For many, bug bounties present a way to escape the rat race, exchanging the handcuffs of employment for autonomous control over not only their day but their financial future. As appealing as that sounds, it’s important to remain objective and methodical about turning something like bug hunting into the way you keep the lights on. It’s not wise to make life-altering decisions without pragmatically weighing all the factors. If you’re on the precipice of taking this path, this post outlines the important pros and cons to weigh before turning bug hunting into a full-time career.
Author’s note: While I haven’t exclusively done bug bounties for a living, I have earned enough in a year (with part-time hunting around a pen testing job) that I easily could have. For seven years, I also played online poker professionally as my only source of income. While professional poker is not the same as professional bug bounty, the mindset and life requirements, environments, setups, and strategies have very direct correlations. I believe that these two shared experiences put me in a unique position to discuss at length the considerations you should make before taking the leap.
Why is prior experience so valuable?
The most obvious consideration is prior experience. Not only should you honestly gauge your hacking abilities, but you should also assess your time spent in the industry. This will give you an idea of the kind of return you can expect and how quickly you can expect it. If you’re considering making a run at doing bug bounties for a living without having already put a significant amount of time into hunting, you’re going to be at a distinct disadvantage, for a few key reasons:
- The best programs and opportunities are reserved for seasoned hunters. The longer you’ve been hunting, the more private invites you’ve received, and subsequently, the wider the attack surface available to you. Likewise, the better the severity ratings of your previous reports and the higher the quality of the reports you’ve written (both of which are products of experience), the earlier you will be presented with better opportunities. At the beginning of your journey, the only programs available to you tend to be public, Joinable, and Waitlistable programs. While there will undoubtedly be bugs to be found in these programs and money to be made, the return on your time and the number of bugs left in the attack surface are far lower than they would be with access to a wider array of programs (and platform opportunities). In addition, the more successful you are, the more opportunities you’ll have to network with, collaborate with, and learn from other top hackers.
- Learning and upskilling are expensive and time-consuming. When you start out, everything is new, so each skill takes a significant amount of time to learn. As you become a seasoned veteran, learning becomes easier, because the base set of skills you’ve already acquired accelerates it. For example, a new hacker will typically need much more time to understand a basic SQL injection, but once they’ve honed that skill, they’ll pick up blind SQL injection or even NoSQL injection much more quickly, because they have prior experience to draw from. Many, if not most, elements of bug bounties, and of security generally, follow this rule. If you’re not financially prepared to take the leap and absorb lower financial returns during the initial phases of your hacking career, you will learn this costly lesson the hard way. The stress of that experience may well outweigh the stress of having a full-time job.
- Report backlogs are important. Given the variety of businesses involved in bug bounties, not all reports are paid in a timely manner. Different companies have different considerations to work through before a report can be paid. Some host regular panel meetings to make decisions about reports in batches (potentially causing long payment delays). Others may have run out of “pool” (money to pay) and need to go through budget approval and procurement processes to replenish available funds. Still others are just plain slow. While these aren’t universal experiences, and the majority of programs do pay quickly and on time, these delays are far more noticeable and impactful before you’ve built up a backlog of bugs awaiting payment. Having that backlog (a number of bugs you previously reported that are still awaiting payment) contributes to a more consistent and reliable inbound payment stream, which lets you manage your income far better when you’re paying yourself as a full-time hunter.
The impact of external factors
How your demographics and country can impact your income
Demographic, country, and external factors can work against your dream of becoming a full-time bug hunter. Bug bounties are typically paid in US dollars, which for many regions means a higher return on your work because many countries have a lower cost of living than the US. By the same token, this can pose a distinct disadvantage to people living in expensive countries, such as the US. This isn’t to say that earning a living off bug hunting there is impossible, but it does mean you have to take stock of different financial considerations, including cost of living and cost of goods. It’s also important to learn how your jurisdiction taxes income received in a foreign currency, including how the exchange-rate conversion is treated: any gain you make on the conversion is still taxed. It’s not “free money.”
Additionally, consider your ability to obtain a mortgage or other credit. Being self-employed brings a different set of documentation requirements when applying for loans, and it’s good to be aware of this ahead of time so you can plan appropriately.
Likewise, personal and external factors can’t be ignored. Do you have high expenses? Are you certain you can cover them even in a bad month or if you fall ill? Have you factored in the need to save for retirement, health care, and time off? Finally, who else is going to be affected by your decision? For me, I began playing poker at a time when I was young, single, and lacking dependents, which suited me very well at the time. I now have external responsibilities, and the decision is no longer my own, given it would impact my entire family. Considering your circumstances, both current and near future, is an important part of the decision-making process.
Although this may sound obvious, I have found that many get caught up in the excitement of early success, often ignoring these kinds of considerations, whether intentionally or unintentionally. Initial success may make you think you’ve got things handled, but later, when you get sick, need a break, or have a difficult conversation with family members who may not agree with your decision, this venture might become one you regret. Planning your career and financial future with these factors in mind is, in my opinion, the most important part of any decision-making process.
Why it’s important to factor in savings and flexibility
Let’s talk expected value
In poker, we pass around a shared piece of wisdom: always have at least one year of expenses in savings, in addition to your 100 buy-ins of table stakes, before even considering playing poker for a living. These two buffers not only mean that you can sustain a losing streak (as happens in skill-based games with elements of luck), but they also help sustain your mental state throughout those periods, because they afford you the space to think in expected value (EV) rather than in the result of any single session. This freedom is not to be underestimated. Creating this financial cushion allows you to keep working at your best and making good decisions without fear that you can’t put food on the table.
EV is the idea that a correct decision has a definite long-run average return, even though any individual outcome will vary above or below it. Let’s break it down:
- While the sample sizes aren’t ideal for a direct comparison with bug bounties, the concept of EV is nevertheless useful as a baseline. For example, if you have 100 paid bugs to your name at an average of $1000 a bug, then your expected return per paid bug is $1000. If each bug takes you sixteen hours of hunting, then your EV is $62.50 per hour hunted. That said, it’s unlikely that every hour of a working week will be pure hunting, at least not over the long term. You need to adjust this calculation to account for time spent reporting, time spent learning, conferences, illness, family time, and leave. After doing all of that, you’ll arrive at a truer number that can help you decide whether to approach bug bounties full time.
Once you’ve arrived at your numbers, you can start to use them to work out your expected returns. You must subtract taxes, health care costs, and other expenses to see if bug hunting could be a feasible living for you. It’s important to be honest with yourself. Here are a few questions to ask yourself before moving forward:
- If most of your bugs come from one vector (one type of subdomain takeover, for example), what happens to your return once that vector dries up because your targets have fixed it?
- If you’re purely reliant on one program, what happens if it hardens over time, and the organization changes the scope or shuts it down completely?
- What forces are you vulnerable to, and how can you diversify your time and build upon your skills to address your weaknesses?
- Are you dependent on specific tooling and have you budgeted ongoing costs for that tooling?
For many, this calculation will show that bug hunting is best left as a lucrative hobby. Others may be facing different life circumstances or have the risk appetite to make full-time hunting feasible. Again, this is a risk you only accept after working out the logistics and understanding how you might be affected by them.
What is my burn rate?
Extending on the concept of EV, another significant consideration is your burn rate. The burn rate essentially refers to how much money you spend each month and how quickly you will go through your savings if you were to stop having an income.
For example, let’s assume that through your bug bounty journey to date, you’ve saved $10,000. You have expenses (including taxes to be paid) and entertainment costs of $2500 a month. With the amount saved, you’d be able to sustain yourself for four months. However, this assumes no unplanned purchases and that you could immediately land another job once those four months are up.
A much more prudent approach would be to try your hand at bounties for two months and then reevaluate your position. If you manage to make enough to cover your expenses (of $2500 a month in our example) and enough to save up for four months of expenses, then you can feel confident that you’re starting to find a sustainable approach to earning a living through bug bounties. Regularly tracking your burn rate, the cash runway it leaves you (the number of months your savings will last), and the point at which you may need to consider looking for another job is important in keeping a realistic picture of your financials.
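To make the EV and burn-rate reasoning above concrete, here is a small worksheet, added as an example and not part of the original post. It uses the post’s own figures (100 bugs at an average of $1000, sixteen hours per bug, $10,000 saved, $2500 a month of expenses) and goes one step beyond the text: rather than only computing a fixed runway, it also simulates a hunter whose monthly bug count and payouts vary and whose programs pay late, to show how variance and a slow-paying backlog eat into the same savings. The `HunterStats` fields, the 50% hunting fraction, the 46 working weeks, the lognormal payout spread, and the Poisson bug-rate model are all assumptions chosen for illustration.

```python
"""EV and cash-runway worksheet for a prospective full-time bug hunter.

Added example. Figures follow the post; the simulation parameters
(hunting fraction, working weeks, payout spread, Poisson bug rate) are
assumptions for illustration, not measurements.
"""
from dataclasses import dataclass
from math import exp, inf
import random


@dataclass
class HunterStats:
    paid_bugs: int            # bugs paid to date
    total_paid: float         # USD received for them
    hours_per_bug: float      # average hunting hours per paid bug
    hunting_fraction: float   # share of work hours spent actually hunting
                              # (the rest: reporting, learning, admin)
    working_weeks: int        # weeks a year left after leave, conferences, illness
    hours_per_week: float


def raw_ev_per_hour(s: HunterStats) -> float:
    """Naive EV: average payout per bug divided by hunting hours per bug."""
    return (s.total_paid / s.paid_bugs) / s.hours_per_bug


def adjusted_annual_income(s: HunterStats) -> float:
    """Apply the hourly EV only to the hours that are really hunting hours."""
    hunting_hours = s.working_weeks * s.hours_per_week * s.hunting_fraction
    return hunting_hours * raw_ev_per_hour(s)


def runway_months(savings: float, monthly_burn: float, monthly_income: float = 0.0) -> float:
    """Months until savings hit zero at a constant net burn (inf if you break even)."""
    net_burn = monthly_burn - monthly_income
    return inf if net_burn <= 0 else savings / net_burn


def _poisson(rng: random.Random, mean: float) -> int:
    """Knuth's sampler; adequate for the small monthly bug counts used here."""
    limit, k, p = exp(-mean), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


PAYOUT_SIGMA = 0.6  # assumed log-spread of payouts: long right tail, like severities


def bust_probability(savings: float, monthly_burn: float, bugs_per_month: float,
                     avg_payout: float, payment_delay: int, horizon_months: int,
                     trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo share of runs in which cash goes negative within the horizon.

    Each month a Poisson number of bugs is found; each pays a lognormal amount
    with mean avg_payout, credited payment_delay months later to model a
    slow-paying backlog. A fresh generator per trial keeps the draws identical
    across delay settings, so a longer delay can never look safer by chance.
    """
    busts = 0
    for trial in range(trials):
        rng = random.Random(seed + trial)
        cash = savings
        pending = [0.0] * (horizon_months + payment_delay + 1)  # payouts by credit month
        for month in range(horizon_months):
            for _ in range(_poisson(rng, bugs_per_month)):
                payout = rng.lognormvariate(-0.5 * PAYOUT_SIGMA ** 2, PAYOUT_SIGMA) * avg_payout
                pending[month + payment_delay] += payout
            cash += pending[month] - monthly_burn
            if cash < 0:
                busts += 1
                break
    return busts / trials


if __name__ == "__main__":
    me = HunterStats(paid_bugs=100, total_paid=100_000.0, hours_per_bug=16.0,
                     hunting_fraction=0.5, working_weeks=46, hours_per_week=40.0)
    print(f"raw EV/hour:        ${raw_ev_per_hour(me):.2f}")
    print(f"adjusted annual EV: ${adjusted_annual_income(me):,.0f}")
    print(f"runway, no income:  {runway_months(10_000, 2_500):.1f} months")
    for delay in (0, 1, 3):
        p = bust_probability(10_000, 2_500, bugs_per_month=2.5, avg_payout=1_000,
                             payment_delay=delay, horizon_months=12)
        print(f"P(bust in 12 months) with {delay}-month payment delay: {p:.2f}")
```

The first two functions reproduce the post’s arithmetic: $62.50 an hour of hunting, which shrinks to roughly $57,500 a year once only half of a 46-week working year is actually spent hunting. The simulation is where the backlog point from earlier bites: at an average income equal to the $2500 burn, the same savings survive the year far less often when every payment lands three months late than when programs pay promptly, even though the long-run EV is identical.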
Lastly, what is your motivation?
The “what” and “why” will ultimately guide your actions. What drives your decisions? Why do you want to turn bug hunting into a full-time living? If your goal is to hack cool things all day, you might consider becoming a pentester (assuming you find a firm with varied and interesting work), where a lot of the considerations above no longer apply. You’d earn a salary while still hunting on the side. In my experience, the biggest benefit of being a pentester is that all your expenses are covered. It’s a full-time day job that gives you the freedom to bug hunt for fun on targets you enjoy. The context switch between bug bounties and pen testing is also large enough, at least for me, that burnout is less likely, not to mention you’ll have paid holiday time when you can step away from anything infosec-related.
Ultimately, if you’ve considered the above and you’ve made accommodations to allow you the flexibility to approach bug bounties skillfully and competently, then I wish you every success available and can’t wait to see you in the queue.
If you enjoyed this article or have any questions, you can find me at twitter.com/codingo_. I regularly post various items of interest to the hacking and bug bounty community and would love to have a chat!