Everywhere you turn it seems that companies are having serious problems with security, and they desperately need help. Getting into information security provides an incredible career path with what appears to be no end in sight. There are so many disciplines to choose from in InfoSec, with the fundamental question being whether you join Team Red or Team Blue. Most people tend to pick the Red team and decide that becoming a professional pentester is the way to go, as it is the sexiest option (and typically pays well). However, with bug bounties currently being all the rage and providing a legal and legitimate way to profit from vulnerability research, who really wants to be a pentester when you can have so much more fun being a bug bounty hunter!
Researcher motivation and the options for making money from vulnerabilities were much different in the old days than they are today. This talk analyzes the history of selling vulnerabilities, the introduction of bug bounties, and their evolution. We cover many facets, including the different types of programs and the ranges of money that can be made. We then focus on researchers who have chosen the bug bounty hunter lifestyle and provide details on how to get involved in bug bounty programs, which programs likely pay the best, and which vendors you may want to avoid. What constitutes a good bug bounty program that makes it worth your time? What do you need to know to make sure that you keep yourself out of legal trouble?
Ultimately, we’ll provide thoughts on the value of bug bounties, their future, and whether they can be a full-time career choice instead of a more traditional position such as pentesting.