…he is the best guard of a camp who is best able to steal a march upon the enemy…he who is a good keeper of anything is also a good thief.
~Socrates, The Republic
Are you a whiz at cracking into systems and maybe even exploiting social media platforms like Facebook? You don’t have to admit to it here…but if you are a hacker, you can actually make good money while plying your craft.
And just who would be seeking out your services? Well, none other than social media platforms including Facebook, Pinterest and others. Major companies like Dropbox, Western Union and Tesla would also be highly interested in working with you.
Hacking for fun and profit
With crafty hackers constantly inspecting and injecting malicious code in an effort to hack passwords or obtain credit card information, companies have become increasingly alarmed about security breaches. To this end, they have invested in encryption, password verifications, etc. However, even these measures don’t always prevent a security breach.
One need only think about the recent Ashley Madison reveal of user identities or the Target credit card breach to understand that, no matter how “secure” a site appears to be, there are always ways to get around that security.
This is why many companies have come to the conclusion that the best way to prevent hacking is to make friends with the hackers themselves. To this end, many companies are teaming up with hackers and asking them to deliberately exploit their passwords, platforms and systems. Successful hackers that manage to crack into Facebook, Pinterest, etc. are rewarded with money.
So-called white-hat hackers make anywhere from a few bucks to as much as $33,500 (according to Facebook’s payout to Reginaldo Silva) depending on the type of bug they find and report.
Here are some other companies that pay big bucks for bugs:
Western Union: $100-$5,000
Most companies have a security page on their website that describes their incentive program for finding and reporting security risks including the following:
· Cross-site scripting (XSS)
· Cross-site request forgery (CSRF)
· Database injection
· Open redirection
· Mixed-content scripts
· Server-side code execution bugs
· Open vulnerability
Finding the big payers is hard work, and some companies won’t pay you at all, or will only acknowledge your efforts with a thank-you note and a T-shirt.
So, how do you quickly sift through companies and find those that pay the big bucks?
The advent of ‘bug finder’ websites
Recently, several “matchmaker” websites have launched with the goal of pairing white-hat hackers with companies looking to improve their cybersecurity. These websites accumulate hackers, coders and programmers and offer their crowdsourcing services to companies. In exchange, the companies pay the matchmaker website a user fee and a bounty to the hacker who finds and reports a bug in the software or online platform.
Here are four websites where would-be hackers can sign up and earn bug bounties:
Bugcrowd
This website pairs a community of over 22,000 white-hat hackers with major companies including Microsoft, Tumblr, YouTube, etc. Hackers can sign up on Bugcrowd’s website and then apply to work on listed projects. Hackers can also submit independent bug reports to the corporations via Bugcrowd’s secure platform.
HackerOne
This website pairs companies with a community of hacker researchers who send vulnerability reports whenever a bug or security issue is detected. The companies are notified privately, so that any security issues can be addressed and corrected before malicious hackers and other online criminals become aware of them.
Hackers are rewarded for their efforts with monetary bounties. Example companies that work with HackerOne include Twitter, LinkedIn, Adobe and Snapchat.
Cobalt
Clients like Optimizely, LendInvest, Auctionata, Nexmo and Weebly use Cobalt to set up and operate bug bounty programs that expose cybersecurity risks. Security researchers (i.e., hackers) can sign up to this site and work with its roster of clients to find and report bugs.
While this is a newer website and doesn’t have as many clients as Bugcrowd or HackerOne, it does offer decent-sized bounties from its current client list, with many bounties ranging from $100-$1,000.
Synack
This recently launched company sets slightly higher IT standards for its “Red Team” members, and you’ll need to submit a resume and cover letter to apply for a position. However, if you have some IT training or experience, you should get a response, because Synack works with a team of cybersecurity experts who are paid bounties for discovering and reporting bugs.
The Bottom Line
Bug finder websites are a win-win for both the client companies involved and their hackers. The companies draw from a large pool of brainpower rather than one or two in-house IT experts. They also don’t pay by the hour but by the product, which in this case is the bug. The hackers, meanwhile, are paid a large sum of money for finding those security bugs and alerting the respective companies.