Skip to content

Can You Make Any Money from Bug Bounties?


Hacking has evolved. No longer does hacking only encompass the nefarious activities of a bored teenager or a Russian spy. People are hacking for good, or ethical hacking, now. An entire field has developed around ethical hacking — penetration testing or pentesting — which involves hackers being paid to test a company’s cybersecurity defenses.

Getting a full-time job as a pentester isn’t easy, nor do many companies have the resources to hire one. The solution? Bug bounties. Bug bounty hunting works a lot like regular bounty hunting, but the targets are software vulnerabilities instead of bail-jumpers. Over the past several years, bug bounties have become popular. They’ve also made some ethical hackers rich.

How exactly do bug bounties work and can you make any decent money from them?

How do bug bounties work?

When a company wants to test the security of their software or other digital assets, they can set up a bug bounty program. The company asks ethical hackers or security researchers to try and hack into their systems, looking for any gaps or vulnerabilities. In return for finding and submitting a vulnerability, the company rewards the bug bounty hunter either monetarily or with free products, recognition, or some other prize.

Bug bounty programs can be either internal or crowd-sourced. Companies can host their own program, where they recruit security researchers to test their software. With a crowd-sourced bug bounty, a company posts their bounty on a platform, such as HackerOne, where members of the platform can attempt it.

Why bug bounties are useful

Bug bounty programs and platforms have become popular because they allow white-hat hackers and pentesters to improve their skills and get paid for it. Even if a bug bounty hunter doesn’t succeed at finding a vulnerability, they’ve still gained valuable experience that they can later apply to their job search in cybersecurity.

Bug bounties benefit companies as well because they identify security issues that in-house teams might not catch. And the more people who vet software or digital assets, the more secure they will be.

Where to find bug bounties

You can search for bug bounty programs hosted by companies or join a platform for crowd-sourced bug bounties. Joining a platform is probably the easiest way to find bug bounties, as they’ve already been searched out and vetted. Some platforms also host bug bounty programs, where security researchers submit results and are paid through the platform.

The most popular bug bounty platforms currently are:

  • HackerOne
  • Bugcrowd
  • SafeHats
  • Cobalt
  • SynAck

With some platforms, you have to apply and demonstrate your expertise before you’re accepted. Others award you points for submitting vulnerability reports, and you convert the points into cash payouts.

Are there any successful bug bounty hunters?

The big question is: how lucrative is bug bounty hunting? There are successful bug bounty hunters, according to HackerOne. On the HackerOne platform alone, the number of resolved vulnerabilities doubled between 2019 and 2020, and $44.75 million in bounties has been awarded to hackers across the globe. At least nine individuals have made $1 million or more on the platform since its founding. The average bounty paid for critical vulnerabilities reached $3,650 in 2020.

So yes, you can make money from bounty hunting, but it may not become your new full-time job right away. Also, as it’s become more popular, bug bounty hunting has become more difficult. The more people find vulnerabilities in large companies, the fewer vulnerabilities there are left. Only the most difficult bugs, which require more advanced skills to crack, will be available. Even so, working on bug bounties may not give you the financial payout you’re looking for, but it definitely gives you a chance to work on important job skills for the cyber security sector.

Making it as a bug bounty hunter

To be a successful bug bounty hunter, you need more than just hacking skills. You also need organizational skills, and should be prepared to teach yourself what you need to know. Many bug hunters started out with only basic knowledge and worked their way up to full-time bug bounty hunting. Participating in the ethical hacking community is also part of a bug bounty hunter’s success. Collaboration, both assisting others and receiving help, is fundamental to being a bug hunter.

If you’re excited by hacking, want to improve your skills, and don’t mind earning some money in the process, then participating in bug bounties is a great use of your time.

Related Articles

  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking
  • Online Privacy
  • Online Safety

How to Manage Privacy Settings on Facebook and Why You Should

So much is happening on social media at any given time. It’s become a natural part of…

[Read More]

Are Your Kids Faking Their GPS Location?

GPS tracking on kids’ phones isn’t new. Apps like Family Tracker and Find My Kids allow parents…

[Read More]

Android vs. iPhone: What’s Best for Security?

Certain brands have achieved that rare golden ring of customer loyalty–some would say blind loyalty–to the point…

[Read More]

Preventing Identity Theft with Adam Levin

At some point in our life we will encounter a cyber intrusion, either through somewhere we have…

[Read More]

How Setting Up Medical ID Can Save a Life

What’s one gadget or accessory that almost everyone is sure to have on them when they’re out?…

[Read More]

Movies That Got Cybersecurity All Wrong

Movies take fantastical leaps in logic all the time. They can’t always remain realistic and still tell…

[Read More]