Bounty hunters in the law enforcement field are often thought of as these long haired, wild men who will do whatever it takes to track down the person who has run afoul of the law. Bug bounty hunters perhaps have the same passion for tracking down code-based flaws, but you would be hard pressed to pick them out of a lineup.
Instead of tracking down perpetrators, bug bounty hunters are tracking down any vulnerabilities in companies' sites.
With headlines about hackers finding vulnerabilities all too familiar, bug bounty hunters have become a necessity. Just last month Google paid out $75,000 in bug bounties to fix 159 flaws in Chrome. Even Microsoft added a bug bounty program in September, offering to pay a minimum of $500 for bugs found.
While money is a nice incentive (and the bug bounty hunters won't turn any of it down), they are happy with a pat on the back and some recognition for their work. It's a way to work legally on a site without fear of being served with a lawsuit.
"It's not often that you get to hack into live websites without the threat of the law," said Jonathan Singer, a security engineer in the security consulting business. "I already try to contact companies if it is safe to do so. Responsible disclosure is the best policy, but more places need to embrace it."
A bug bounty hunter who gave only his handle, Bitquark, said he enjoys taking advantage of routes through a system which the designer may not have intended or planned for.
"Spending hours picking away at something before finally landing a bug is enormously gratifying."
Bitquark, a staff information security engineer at Tesla Motors, found success in the bug bounty world with an SQL injection flaw in a Facebook property, the Oculus developer portal, that led to remote code execution. The find netted him a $15,000 reward from Facebook.
The engineer, in his 30s, said he might pick at a project from time to time, but some bounties are time-limited and require a more concerted effort.
Singer has been a bug bounty hunter for just over a year.
"It is still a hobby for me, kind of like a weekend warrior gig," he said. "My 9-to-5 is already spent with compliance and policy, so this is kind of a way to unwind, see what challenges exist and maybe get some swag or cash."
On a site like Bugcrowd, you can find a list of the open bug bounties along with a rundown of some of the contributors. Companies shown on Bugcrowd include EMC, Google, IBM, Microsoft and Yahoo. Each lays out in minute detail what is open to scrutiny on its sites and what rewards are available. For example, Google lists a $20,000 reward for anyone who can achieve remote code execution on accounts.google.com.