting, time spent learning, at conferences, sick, and on family and leave time. After doing all of that, you’ll arrive at a truer figure that can help you to decide whether you want to approach bug bounties full time or not.
Once you’re at such numbers, you can use them to work out your expected returns, and subtract taxes, health care and other expenses to see if it’s a feasible living that you want to approach. The importance of honesty with yourself here shouldn’t be missed. If most of your bugs, for example, come from one type of subdomain takeover, what happens to your return once that vector is inevitably patched? If you’re purely reliant on one program, what happens if they harden over time, change scope, or close entirely? What are the factors you’re vulnerable to, and how can you diversify your time and build upon your skills to reduce the exposure they leave you with? Are you dependent on specific tooling, and have you budgeted for its ongoing costs? For many, this calculation, if done properly, will show that bug hunting for your sole living remains too variable to consider, and that it’s best left as a lucrative hobby. For others, different life circumstances or risk appetite may make it feasible anyway; however, that again should be a risk you accept only after working out and understanding how you’re exposed to it.
Extending upon the concept of expected value, a significant contributor to when you should start hunting for a living is your burn rate. Burn rate here refers to the rate at which your expenses consume the money you have available, and therefore how long that money will sustain you if nothing else comes in.
For example, let’s assume that in your bug bounty journey to date you’ve saved $10,000, and you have expenses (including tax) and entertainment costs of $2500 a month. With that, your savings cover four months: a burn rate of four months. However, that assumes you can immediately land another job should the four months go by without you making anything additional.
A much more prudent approach is to try your hand at bounties for two months and then reevaluate your position. If over that time you’ve sustained at least your expenses (of $2500 a month), then you still have a remaining burn of four months, and you can feel confident that you’re starting to find a sustainable approach to making a living. Regularly tracking your burn rate, the money you have left to burn, and the point at which you would need to reconsider looking for another job keeps you aware of how well your income is actually working.
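A small model of the expected-value and burn-rate arithmetic from the two sections above, carried through the adjustment step the text leaves to the reader (non-hunting time, a monthly figure, and the re-evaluation after a trial period). This is an added example, not code from the original post: the defaults are the post’s own illustrations ($1000 a bug, sixteen hours a bug, $10,000 saved, $2500 a month), while the overhead fraction, the 38-hour week, the average-month conversion and the trial-month incomes are assumptions marked as such.

```python
"""Expected-value and burn-rate model for the decision discussed above.

Added example, not the post's own code. Defaults are the post's illustrations;
the overhead fraction, 38-hour week and trial incomes are assumptions.
"""
from math import floor

HOURS_PER_WEEK = 38          # assumption: the full working week the post refers to
WEEKS_PER_MONTH = 52 / 12    # assumption: average calendar month


def ev_per_bug(total_paid: float, paid_bugs: int) -> float:
    """Mean payout per paid bug: the baseline EV the post describes."""
    if paid_bugs <= 0:
        raise ValueError("need at least one paid bug to estimate EV")
    return total_paid / paid_bugs


def ev_per_hunting_hour(total_paid: float, paid_bugs: int, hours_per_bug: float) -> float:
    """EV per hour actually spent hunting (the post's $62.50 figure)."""
    if hours_per_bug <= 0:
        raise ValueError("hours_per_bug must be positive")
    return ev_per_bug(total_paid, paid_bugs) / hours_per_bug


def ev_per_worked_hour(total_paid: float, paid_bugs: int, hours_per_bug: float,
                       overhead_fraction: float) -> float:
    """EV per hour of the working week once non-hunting time is counted.

    overhead_fraction is the share of worked hours that produces no bugs:
    reporting, learning, conferences, sickness and leave (assumption: 0 <= f < 1).
    """
    if not 0 <= overhead_fraction < 1:
        raise ValueError("overhead_fraction must be in [0, 1)")
    return ev_per_hunting_hour(total_paid, paid_bugs, hours_per_bug) * (1 - overhead_fraction)


def expected_monthly_income(ev_worked_hour: float,
                            hours_per_week: float = HOURS_PER_WEEK) -> float:
    """Gross monthly EV at a given weekly workload, before tax and expenses."""
    return ev_worked_hour * hours_per_week * WEEKS_PER_MONTH


def runway_months(savings: float, monthly_expenses: float,
                  monthly_income: float = 0.0):
    """Whole months the savings cover at the current net burn.

    Returns None when income at least covers expenses (no net burn).
    """
    net_burn = monthly_expenses - monthly_income
    if net_burn <= 0:
        return None
    return floor(savings / net_burn)


def reevaluate(savings: float, monthly_expenses: float, actual_incomes):
    """Replay a trial period with the income actually earned each month.

    Returns (savings left, whole months of runway left with no further income):
    the check the post suggests making after two months.
    """
    balance = savings
    for income in actual_incomes:
        balance -= monthly_expenses - income
    return balance, runway_months(balance, monthly_expenses)


if __name__ == "__main__":
    hunting = ev_per_hunting_hour(100_000, 100, 16)        # $62.50, as in the post
    worked = ev_per_worked_hour(100_000, 100, 16, 0.25)    # assumption: 25% overhead
    print(f"EV per hunting hour: ${hunting:.2f}; per worked hour: ${worked:.2f}")
    print(f"Gross monthly EV at {HOURS_PER_WEEK}h/week: ${expected_monthly_income(worked):,.2f}")
    print("Runway with no income:", runway_months(10_000, 2_500), "months")
    # Two trial months that only partly covered expenses (constructed figures).
    left, months = reevaluate(10_000, 2_500, [1_000, 1_500])
    print(f"After the trial: ${left:,.0f} left, {months} months of runway")
```

The honest part of the exercise is the overhead fraction: with a quarter of the week going to reporting, learning and time off, the $62.50 hunting hour becomes a $46.88 worked hour, and a trial in which two months only partly cover expenses eats a month of runway, which is exactly the signal the re-evaluation step is meant to surface before the savings are gone.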
Lastly, what and why? What are the drivers for you to want to approach bug bounties for a living, and why? If your goal is to hack cool things all day, bug bounties could well lead you onto the path to being a pentester (assuming you find a firm with varied and interesting work), where a lot of the considerations above no longer apply and you’re able to draw a salary whilst still hunting on the side. In my experience, the biggest benefit here is that all your expenses are covered by the day job, allowing hunting to be something you do for fun, on the targets you most enjoy. The context switch between bug bounties and pentesting is also varied enough that, at least for me, I believe it helps to keep burnout further away, not to mention you’ll have paid holiday time where you can do nothing infosec related.
Ultimately, if you’ve considered the above, and you’ve made accommodations to allow you the flexibility to approach bug bounties well, and make a consistent return, then I wish you every success available and can’t wait to see you on the queue.
If you enjoyed this article, or you have any questions, you can find me on twitter.com/codingo_. I regularly post various items of interest to the hacking and bug bounty community there, and would love to have a conversation with you!