Bug bounty hunters can make big bucks with the right hack

They look for weak spots in companies' online armor. For most, it's a side job. A rare few do it full time, making six figures a year from legit hacking.

Alfred Ng, Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Bug bounties are a multimillion-dollar industry. A small group of talented hackers have decided to make it their livelihood.

James Martin/CNET

Back in 2002, Tommy DeVoss had some unwanted guests at his front door: FBI agents, ready to raid his home.

He'd been leading a hacking crew through a yearlong run attacking government websites and internet giants like Yahoo.

A decade and a half later, he's the one knocking on the door of some of the biggest websites out there, and the businesses behind them are gladly paying him thousands of dollars for his hacking efforts.

DeVoss is part of a rare group of full-time bug bounty hunters, hacking experts who dedicate their days to finding vulnerabilities on websites in hopes of big rewards, the digital equivalent of Indiana Jones. These bug hunters have been helpful to smaller companies that don't have resources to hire full-time experts to test their security, and even to big tech companies looking to augment their security efforts. They can help find flaws that could prevent major hacks by cybercriminals.

At a time when malicious hackers are exploiting vulnerabilities in a big way -- consider the 145 million people affected by Equifax's breach, or the 3 billion accounts whose information was stolen in the Yahoo superhack -- companies are more vigilant about the need to protect themselves. For DeVoss, that means business is good.

Indeed, he went from struggling to find a job, given his conviction record, to quitting a comfortable, pedestrian job as a software developer that paid $90,000 a year. That was in late 2016, when he turned his focus to hunting for software bugs full time. He's aiming to make $100,000 this year, and already exceeded $84,000 in bounties by July.

DeVoss and other bug hunters have been busy. Companies like Google, Apple, Facebook, Chrysler and United Airlines, as well as government agencies including the Department of Defense, often launch bug bounty programs to reward hackers who find security flaws before criminals do. In 2016, companies and agencies paid out $6.3 million for 52,000 discovered vulnerabilities, according to Bugcrowd, a bug bounty platform.

"Our bug bounty program is an essential pillar of our security strategy," a spokesperson for Oath, a unit of Verizon to which Yahoo now belongs, said in an email.

It's like paying a burglary expert to come to your house to tell you all the ways someone could break in. The bigger the vulnerability, the higher the reward.

While these programs are popular, of the more than 53,000 bug bounty hunters active since March, only 15 percent are considered full-timers like DeVoss, according to Bugcrowd.

Some of them strike it rich, like Mark Litchfield, a veteran who makes more than half a million dollars a year on bug bounties. Others have more humble ambitions, like India's Jasminder Singh, who nabs bounties to fund his startup.

Here's what it's like to be a bug bounty hunter, from their own perspective.

The ex-con


Tommy DeVoss spent several years in jail for hacking. Now it's his job.

Courtesy of BugCrowd

As a teen, Tommy DeVoss defaced more than 160 government websites under his alias, DawgyG. DeVoss ran the World of Hell hacking group and thought he was untouchable.

Then the World of Hell fell apart. Agents arrested every member between 2002 and 2003.

He was slow to learn his lesson. DeVoss had three different stints in prison for hacking over the next several years.

After finally straightening out and getting a respectable job as a software developer for a small startup, he saw an article about a bug bounty program for Facebook. He brushed it off at first -- after all, a judge had told him his next conviction would bring the maximum penalty.

"It seemed too good to be true, that people were going to pay me to hack them and not call the FBI again," DeVoss said.

Then in 2015, he went to Defcon, the massive annual hacker gathering in Las Vegas, where bug bounty hunters told him how much money they were making. He decided to give it a shot, out of both boredom and envy.

DeVoss even returned to the scene of his last crime: Yahoo. He'd been hacking the site since 1997 and thought nearly two decades of experience would give him an advantage.

He was still nervous about hacking his old foe. DeVoss figured he'd do something simple, something that wouldn't get him in trouble with federal agents again.

He found a Yahoo gist -- a GitHub code snippet, meant to be private, that contained internal Yahoo code -- sitting publicly on GitHub, through a simple search, no hacking involved. He didn't think it'd be worth anything, but it would be enough to test the waters of a bug bounty program.

The company paid him $300 for it.

"I got $300 for finding something through a Google search," DeVoss said.
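The lesson of that $300 bounty is that secrets leak through ordinary publishing, not break-ins, so the check a practitioner wants is a scan of anything about to go into a public repository or gist. The scanner below is an added example written for this page, not code from the article or from Yahoo. It runs the two standard techniques, keyword-and-pattern matching plus Shannon entropy of quoted strings, over a constructed gist-like snippet; the credential values in the sample are the publicly documented AWS example key pair, not real secrets, and the variable names and thresholds are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: a gist-like deploy script (not Yahoo's code). The key
# values are AWS's own documentation examples, so nothing here is a live secret.
SAMPLE_GIST = """\
# deploy helper (constructed example)
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
RETRY_COUNT = 3
LOG_LEVEL = "debug"
"""

# Rule 1: provider-specific formats. AWS access key IDs start with AKIA
# followed by 16 uppercase alphanumerics.
# Rule 2: a secret-looking variable name assigned a quoted literal of 8+ chars.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"""(?i)\b\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*["']([^"'\s]{8,})["']"""
    ),
}

# Rule 3 candidate: any quoted token of 20+ base64/URL-safe characters, which
# is then judged by its per-character entropy (random keys score high, words low).
QUOTED = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character histogram."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 3.5) -> list:
    """Return findings as dicts with line number, rule name and matched text.

    A high-entropy string that was already caught by a pattern rule on the same
    line is not reported twice. The 3.5 bits/char threshold is an assumption;
    tune it against your own code base to balance noise and misses.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "rule": name, "match": m.group(0)})
        for m in QUOTED.finditer(line):
            s = m.group(1)
            ent = shannon_entropy(s)
            already = any(f["line"] == lineno and s in f["match"] for f in findings)
            if ent >= entropy_threshold and not already:
                findings.append(
                    {"line": lineno, "rule": "high_entropy", "match": s, "entropy": round(ent, 2)}
                )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_GIST):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
```

On the sample it reports the AWS access key ID on line 3 and the secret-key assignment on line 4, and stays quiet on the hostname and log level. Running something like this as a pre-commit hook is the cheap version of what DeVoss did with a search box; the entropy rule is what catches keys whose format no regex knows about.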

From there, he was hooked. He'd spend most of his time at work hunting for bugs instead of doing his actual job and eventually just quit.

He's been paying off his student loan debt and injunction fees from his past crimes with bug bounties. It pays off when you can make $9,000 in 15 minutes, as DeVoss did in June for finding a single bug.

"I would have to be the CEO of a Fortune 500 company to make the same hourly wage that I make while working on bugs," DeVoss said.

The high roller


Mark Litchfield was the highest-earning bug bounty hunter in 2016, and he's on track to keep his title in 2017.

Courtesy of HackerOne

"If you're not first, you're last."

It's not only a goofy quote from "Talladega Nights," but the mantra that helped Mark Litchfield become the highest-earning bug bounty hunter, making $600,000 in 2016.

When you're not the first to send in a bug, you can lose out on $10,000, Litchfield said. He remembers, because he'd hit the jackpot in 2015 after discovering a major bug in PayPal's code that allowed remote code execution, meaning an attacker could run code of their own choosing on PayPal's servers.

The flaw earned the Las Vegas resident a quick $15,000. A couple of days later, another bug hunter found the same coding error, since PayPal hadn't fixed it yet. The latecomer got only $5,000, though by bug bounty standards, that's generous.

"If you come in second, it's a duplicate and you're not going to get paid," Litchfield said. "It happens to all bug hunters, and it can be extremely frustrating."

Litchfield decided to become a full-time bug hunter in 2014 through HackerOne, another bug bounty service, after he became confident he could pay all his bills through hacking. Like DeVoss, Litchfield felt bored at work and figured he could make a lot more money by going all-in after bounties.

To Litchfield, every bug bounty program is a race. And over the last year, he's won several. He's hunting for major bugs, not small-time flaws that every other bounty hunter is picking up. If a bounty is less than $500, Litchfield said, he doesn't even bother touching it. His targets can be worth as much as $50,000 a month.

The trick is to find flaws in the services a company considers most important. When he joined Yahoo's bug bounty program, he went after its advertisements and email -- the company's bread and butter.

Instead of relying on an automated scanner to detect bugs, Litchfield takes the manual approach. He combs through important applications, searching for anything that would give him administrator-level privileges. He'll dig through code, looking at how it's built and at the ways it could be broken.

"It can be time-consuming," he said. "But if it's done right, you can find the issues you're there for, and the payouts are normally very high."

He's constantly afraid that all his work will have been for nothing, a major disappointment that's happened more than once. But he doesn't let it get him down.

"I enjoy what I do. Sometimes things get a little bit frustrating, but I've chosen to do this, so I've just got to move on," he said.

The startup


Jasminder Singh (back right) with his team. He uses money from Google's bug bounty program to fund his startup.


Not all bug bounty hunters are swimming in riches. For some, even a small payout can mean a lot.

At India's average wage of $4.25 a day, it would take Jasminder Singh more than six years of nonstop labor to make what he did in four days from bug bounties.

Singh, an entrepreneur in India, never saw himself as a bug bounty hunter, much less a hacker. He's a web developer, making apps and websites for any clients that would pay him. He only got into security because he needed to keep his own creations safe.

But sometimes business was slow. When he couldn't count on his startup to pay the bills, Singh found a lucrative backup plan in bug bounties.

Google and YouTube have provided a steady flow of income for Singh, who uses all the earnings to build his company. If he's ever in a bind for cash, he'll turn to their two programs.

"If you want to make money quickly, and you're good, bug bounties are definitely the way to go," Singh said.

The first time he tried out Google's bug bounty program was in December. Singh had been short on cash and learned about the tech giant's Vulnerability Rewards Program. In 2013, Google had given out $3 million in rewards for hackers who found vulnerabilities in Android and Chrome, and Singh figured he could find bugs for some quick cash.

The first bug he discovered was an issue with YouTube -- a cross-site scripting (XSS) flaw, which lets an attacker inject script that runs in other users' browsers with the site's own privileges, where it can act as those users or steal their sessions.

"Google is very concerned about guarding their access," Singh said. "If you find a bug, it's usually five grand, guaranteed."

By Litchfield and DeVoss' standards, that isn't a lot. But for Singh, it's enough to fund his own company.

Full-time bug bounty hunters are rare but steadily growing in number, Litchfield said. Talented hackers are learning they can earn a lot of money for essentially breaking into a web service, while major companies figure it's easier to pay bounty hunters to find their flaws than to spend hours searching for them themselves.

As long as the cash keeps flowing in, hackers have found a legitimate way to earn a living and make a difference at the same time -- if they're willing to put in the work.

"There's a lot of people that have small families and can make $150,000 as security analysts," DeVoss said. "It's not worth the risk for a lot of them to try to do it full time."
