Bug bounties won't make you rich (but you should participate anyway)
Just in case you were planning to quit your day job to go full-time killing bugs for a living, don't. Sure, some hackers make more than $1 million each year doing that. And, sure, you just might, too. But as experienced bounty hunter Alex Haynes has described, "very few people [squashing bugs for bounties] even earn more than a pest control worker in Mississippi."
Yes, really. Here's why.
The highs are high (and the lows are low)
The thing that gets hackers hungry for bug bounties is the dopamine (and five-figure cash) rush when they spend just a few minutes hunting for bugs, find one, report it, and seemingly get "money for nothing." The problem is this rarely happens for most people.
Even when it does, Haynes said, there are all sorts of reasons that finding a bug doesn't equate to finding riches:
And more, including haggling over whether serious vulnerabilities are viewed or treated as such by the company paying out bounties. The hacker is somewhat at the mercy of the companies paying out the bounties, without much leverage to ensure she gets paid on time (or at all).
Anyone can play guitar (or hack for bounties)
When I asked HackerOne CEO Marten Mickos last year about what makes bug bounties worthwhile, he pointed to the significant money many hackers make. But he also insisted that this wasn't the most important aspect of such programs. Instead, he said, bug bounties create "opportunity democratized across the entire globe."
Yes, the few make much more than the many, but this isn't surprising. Those who are most experienced will tend to make more, but the opportunity to gain that experience (and make more money) is always there.
Meanwhile, Mickos said, "Super smart people who are fully engaged in cybersecurity work in their spare time to hunt for vulnerabilities, report them, and help others explain how it was done. The security of the company in question improves. The overall understanding of this type of vulnerability increases in the industry." It's a virtuous cycle, one that should make our software and systems more secure, even as a rising number of hackers get paid for their troubles. (And, as Haynes makes clear, there are real troubles that need to be ironed out.)
Disclosure: I work for AWS, but nothing herein relates directly or indirectly to my work there.