Forgot your password?
typodupeerror
Bug Programming The Almighty Buck

Life As a Bug Hunter 68

Posted by samzenpus
from the bug-bounty dept.
An anonymous reader writes "Bug Hunter Aaron Portnoy claims to have earned $60K in 3 months as a bug hunter when he was 19 years old. Pretty impressive. Tighter company budgets and increased pressure to get a product ready by its release date means code isn't checked so thoroughly and bug frequency rises. From the article: 'Mozilla — makers of the Firefox web browser — were first to start a bug bounty programme in 2004. Their top prize is currently $3,000 (£1,800) and they have paid out about $40,000 (£25,000) per year since then. Their top earner is a student in Germany who has bagged more than $30,000 (£18,000) from a series of discoveries.'"
This discussion has been archived. No new comments can be posted.

Life As a Bug Hunter

Comments Filter:
  • by Anonymous Coward on Sunday June 19, 2011 @04:12PM (#36492962)

    I make a decent amount producing new bugs.

  • Do they pay the coders this much too? or are the code submissions all donated?

    • by vlm (69642)

      Do they pay the coders this much too? or are the code submissions all donated?

      They could:

      1) coder will submit a javascript parser provided by me in an envelope containing both half the cash bounty and a buffer overflow
      2) ....
      3) Profit!

    • Do they pay the coders this much too? or are the code submissions all donated?

      Coders are paid by Mozilla if they are employees. Coders are paid by other companies or organizations to code for Firefox, as necessary to meet that employer's needs. I could certainly see Mozilla offering a bounty for coding a specific feature, but this is usually called a contract and is exclusive to one or one group of reputable, vetted coders. The only reason they are offering money for exploits is because they don't know what, exactly, needs to be done and because the community hasn't jumped on the iss

  • by Anonymous Coward

    Don't get me wrong; $60k in 3 months is not a bad haul for anybody. But as the single biggest payout (over time) fluke ever, it kind of sucks, and is reflective of the average pay one can expect pursuing this career, which also sucks.

    If you want to shoot for the moon, you might as well just play the lottery.

    It's another thing if you hack for fun, and can collect a little money on the side for it. But this is not a sustainable career for anyone and slashdot in particular needs to stop acting like these guys

    • by ark1 (873448)
      The real money is in the black market of 0days. That is where Intelligence agencies and criminals compete for new vulnerabilities and are willing to throw some major money depending on the severity. If you are fortunate to find a critical 0day - think remote exploitation in a popular OS/application without user interaction then you may pocket 6 or even 7 figures for a single bug. White hat reporting is mainly done as a hobby and/or advertisement of your personal skills or your company and is not really mea
    • by BitZtream (692029)

      Thats 240k/year and doesn't require you to live somewhere that 240k a year isn't a big salary.

      240k/year is decent pay for anyone doing that job with the exception to that being the jobs doing it in areas where it costs a million plus a year just to pay your rent.

      You're seriously claiming you make 240k/year or more and that that is 'average pay'? What shitty assed city do you live in where thats the case cause there are only a limited number of places where 240k/year is average pay and pretty much none of t

  • Ahem... (Score:5, Funny)

    by bughunter (10093) <bughunter@ear[ ]ink.net ['thl' in gap]> on Sunday June 19, 2011 @04:24PM (#36493038) Journal

    I was not consulted for this article, therefore it must be considered suspect.

    • by bughunter (10093)

      I should add, it's easier when the bugs find you. It takes a special kind of [karma|luck|uncanny statistical influence] to be a real bughunter. You have to be the kind of person who only needs to walk by a piece of dodgy tech in order to induce it to fail. That gives you an inkling of what life as a bughunter is really like.

      On one hand, being an early adopter is just asking for trouble. Don't go there, unless you're being paid to. If it's been half-assed, you're going to find out -- and these days it

  • So being a bug chaser is now a profession? Who knew?
  • Ok, so even though I'm a programmer, when I started reaading the article, I was really thinking this was about a vermin hunter, someone who rids people's houses of infestations of insects or something like that... Am I the only one?

    • Ok, so even though I'm a programmer, when I started reaading the article, I was really thinking this was about a vermin hunter, someone who rids people's houses of infestations of insects or something like that... Am I the only one?

      No, you aren't. I just thought about someone going Terminator-on-your-ass on cockroaches or something before I read the submission itself.

    • by Aldanga (1757414)
      Definitely not. I had flashbacks to Pokémon battles with bug catchers.
  • The promises of OSS was to have more eyes looking at your code and therefore making better software.

    That is var sad that money needs to be involved, but we don't live in the same OMG ponies world RMS lives in, it died in the 80s after our pot smoking parent changed their mind about the value of money. Nowadays, you see leech of the system making money with all sorts of repulsive business model, ... so that is a good thing that security researcher gets rewarded and that student with too much time invest it

  • Lite? (Score:4, Insightful)

    by ninetyninebottles (2174630) on Sunday June 19, 2011 @05:26PM (#36493342)

    From the article:

    "When we started out it was $1337 which if you write it down spells out 'lite' which is hacker speak for elite. Since then we've increased the top prize to 3133.70 which spells 'elite,'" explained Rukowski.

    Seriously? 1337 spells "lite"? Are the authors of this article really that clueless and have that little competent review of their material? 1337 spells "leet" which sounds like "elite" if you don't really pronounce the first letter. Isn't this explained in "Hackers" or some other pop culture movie?

    • by mkiwi (585287)

      For a brief moment, I had the fancy of thinking entomologists were traveling the Amazon, making new discoveries for large amounts of money. That's pretty l337. I'm going to go back and read xkcd now.

  • In other creative industries, these contests are known for the exploitative ruse that they are. They fall under a more general class of labor called "spec work." With contests in general, or in this case bug bounties, a large number of people are induced to work while only a few or maybe none are actually paid.
    • better that they be working towards some kind of good than that they, for example, be trying to exploit existing bugs or looking for new bugs to exploit...

  • "When we started out it was $1337 which if you write it down spells out 'lite' which is hacker speak for elite. Since then we've increased the top prize to 3133.70 which spells 'elite,'" explained Rukowski.

    honestly their research knows no bounds

To thine own self be true. (If not that, at least make some money.)

Working...