Why Bug Bounty

People are usually surprised by the answer when they ask me what I do for a living, and then the questions start raining; here are some answers. My first report was an XSS on a Yahoo acquisition, on the 26th of January 2016. Since that date, I (try to) perform bug bounty as a full-time job on HackerOne. Did I say “job”? I don’t really consider bug bounty/hacking a “job”, it’s more a hobby or a passion, because you have to be passionate to perform in this domain. So let’s say that bug bounty is my main source of income. Below is why I do this “job”, why it fits me perfectly and why I love it.


# whoami

First of all: life is unfair. Depending on where you are born, everything is different. So to understand my point of view, you need to know a little bit about me.

I am 40+ years old, I am French, and I have always lived and worked in Paris and its close suburbs. I started web development at the end of 1999. It was the very beginning of the Internet in my country. At that time we had “Webmasters”, you know, that person who could do everything; well, she had to do everything because she was the only one who understood all of this shit: code, hosting services, integration, database, design and sometimes customer relationships. 1 person where we now have 10. A friend told me about PHP3; it sounded pretty easy compared to a compiled language: “If you are comfortable with C, you will be at ease with PHP”, true. “You don’t need to declare the variables nor initialize anything, you don’t even have to care about the errors”, so cool!

18 years later, I’m definitely not a PHP guru nor an Internet master. I had mainly coded basic websites and internal admin panels, and small testing tools since I started security in 2015, after I was fired for security reasons (understand: for having reported several SQLi in the main website of my company). Like many web developers, I didn’t know anything about security; I started from zero. 3 hard months to get the OSCP. At the same time I heard about bug bounty, and I jumped into it at the beginning of 2016.

$ money

Hey what did you expect?

In what kind of (legal) job could I earn 10k$ in 2 days? Seriously?? Even in my wildest dreams, I would never have imagined that. OK, it’s not every day, but… I don’t really need to earn that much every single day. Some people ask me if I’m not afraid because of that, because “the salary” is not stable. Yeah, it’s true, it’s not reliable. But the thing I love is that it mainly depends on me.

In a company, who decides my salary? In a company, whatever my knowledge and skills, no matter the time I spend at the office, if I don’t get along with my supervisor, I’m screwed. If (s)he hates me, (s)he will only relate bullshit about me to his/her own boss, or (s)he will get credit for my work. My salary is mainly linked to this person. That’s it. When I finally get something, I only get a very little something, close to nothing compared to what I asked for, what I really deserve for my devotion, for those hours spent on my weekends repairing the errors made by others.

In bug bounty, it’s very different. The money mainly depends on my knowledge, because the rewards depend on the severity of the vulnerabilities I report. OK, the companies decide the bounties, true again, but if I don’t like the bounties offered by a company, I can simply move to another one. There are many, many programs, and some companies offer big payments, like Facebook, Google, Yahoo, Uber and many others. They are public programs, they offer great bounties and no, they are not bulletproof: there are a lot of holes everywhere, and it’s up to me to find them. Month after month my knowledge increases, so the more I practice, the more chances I get to find big issues and grab big bounties. However, I always keep in mind that bug bounty is like every other freelance job: no work = no money.

+ learning

A company usually hires me for my skills, my current skills, not the skills I’ll potentially have (or not) in the future. They have some tasks in the pool and they need someone to flush the queue; they need me right here, right now, to do this stuff. My potential, my ability to learn, what I will be able to do in 5 years: they can’t bet on this because they don’t know me, and most of the time they simply don’t care about that. Because of that I can only apply to jobs I am qualified for, that I already know, that I have already done before. Some nice companies could help me evolve, move from one chair to another, offer me a course where I’ll get new knowledge, hopefully. But it’s still pretty rare, too rare in France in my opinion; it has never happened to me, I have always paid for the courses myself.

In bug bounty each case is different. I meet so many different types of architecture and crazy combinations of different technologies. I have to take care of older vulnerabilities (sometimes very, very old stuff) but I also have to stay up to date because new bugs appear every day. I read thousands of articles, I watch videos, I buy books, I follow other hackers, I test things by myself, which makes me better and better. My skills grow very fast. I learn something new every day and it’s fucking exciting!

& gratefulness

In my country, people like me (like you?), geeks, are just stupid kids who play video games all day. We are not well regarded by companies; we are like tissues: use one, throw it away. “You’re not happy here? Go away, there are thousands of people like you waiting for your seat.”

In bug bounty, I have been amazed by how nice companies can be. I received more congratulations in the first 3 months of my hunter career than in the past 18 years. Isn’t that crazy? The rewards themselves can be considered a thanks, but they are definitely not the most important thing for me; I appreciate the words much more.
“Damn man, you did a great job, that was awesome, we are happy to give you 300$ for that.”
Bug bounty? Daily. Company? Legend.

\o/ satisfaction

Trust me, there is nothing more exciting than popping a shell on a remote server, not even sex, really. No matter the bounty. I can dance like an idiot watching the result of the commands. And when the issue is fixed, I have this feeling that I did something good. I’m so happy to see that all these hours/days/weeks/months spent learning hacking are finally rewarded. All this time working so fucking hard, all these failures, and finally getting it. Days after the report is closed I still read it again and again, proud of myself :)

Or being able to bypass an SSRF filter: it’s like successfully solving the biggest challenge of my life. It reminds me of the first time I finished a Rubik’s Cube, same feeling, every time.

> contact

Since I started performing bug bounty, I have joined Twitter and been to several conventions, where I met many people in the security industry, like Sam Houston in London. I have been in touch with people from big companies like Yahoo or Uber. I share techniques with some of the most talented hunters on this planet; I spent some days with Geekboy in India, Nicolas Grégoire in Paris, Jobert Abma and Pete Yaworski in Québec, and many others… This is definitely something that would never have happened had I stayed stuck in my small office (or big open space) in a company, because I mainly had contact with my close colleagues, sometimes the office next to us, but come on…

Plus, since I only need a computer and a Wi-Fi connection to “work”, I can do that from anywhere in the world. Any country, any hotel or any coffee shop… I can travel to meet my fellow hunters and make money at the same time, or I can visit the company I hack. You know, meet those people you talk with but never see; it’s so cool to meet them in real life. I have never met so many interesting people who could teach me such interesting things.

? what’s next

I consider bug bounty a step in my life; I don’t plan to do it forever. For now it’s the best way for me to learn & earn at the same time. My goal is to perform pentests and, whatever the platform, be able to enter the system of the company I’m dealing with, whether it has web apps or not. However, since I have been a web developer for ages, web testing is obviously my entry point into the security world.

I think the next step will be network and system testing, but for that, even if I already have the basics, I still have many, many things to learn. I had some small experiences with CTFs at the conventions I have been to; it was so fun and I learned so much there that I will probably give that way a try, it’s also a good way to meet people.

| conclusion

Money, knowledge, thanks, people, personal satisfaction: all these things make bug bounty the best “job” ever for me. The best way to form your own opinion is to give it a try; also take care to read the stories linked at the very bottom of this page.

Now I want to say something to developers, especially French people. If you work in a company, if you are not happy in your daily job, if you don’t like the way they use you, if you think you deserve something better: you have to know that you can choose. Really! There are several options. Freelancing is one of them. It can be scary at first, but remember that you have the strongest position. You have skills, you have experience, you have potential, you have real value (and I’m not only talking about money); never doubt that, and don’t let anyone tell you the opposite. Companies need you much more than you need them, because you create the world of today and tomorrow.

Do you know this story? A company hires a senior designer to create a new logo for the brand. 2 days later the freelancer comes back with some graphics. The artistic director of the company studies the propositions and chooses one. Then he asks the designer for the invoice; what a surprise when he discovers the total amount:
- 5000$?!! Seriously? 5000$ for 2 days of work??? For a single image??
Reply:
- No, 5000$ for 15 years of work.

My opinion.
