How digital bounty hunters search for software bugs—and money
Companies may offer large rewards, but the reality is that smaller payouts are often the norm. Here's how it all works.
The year was 2016, and Hack the Pentagon had just become the federal government’s first-ever bug bounty program. Just 13 minutes after the initiative opened to over 1,400 hackers, one of them found the first software vulnerability. A whopping 138 reports and $75,000 later, the program was deemed a success.
Bug bounties—money offered by organizations to people reporting software bugs related to security vulnerabilities—have only become more mainstream in the years since then. The pool of bounty hunters has expanded widely, and the reward for finding a bounty has quintupled for the few capable of catching the complex, valuable security vulnerabilities that companies are willing to pay millions for. But while there is a lot of money on the table, payouts tend to remain low, and chances are your average bug bounty hunter is getting paid around $250 for discovering a vulnerability.
Katie Moussouris, former hacker-for-hire and pioneer of Microsoft’s own bug bounty program, has had her concerns, not just about Hack the Pentagon, but about the ways the bug bounty field was changing. “They chose to start with a cash reward program right out of the gate, and that was against my advice,” says Moussouris, who served as an advisor for the Hack the Pentagon program. “You need to crawl before you walk and run.”
For Moussouris, bug bounties were an optional add-on to an entire system that she felt the Pentagon did not yet have in place. While it’s one thing to report a bug, Moussouris felt that the actual investigative work of finding the technical root of an issue, patching it, and testing that patch is something organizations should focus on before whipping out the checkbook to freelancers. She has been sounding the alarm about bug bounties for a long time, and about what she calls the exploitative labor practices in the industry.
Today, when you hear news about a hacker finding a software vulnerability and then receiving an award, that’s the modern-day bug bounty program at work. Here’s what to know about the system—and what some experts say are its problems.
A brief history of bug bounties
In the mid-90s, only one company saw fit to offer rewards for bug finding: Netscape, creator of the widely-used early web browser. A $500 prize pretty much remained the industry standard until 2010, when Google offered $1,337 as their top bug bounty number. That number spelled out “leet” in hacker-speak, short for elite, as a little insidery hat tip to the hackers.
That new offering upped the ante for software companies. Mozilla quickly raised their bounty to $3,000, so Google raised theirs to $31,337 (“elite” in hacker-speak), and Microsoft began asking Moussouris, who was a Microsoft employee at that time, what creating a bug bounty would look like for their browser, which was written in old legacy code.
At that time, people were sending over 250,000 to 300,000 emails a year to email@example.com to report bugs for free, so it took some doing to convince execs that paying hackers could be worthwhile. In 2012, Moussouris launched the Microsoft BlueHat Prize for Advancement of Exploit Mitigations, which paid out $260,000 for bugs in 2012.
Today, those numbers continue to rise. Apple’s maximum payout is $1 million dollars. Google said they paid out $6.7 million in bug bounties in 2020. Blockchain technology company Polygon paid out a $2 million reward for the discovery of a critical vulnerability that would have allowed attackers to double the amount of crypto they were withdrawing.
But these high numbers obscure the truth, which is that the majority of bug bounties are closer to $200 than $2,000, and are mostly hunted down by younger people in foreign countries where the cost of living is much lower, brokered by gig-economy companies like HackerOne (where Moussouris was formerly the chief policy officer) and BugCrowd.
An army of low-paid gig workers
Casey Ellis, CTO of BugCrowd, a crowdsourced security platform that connects bounty hunters to companies, says his company was the first to come up with the idea of putting a platform between ethical hackers and companies that need to know where they’re vulnerable. That was in 2013. “Back then, people couldn’t get their head around the idea that a hacker could be a good person,” he says. “And people didn’t really care about cybersecurity in the way they do today. It’s gone from being very obscure to something that’s dinner-table conversation.”
As of 2022, there are 300,000 people signed onto BugCrowd. While bounty hunters come in all shapes and sizes, Ellis says many of BugCrowd’s freelancers are young males, between 18-25, from places like India, South America, and the Philippines.
Kids also reach out to BugCrowd all the time. Ellis recalls one preteen who figured out how to hack his school lunch system to get free food at school before finding his way to BugCrowd, where his skills could be more ethically deployed.
“Bug hunting is a career path that’s getting more viable,” he says.
In an email, HackerOne CTO and cofounder Alex Rice wrote that “most payouts for bugs rated medium severity average around $500 for our customers — up 11% from last year.” He, like the rest of the bug hunting industry, anticipates these payouts continuing to increase.
It’s hard to make a living as a bug hunter
Security researcher Matt Tait can’t talk about most of the bugs he’s found, because he spotted them while working for the British government. But what he can talk about is how rare it tends to be to find a full-time bug bounty hunter in Western countries.
“The numbers sound very large, but when you dig into the details, they’re actually not necessarily as large as they appear,” he says. In order to get Apple’s highest bug bounty, you’d need to find multiple vulnerabilities affecting different programs inside iOS. Not to mention that it isn’t clear if Apple has ever even awarded any of these very large bounties.
“I’ve never heard of anybody in cybersecurity leaving their job to become a full-time bug bounty person for the money,” he says.
That was exactly what Moussouris was concerned about. “What you want in this ecosystem is to be able to attract and retain workers who will work for you internally, instead of outsourcing at higher and higher rates for one-off little bits of work,” she says.
While that one-time payout may look nice, Moussouris says companies will eventually price themselves out of being able to hire top talent. Moussouris warned Apple about this when they started offering their million-dollar bounty. “Frankly, [the bounty] hasn’t helped them. They had the most zero days of last year, more than Android,” she says.
Moussouris and Ellis agree that bug bounty hunters tend to be centered in less wealthy countries, where an American dollar might go a lot further. “We’re part of a much larger ecosystem,” says Moussouris, who calls for people to train a critical eye on the labor practices of bug bounty platforms. “And what we do in one corner of it will dramatically affect the rest of the ecosystem.”
Correction January 13, 2022: This article has been updated to fix the spelling of Katie Moussouris’ name in two locations.