Hacking Full Time
Almost every week, I receive a message from someone in my network asking me if full-time bug bounty hunting as a profession is possible. Honestly, I don’t think I can answer that for you, but what I can do is share my experience as a bug bounty hunter over the last year. This blog post will give you some insight into my career and my transition to working for myself, and then I’ll open up on planning, finances, and execution, which I hope will help with your own decision making if you are considering a similar path.
Just a heads up: this is an extensive overview. If you’d like the TL;DR, please check out the YouTube video.
BACKGROUND
Before we jump into this, it is important to note that I do not consider myself a full-time bug bounty hunter. Let me explain why:
If you are an OG Nahomie, you know that I have been hacking on Bug Bounty programs since the end of 2013. In 2015 I was hired at HackerOne as an intern where I spent most of my time helping improve the hacker experience. During my last 4 years at HackerOne I focused most of my time on creating a community by organizing hacking events, conferences, streams, creating content on Hacker101. As a result of it, I was even given the chance to share my experience with hacking large organizations like Airbnb, Lyft, Apple, or Redbull at large security conferences like BSides, DEFCON, and OWASP’s AppSec California. In April of 2022, I left HackerOne to join Hadrian as the VP of Research & Community which only lasted until December of 2022.
Throughout all of those years of working my 9-5 job, I always participated in bug bounties in some way, because I really believed that I couldn’t improve the hacker experience if I wasn’t hacking on the platform myself. So I have never really considered myself a full-time bug bounty hunter, because it was always more of a hobby that helped me better understand the community and helped me with my career.
Deep down, I had always wanted to leave my job and become a full-time bug bounty hunter and content creator. Mostly because I enjoy both hacking and creating content, but also because I wanted to work for myself to be in charge of my schedule. This would allow me to choose when and where I work, chase my own dreams, and build something for myself.
Even to this day, I don’t consider myself a full-time bug bounty hunter, because I don’t spend the majority of my time on bug bounty programs. I enjoy having a mix of different types of work. Hacking, whether it’s for bug bounty hunting or my clients’ pentests, is a great way to stay technical. Creating content helps me stay creative, and teaching or speaking at conferences allows me to push my career forward while I get to connect face to face with the community. On top of it all, I’m also in the process of launching my company HackingHub to help the next generation of hackers. So as you can see, I have my hands in a lot of different projects, and you are probably asking yourself, how?
SELF EMPLOYMENT
When it comes down to working for yourself, regardless of the profession, your lifestyle and your spending habits play a huge role in making this decision. When I was in my VP role, I was guaranteed a very comfortable salary where my spending habits didn’t really matter. However, the best decision I made when I took my new role was that I promised myself not to let an increase in wages push me into “lifestyle creep”...and let me tell you, when you are in your early thirties and you start making double your previous salary overnight, that is one of the hardest decisions to make! So when I went from a guaranteed and comfortable monthly salary in 2022 to $0 on January 1, 2023, it was time to examine my lifestyle and spending habits. This started with looking at what I spent my money on, and asking myself:
“How much of a runway do I have?”
Luckily, I was in a position where I had a good amount of money saved up, so that I could still live and pay my bills for the next year or so without any income. But, I do know that not everybody is fortunate enough to have the same circumstances. So this process starts with creating your bare minimum:
“How much do I need in order to get by?”.
Here’s an example bare minimum per month:
$2500 - Housing and utilities
$1500 - Transportation and car expenses
$500 - Groceries
$500 - “Oh shit funds” for anything unaccounted (not required)
Totalling everything to $4,000 - $5,000 per month.
Sidenote: The numbers used are made up for the sake of having an example to give readers a framework to work with. While I understand that $48,000 - $60,000 may not be realistic for some, they are there to help the reader understand the framework.
The point of the bare minimum isn’t to stop living your life. It is to make sure you don’t lose your necessities by causing issues with your bank due to missing your car or mortgage payment. This may seem a bit aggressive at first, but if you’ve worked a 9-5 job with a comfortable salary, where you’ve received a paycheck regularly and put everything on “auto-pay”, you don’t pay as much attention to these expenses.
Now that I had come up with my “bare minimum” income, it was time to come up with a plan: “What do I have to do to make this amount?”. Luckily, because my bare minimum wasn’t extremely high, I didn’t have any major responsibilities (like kids), and I do have multiple sources of income, I had more options to come up with this plan, and it looked similar to this:
$4,000 - $5,000 x 12 = $48,000 - $60,000
So that means if I made anything between $48,000 and $60,000 in yearly income, I could make it without having to look for a full-time job. But to make my plan easier to execute, I split it into quarterly goals. This allows me to focus on the bigger picture by splitting it into smaller milestones. If I end up making more than my quarterly goal, it rolls over into the next quarter so I feel less pressure.
When split quarterly, I need to make at least $15,000 per quarter. Now let’s look at my options:
YouTube/Twitch: Let’s be real, most of your infosec content creator friends are probably not making their living wages from their ad revenue. So this would more than likely not be an option.
Content sponsorships: At the time, I was sitting at 60,000 subscribers with no regular sponsorships. Getting sponsors is typically not something that’s guaranteed, especially with the current economy, budget cuts, and layoffs.
Pentests: Probably my best bet, tapping into my old contacts and customers or working with Bugcrowd or HackerOne through their pentest offerings.
Bug Bounty: This seems to be the most obvious option, because one or two critical findings can pay for my entire quarterly goal, but I was hesitant, and I’ll explain why later.
Let’s break it down. $15,000 in three months, while being realistic with all of my options:
25 percent in sponsorship + ad revenue + subscriptions + anything content related
25 percent from pentesting
50 percent from bug bounty hunting
I’m not going to bore you with all of the details of my approach to generating an income from content or pentesting, but I do want to talk about the 50% that was dedicated to bug bounty hunting. In short, my approach to any of those revenue streams was to ask myself:
“How many valid submissions do I need in order to make $10,000 per month?”.
That, on its own, is a loaded question. It depends on the bugs you find and the bounty ranges which change per program, but here is my approach.
THE BUG BOUNTY APPROACH
Find a program that pays either:
An average of $500 per valid vulnerability, or
A minimum bounty of $500 for a medium-severity vulnerability.
This helps with a few different aspects of bug bounty hunting. First, if I do find a really good program that has a ton of similar vulnerabilities, they are more than likely going to be considered medium to high. These are typically your reflected XSS, low-level IDORs (or what I call “read-only IDORs”), or information disclosures. They are easy to find, but if reported en masse, you can easily make $2,500 to $4,000 on a single program by following the same pattern.
Second, programs that pay $500 for Mediums will have much more attractive bounties for Highs and Criticals. These are your server-side request forgery, privilege escalation, remote command execution, or IDORs where you are able to modify data or read sensitive information. Here’s an example from one of my favorite private programs on HackerOne:
The main challenge here is to pick a program, stick to it, and not jump from one program to another because you aren’t having any immediate success. We’ll talk about this a bit more later.
You can adjust the average bounty or reward per medium vulnerability to whatever you are most comfortable with. I chose $500 because I look at it from an hourly and effort perspective. If I spend 4-6 hours learning how an application works and find something minor, like a reflected XSS, I want to make sure I receive something that’s worthwhile: about 10-15% of my monthly goal from bug bounty hunting.
So if you are considering following a similar approach, here’s a short version of how to use my framework:
Calculate your bare minimum and what you need to get by
Create a runway to cover 3-6 months of your bare minimum
Find a large company in a large industry (banking, hospitality, retail) that may have different micro applications that contribute to their core application (analytics, ads, payments, etc)
Now, I know what you are going to ask:
“Why only 50%? Why not 100% of your income from bug bounty hunting?”
Well, there are multiple reasons why. First, I wanted to continue to scale my multiple sources of income, but I was also afraid of not being able to make that 50% from bug bounties, because I felt like a washed-up hacker. Deep down, I knew that it wasn’t true, because I continuously delivered good results on my clients’ pentests, but when it comes to bug bounty hunting, it’s a different game. I think a reason for most of my self-doubt was that near the end of my time at HackerOne I was unable to participate in bug bounty programs on the platform.
Mostly this was because my days were filled with busy managerial work, but I also didn’t have access to programs like I used to, due to internal policies and the optics of working at one of the leading platforms. Fortunately, I no longer have that excuse. In the chart above, you can see that I had a few good months of bug bounty hunting, but eventually it declined more and more, to the point that I was only doing pentests with no bug bounty.
But the reality of bug bounty hunting is that it requires a lot of consistency. You are going to have periods of time when you may not find any vulnerabilities. This can be incredibly frustrating, but you need to shift your mentality. Count every “bugless” night as a learning opportunity: learning new skills to add to your testing methodology, learning about newly uncovered assets, or just another night getting closer to a valid, unique find.
While bug bounty hunting is high-risk, because of the number of hours you spend, the possibility of finding duplicates, or that you may not find anything for days at a time, it is also high-reward. It is going to take time, but if you are putting your efforts into the right programs, looking for vulnerabilities that have a direct impact on the organization’s infrastructure or its users, you are going to have a breakthrough. It is only going to take that one program to set you on the right path: the program where you have your breakthrough and find a few vulnerabilities to build the momentum and motivation to get through the bugless nights. For me it was a private program on HackerOne, for which I need to give a shout out to zseano for pushing me to hack on them. This helped me enjoy hacking more, readjust my quarterly goals, and allocate more of them to bug hunting.
I’m not going to lie, it was extremely difficult at first. I wasn’t able to reach my goals for the first few months because I was still trying to figure it out. How do I land new pentest clients? How do I ask for people to sponsor my content? What programs do I hack on? But that’s what my runway was for.
I jumped from program to program because I couldn’t find anything interesting. I was continuously relying too much on automation and recon, until I realized that most of my bounties were coming from programs whose core business I had spent extensive amounts of time understanding. I didn’t have this realization until one of the HackerOne live hacking events, where I was forced to hack on a company that I had always been too afraid to look at. I spent 4-6 hours daily looking at the same application to completely understand how everything works, how each application communicates with the core application, what services they offer, and more. It officially pushed me to shift my mindset from finding bugs through automation to looking at the core application, where they deploy new functionality every quarter. I quit recon, and it helped me figure out a new framework that has allowed me to exceed my goals for this year.
As you can see in the chart on the right, every 6-8 weeks I push myself to do these hacking sprints, where there isn’t a monetary goal anymore. You may have seen this video, but if it wasn’t for making $100,000 in two months, I wouldn’t have adjusted to this new schedule. So now I hack for 6-8 weeks to either hit my quarterly goal or create another runway for 3-6 more months, so I can focus on my other projects like launching my company, getting more pentests, and creating content.
CONCLUSION
So, if you are considering going full time with bug bounty hunting or pursuing your passion, regardless of what it is, here’s my advice:
Make sure you have a runway. I highly recommend having 4-6 months of your bare minimum saved in an account to give yourself some time to adjust while you execute your plan.
Create a plan! What do you need to do to survive? How are you going to make that happen? Break your plan down into smaller portions and execute. Be realistic with your plan but also don’t be afraid to aim high. You can always revise your plan!
Give yourself time. You are not going to meet your goals overnight. It’ll take time. This is what your runway is for.
Find a group of people to work with. Your Network Is Your Net Worth! Surround yourself with people that can push you to achieve your goals, both in real life and online.
Find a large-scope program in a big industry (finance, music, retail, etc.): a company that has multiple services that you can log in to with your account. For example, Snapchat, Spotify, Shopify, etc. All of these programs have different, smaller applications that support their core business.
If you are new to bug bounty hunting and this motivates you to try it out for yourself, check out some of my bug bounty related content:
A big thank you to zseano, Joel Margolis, Douglas Day and Mike Privette, and Todd Bailey for reviewing this blog post and giving me some valuable feedback.