Found Bugs, Got paid, Stayed poor: Making a Living with Bug Bounties

Early 2021. After feeling unsatisfied with my job for quite some time and battling burnout, I decided to take a sabbatical. “To hell with it,” I thought. “I’m not spending another day working for ‘the man’! I’m my own boss now!”

For the next several months, I decided to try three different strategies:

• Creating a reverse engineering course.
• Giving private reverse engineering lessons.
• And, of course, hunting for bug bounties!

The Setup

Every security guy dreams of making a living off bug bounties. I always pictured this lifestyle as lounging on a sunbed at the beach, sipping cocktails, and occasionally glancing at the screen of my laptop the check the fuzzing campaign. In reality, my journey began in the grim spring of a megapolis, with my family’s bank account only stretching to cover us for 3–4 months.

My experience with bug bounties was quite limited at the time. I had secured a reward for a couple of random vulnerabilities I stumbled upon but had never pursued it systematically. However, the little experience I had taught me some important lessons:

• Reading posts like “I got $30,000 for hacking Facebook” is very exciting, but achieving that requires an enormous amount of skill, determination, experience, and probably a bit of luck.
• High reward == high competition. Sure, I’d love to earn tens of thousands of dollars for hacking Windows, but entering that arena means competing against security researchers with years of experience, firms that discover and sell bugs to the highest bidder, and even Microsoft’s internal teams.

To get my feet wet, I needed something more predictable and sustainable. I figured working on low-profile targets, let’s say with a 30% chance of finding vulnerabilities, was better than aiming for high-profile software with a mere 1% success rate. At least this way, I had a solid chance of making some money and could estimate the profitability of this endeavor without spending weeks or months hitting a wall and coming out empty-handed.

With that strategy in mind, I started searching for a target. The search didn’t take too long. Having worked in industrial security for a long time, I knew this field offered the perfect combination of factors:

• Tons of low-quality legacy software, often with little to no consideration for security.
• An intimidating and less sexy appearance, resulting in less attention from the cybersecurity community and, consequently, less competition for me.

Choosing hardware as my target was out of the question, as I didn’t have any budget to purchase it, and I highly doubted a bug bounty platform would buy it to verify my findings. My choice landed on Schneider Electric’s IGSS SCADA. I had some experience finding bugs in it previously, so I was hopeful that it was still soft in some places.

I was already experimenting with going for bug bounties, so with tools and approach I decided to stick with my guns: manual reverse engineering with IDA and x64dbg.

The Payoff

Finding vulnerabilities in subpar ICS software gradually lost its allure over four years on the job, but then it suddenly appeared in a different light. Every bug I found gave me a dopamine rush, knowing it was my only means of making money at the time. And the euphoria from receiving that SWIFT transfer notification is hard to forget.

My strategy seemed successful at first glance: I discovered 10 vulnerabilities, ranging from information disclosure to remote code execution. In total, I made around $3,000 on that.

So, why do I consider this endeavor a failure?

I didn’t meticulously track the time spent on it daily, but the whole active research phase consumed about 3 months. During this period, I also juggled other activities, none of which were financially rewarding. When you break it down monthly, the income was 30–50% less than what my family needed to maintain a normal life without anything extra. I watched as our savings account slowly depleted, each day inching closer to zero, a constant, looming reminder of the risks of going self-employed.

Time per Bug

When you consider the months of work and subtract the time spent on various unsuccessful targets and methods, the actual productive time is significantly lower. And if we divide by that new number, we’d get a higher pay per month. Unfortunately, reality doesn’t align with such wishful recalculations, and my failures were also paid from my pocket.

But, if I had a faster method to find those bugs, financials would be much better. Fuzzing could’ve been helpful, but

• the majority of the bugs were of pure logical nature
• My focus was on network services, but didn’t have network traffic for the majority of them. That meant that I had to reconstruct the protocol manually. And a careful look at the protocol implementation was enough to identify the vulnerabilities.

Another major mistake involved the quality of my reports. No, my reports weren’t bad — they were too good. I spent far more time than I should have crafting some of the highest quality reports you’ve ever seen, complete with root cause analysis. Now, having seen the reports other people submit to bug bounty programs, I realize that my drive for report perfectionism was at my own expense.

Unstable Income

Being an employee has a quite amusing side effect: you get paid on the same date every month. As a bug bounty hunter, however, the money arrive whenever the bug bounty program decides to pay out. I was far from a top-tier researcher, and my target was as low-profile as they come. So, sometimes I had to wait weeks or even months for my submissions to be triaged and paid.

It took over three months from the submission of my final vulnerability to receive the payout. I’m not sure if that’s normal for my situation, but it’s definitely another factor that puts the stability of this income source into perspective.

Lessons Learned

I didn’t end up sipping cocktails on the beach while watching the bugs pouring, but I’m genuinely happy I went through this experiment at that point in my life. Big thanks to my wife for supporting me through this. I learned a lot from the experience.

Choosing obscure, low-profile targets proved to be a great training ground, but:

• The payouts aren’t that high (which, of course, varies depending on your cost of living). It might work out with strategies to significantly cut the time spent per bug.
• You’re given the lowest priority on the platform. Unfortunately, this can mean longer wait times.

In hindsight, I should’ve quickly pivoted to either coming up with a quick and dirty way to find bugs as fast as possible, or jump to targets that are just one step higher. Probably, as combination of those would be even better.

Working for “the man” can actually be lovely: you don’t need to hustle for clients, “the man” compensates you for the time you spend learning from mistakes, being sick, or even procrastinating. And oh, that wonderful notification from the banking app every month!