For a lot of people, bug bounties present a way to escape the rat race: a way to exchange the handcuffs of employment for the freedom of autonomous control of one’s day, and one’s financial future. As appealing as that sounds, it’s also important to remain objective and methodical about turning something like bug bounty into the “way you keep the lights on”. It’s not wise to make life-altering decisions without pragmatically considering all the factors involved. If you’re still curious, this blog seeks to outline a list of important pros and cons to consider when thinking of turning bug bounties into a full-time living.
As a reader’s note, whilst I haven’t exclusively done bug bounties for a living, I have earned enough in a year (with part-time hunting around a pentesting job) that I easily could have. I’ve also played online poker professionally for seven years, as my only income. Whilst professional poker is not the exact same as doing bug bounties professionally, the environment, setup and strategy have very direct correlations in mindset and life requirements. I believe that these two shared experiences give me a unique position to discuss at length the considerations you should make before taking the leap or not.
Why is prior experience so valuable?
The most obvious consideration is prior experience, both to honestly gauge your hacking ability and to account for the time you’ve spent in the industry. This will give you an idea of the kind of return you can expect and how quickly you can expect it. If you’re considering making a run at doing bug bounties for a living without having already put a significant amount of time into hunting, you’re going to be at a distinct disadvantage, for a few key reasons:
- Programs and Opportunities give a seasoned hunter a distinct advantage over a newer one. The longer you’ve been hunting, the more private invites you’ve received, and consequently the wider the attack surface available to you. Likewise, the better the severity ratings of your previous reports and the higher the quality of the reports you’ve written (which comes with experience), the better and earlier the opportunities you will be presented with. At the beginning of your journey, the only programs available to you tend to be public, Joinable and Waitlistable programs, and whilst those are useful and there are bugs to be found, the return on your time and the availability of bugs in that attack surface are far reduced when compared to having a wider array of programs (and platform opportunities) to choose from. In addition, the more successful you are, the more opportunities and networking possibilities you’ll have to collaborate with and learn from other top hackers.
- Learning and Upskilling is an expensive, and very time-consuming activity. As you start out, everything is new and learning each skill takes significantly more time than it will for somebody who has a more seasoned skillset to draw upon. The first time someone experiences a SQL injection, for example, it will typically take much longer to understand and learn than when that same individual expands upon that skillset to understand Blind SQL Injection, or even, NoSQL Injection. This is because there’s a prior experience that’s distinctly related to the first learned skill to draw upon for quicker understanding. Many, if not most, elements of bug bounties and security, in general, follow this pattern. Taking a leap and needing a full financial return on your time will require costly learning situations, and may cause a more stressful experience than it was previously.
- Report Backlogs are important. Given the variety and range of businesses involved, not all reports are paid in a timely manner. Different companies have different considerations they have to make before a report can be paid. Some will meet regularly as a panel, to make decisions about reports in batches (potentially causing long payment delays), others may have run out of “pool” (money to pay) and need to go through budget approval and procurement processes to replenish the funds they have available to pay, and others may be just plain slow. Whilst that’s not universal, and the majority of programs do pay quickly, and on time, these delays are a lot more noticeable and impactful before you’ve built up a backlog of bugs to be paid. Having this backlog (a number of bugs you’ve previously reported, awaiting payment) adds a more consistent and reliable inbound payment stream. This will allow you to better manage your income when you’re paying yourself as a full-time hunter.
The impact of external factors
How your demographics and country can impact your outcome
For some, demographic, country and other external factors can work against your dreams of becoming a full-time bug hunter. Bug bounties are typically paid in U.S. dollars, which for many regions means a higher return on your payments, because a lot of countries have a lower cost of living than the US. By the same token, for many individuals this can pose a distinct disadvantage, especially if you’re U.S. based or live somewhere with a comparable cost of living. That isn’t to say the bar is impossible to meet; if you’d like to hunt for a living, it’s certainly been achievable for many, but you will have more to consider in a country with a higher cost of living (or a currency that is strong against the dollar) than in one that doesn’t face the same barriers. It’s also important to learn how your country taxes foreign-currency income and exchange-rate gains. The extra cash you receive on conversion still has to have tax paid on it; it’s not “free money”.
Additionally, consider the impact beyond just this conversion rate on your ability to obtain a mortgage or other financial application needs. Working for yourself brings a different set of financial obligations when applying for these loans, and it’s good to be aware of this ahead of time so you can plan appropriately.
Likewise, personal external factors can’t be ignored. Do you have a high number of expenses? Are you certain you can cover those even in a bad month, or one where you’re ill? Have you factored in the need to save for retirement as a self-employed person, as well as providing health care and enough income to allow for time off? Finally, who else is going to be influenced by your decision? For myself, I played poker at a time when I was young, single and had no dependents, which suited me very well at the time. Later on in life, I now have external responsibilities, and the decision is no longer my own, given that I would impact my entire family. Considering your circumstances, both current and near future, is an important part of the decision-making process.
Whilst obvious, I found that many get caught up in the excitement of early success, often ignoring these kinds of considerations either intentionally, or unintentionally. This can work in the short term, but sooner or later you’re going to get sick, need a break, or have a difficult conversation with family members who may not align with your decision. Considering and planning for these factors is, in my opinion, the most important part of any decision-making process before seeking self-employment in a variable field.
Why it’s important to factor in savings and flexibility
Let’s talk expected value
In poker, we have a shared piece of wisdom: always have at least one year of expenses in savings in addition to your 100 buy-ins of table stakes before even considering playing poker for a living. These two buffers not only mean you can sustain a losing streak (as happens in skill-based games with elements of luck), but it also helps sustain your mental state throughout those periods because it provides you the space to think in expected value, not direct value. This freedom is not to be underestimated. Creating this financial “cushion” allows you to continue working at your best, and making good decisions without fear of your lights getting turned off.
Expected value (EV) is essentially a way of saying that if you consistently make good decisions, the right decisions, they will render into $y of return over the long term, regardless of how any individual session goes. Let’s break it down:
- Whilst the sample sizes aren’t ideal for a direct correlation in regards to bug bounties, as a baseline we can similarly think in expected value. For example, if you’ve 100 paid bugs to your name, at an average of $1000 a bug, then you can realistically start to say that you have a $1000 return per bug. If each bug takes you sixteen hours of time, then you can state that your EV is $62.50 an hour worked. That said, it’s unlikely that you’re going to hunt for a full 38-hour working week, every week, at least not over the long term. You need to adjust this calculation to take into consideration time spent reporting, time spent learning, conferences, illness, family and leave time. After doing all of that, you’ll arrive at a truer calculation that can help you decide whether you want to approach bug bounties full time or not.
Once you’re at such numbers, you can start to use them to work out your expected returns, and subtract taxes, health care and other expenses to see if it’s a feasible living for you. It’s important to be honest with yourself. Here are a few questions to ask yourself before moving forward:
- If most of your bugs, for example, all come from one type of subdomain takeover – what happens to your return once that vector is inevitably patched?
- If you’re purely reliant on one program, what happens if they harden over time, change the scope, or close entirely?
- What are the factors that you’re vulnerable to, and how can you diversify your time and build upon your skills to reduce the exposure that leaves you with?
- Are you dependent on specific tooling, and have you budgeted ongoing costs for that tooling?
For many, this calculation will show that bug hunting for your sole living likely remains too variable to consider, and it’s best left as a lucrative hobby. For others, there may be different life circumstances or risk appetites to make it feasible. Again, this is a risk you only accept after working out the logistics and understanding how you’re exposed to it.
What is my burn rate?
Extending upon the concept of expected value, another significant contributor to consider when thinking of hunting for a living is your burn rate. Burn rate essentially refers to how much money you spend each month, and how quickly you will consume your savings without making additional income.
For example, let’s assume that in your bug bounty journey to date, you’ve saved $10,000. You have expenses (including tax) and entertainment costs of $2500 a month. With that, you have four months you can sustain yourself – however that assumes you can immediately land another job, should the four months go by, and you don’t make anything additional.
A much more prudent approach would be to try your hand at bounties for two months, and then reevaluate your position. If over that time you’ve sustained at least your expenses (of $2500 a month in our example) and you still have savings covering four months of expenses, then you can feel confident that you’re starting to find a sustainable approach to making a living. Regularly keeping track of your burn rate, the runway it leaves you (how many months of expenses your remaining savings cover, often called “cash runway”), and the point at which you may need to reconsider looking for another job is important, so that you always have awareness of how well your income is working.
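To make the two calculations above concrete (the adjusted hourly EV from the previous section, and the burn rate and runway check from this one), here is a small calculator added as a worked example; it is not code from the original post. It reproduces the post’s own figures (100 bugs at $1000 averaging 16 hours each, $10,000 of savings against $2500 a month). The hours-per-week figure, the overhead fraction, the trial-month incomes and the 50% concentration threshold are assumed illustrative values, not numbers from the post.

```python
from dataclasses import dataclass


@dataclass
class HunterProfile:
    """Inputs for the EV and runway calculations. All money in USD."""
    paid_bugs: int               # bugs that have actually been paid
    total_paid: float            # total received for those bugs
    hours_per_bug: float         # average hours per paid bug, including report writing
    hunting_hours_per_week: float  # hours you will realistically hunt in a working week
    overhead_fraction: float     # share of the year lost to learning, conferences, illness, leave
    monthly_expenses: float      # everything, with tax set aside
    savings: float               # cash on hand when you start


def raw_hourly_ev(p: HunterProfile) -> float:
    """Naive EV per hour: average payout per bug divided by hours per bug."""
    return (p.total_paid / p.paid_bugs) / p.hours_per_bug


def monthly_expected_income(p: HunterProfile) -> float:
    """Raw EV scaled by the hours you actually hunt, after unpaid overhead."""
    productive_weeks = 52 * (1 - p.overhead_fraction)
    return raw_hourly_ev(p) * p.hunting_hours_per_week * productive_weeks / 12


def runway_months(p: HunterProfile, monthly_income: float = 0.0) -> float:
    """Months until savings run out at the current burn rate, net of income."""
    net_burn = p.monthly_expenses - monthly_income
    if net_burn <= 0:
        return float("inf")  # income covers expenses; savings are not being consumed
    return p.savings / net_burn


def trial_is_sustainable(p: HunterProfile, trial_incomes: list[float],
                         min_runway_months: int = 4) -> bool:
    """The post's two-month check: every trial month must cover expenses,
    and what is left must still cover min_runway_months of expenses."""
    if not all(income >= p.monthly_expenses for income in trial_incomes):
        return False
    savings_after = p.savings + sum(i - p.monthly_expenses for i in trial_incomes)
    return savings_after >= min_runway_months * p.monthly_expenses


def income_concentration(payouts_by_source: dict[str, float]) -> float:
    """Share of total payouts coming from the single largest source
    (one program, or one bug class). High values mean fragile EV."""
    total = sum(payouts_by_source.values())
    return max(payouts_by_source.values()) / total


if __name__ == "__main__":
    # Figures from the post; weekly hours and overhead are assumed.
    me = HunterProfile(paid_bugs=100, total_paid=100_000.0, hours_per_bug=16.0,
                       hunting_hours_per_week=25.0, overhead_fraction=0.25,
                       monthly_expenses=2_500.0, savings=10_000.0)
    print(f"raw EV/hour:      ${raw_hourly_ev(me):.2f}")            # $62.50
    print(f"expected/month:   ${monthly_expected_income(me):.2f}")  # after overhead
    print(f"runway (no pay):  {runway_months(me):.1f} months")      # 4.0
    # Constructed trial months and a constructed payout split by program.
    print("sustainable:", trial_is_sustainable(me, [3_000.0, 2_600.0]))
    split = {"program_a": 60_000.0, "program_b": 25_000.0, "program_c": 15_000.0}
    share = income_concentration(split)
    if share > 0.5:  # assumed threshold, not from the post
        print(f"warning: {share:.0%} of income rides on one source")
```

The concentration check is there because the questions in the previous section (one subdomain-takeover vector, one program) are really asking how much of your EV disappears if a single source is patched or closed; the calculator simply measures that share so you can answer honestly.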
Lastly, what is your motivation?
The “what” and the “why” will ultimately guide your actions. What are the drivers? Why do you want to turn bug bounties into a full-time living? If your goal is to hack cool things all day, bug bounties likely could lead you down the exciting path of becoming a pentester (assuming you find a firm with varied and interesting work), where a lot of the considerations above no longer apply, and you’re able to make a salary while still hunting on the side. In my experience, the biggest benefit of becoming a pentester is that all your expenses are covered. It’s a full-time day job that gives you the freedom to bug hunt for fun, on targets you enjoy. The context switch between bug bounties and pentesting is also varied enough, at least for me, that burnout is less likely – not to mention you’ll have paid holiday time where you can do nothing infosec related.
Ultimately, if you’ve considered the above, and you’ve made accommodations to allow you the flexibility to approach bug bounties skillfully and competently while making a consistent return, then I wish you every success available and can’t wait to see you on the queue.
If you enjoyed this article, or have any questions, you can find me on twitter.com/codingo_. I regularly post various items of interest to the hacking and bug bounty community there, and would love to have a conversation with you!