How to Become a Bug Bounty Hunter



There are numerous ways to make money in IT. There are career options in IT that have nothing to do with programming, and there are people in IT that have never even written a line of code in their life. There are UX and UI designers, business analysts, technical writers, game testers, etc. Bug bounty hunters usually have some technical background, but this is not always the case.



Ethical hackers, or security researchers, are people who look for vulnerabilities in networks and websites. We must distinguish between ethical hackers, aka "white hats", grey hats, and black hat hackers. White hats look for security exploits with good intentions and with permission; grey hat hackers do the same but without permission; and black hats find bugs with bad intentions and without permission. Bug bounty programs were created to encourage hackers to stay away from the dark side of hacking. Many big companies in the tech industry have such programs, including Facebook, Google, Microsoft, Reddit, Mozilla, Tesla, Pinterest, and even the US Government with its "Hack the Pentagon" program that ran in 2016, and the newly created one – "Hack the Army".

While bug bounty hunting is mostly web-focused, 2020 has brought an increasing demand for VPNs and more strain on networks in general. More people are working from home, workstations are decentralized, and network vulnerabilities are there to be exploited.

Many researchers point out that AI is taking over testing and bug finding. While this is true to some extent, AI at its current level (still) cannot match the creativity of the human mind.

Also, competition is hard. There are thousands of people hunting for bugs. There are thousands of bug reports submitted every day. Not all of the bugs found will be rewarded, and of those rewarded, many will only get a t-shirt or a pen.



It was already mentioned that not all IT specialists have programming skills. With bug hunting, it is an advantage to have a technical background, but depending on the field you are working in, not having such a background is not a deal-breaker.

If anything, you should be passionate about it. Spending long hours trying to find a bug can be boring and tedious. Also, most people are surprised by the amount of paperwork that has to be read and written. That includes staying up-to-date with the latest news, vulnerabilities, reading research papers, following popular security experts on social media, and reading bounty write-ups and reports.

So, what do you need to know to get into bug bounty hunting? You should have at least a basic knowledge of networking, HTML, PHP, and JavaScript, plus basic Linux skills. The more you know, the better, so try to educate yourself, stay up-to-date, and read other people's bounty write-ups. If you do have some programming skills, do code reviews. Follow what is happening at DEF CON (the world's largest hacker convention). Get on Hacker101 and do as many exercises as you can. Great hackers say that there is a lot of intuition involved in finding a bug, but intuition comes only after long practice.



Ethical hacking can be extremely rewarding. Google paid security researchers over $6.5 million in 2019. There are pros and cons to bug bounty hunting. You could spend weeks or even months looking for a bug that will never show up, or you could get lucky and find one after just a couple of days of research. Depending on the severity of the bug, a couple of hundred dollars might be coming your way, or it could be just a t-shirt or, even worse, nothing. Bug hunters should be aware that a lot of submitted bug reports are marked as duplicates. Often, depending on the severity, a company might decide that the integrity and functionality of the website or the app are more important than fixing an insignificant bug right away. A lot of duplicate bug reports can be submitted because the company has not yet started fixing the issue.

A very important thing to note is that you should not just try to hack any random website out there. This might get you in trouble with the authorities. Search for Bug Bounty Reward Programs. A very comprehensive list can be found on the website of The list includes big company names like YouTube, Instagram, Google, Yandex, Intel, and many others. Participating in those programs will give you confidence that if you find a bug, there is a bigger chance of receiving a reward for it.