back to article Bug bounty hunters score big dollars and the boom's only just begun

Nathaniel Wakelam made US$250,000 last year. In his second job, finding and reporting bugs to bug bounty programs. Wakelam's a 20-year-old high school and university drop-out who has become something of a poster boy for the bug bounty boom, a movement that sees the world's biggest companies pay guys like him tens of thousands …

  1. Dan 55 Silver badge

    If only I knew about Netscape Navigator's bug bounty back in the day.

    With some releases you could sneeze and it would crash...

    1. Bloakey1

      Re: If only I knew about Netscape Navigator's bug bounty back in the day.

      "With some releases you could sneeze and it would crash.."

      Ahh but back in the day, what a browser. Viola, Cello, Mosaic which I used for a long time and then on to Nestcape.

      Back in the day, Netscape was like Korean meat balls, it was truly the dog's bollocks.

      While we are at it, Xtreegold, FreeAgent and Lotus Symphony were wow products back then.

  2. cjhbtn

    Easy money

    I love these programs. I started with them less than 6 months ago but have already reported three small issues and received over $3000 in bounty payments. As the article says, it's easy money.

    (Beer, because it always tastes better when a large organisation pays for it..)

    1. Anonymous Coward
      Anonymous Coward

      Re: Easy money

      That's odd, because every time I look into this it's pure pocket change.

      If Google's paid out $2,000,000 in a year across all the people doing this, then either hardly anybody's doing it, or pretty much everybody's getting peanuts. Getting '$250,000 a year' would be fine for the 8 people who got it though.

      1. YetAnotherLocksmith

        Re: Easy money

        @AC: well, perhaps millions of people are looking, but only a few will find what they seek. And get paid.

        1. Anonymous Coward
          Anonymous Coward

          Re: Easy money

          That's not inconsistent with what I said.

          The conditions for most bug bounties seem appalling.

          The payouts are arbitrary and whether your discovery is worth one at all is entirely at the mercy of the exploitee, who will deign to consider it after you've not only found a problem but attached it to a working exploit.

          They are also looking for exploits, not bugs generally, so if you find something but it's not immediately exploitable then I hope you enjoyed that 'Thanks!!!' t-shirt.

          Rarely is any source available, which would make many proactive strategies viable.

          This conspires to make it look terrible to anyone who looks into it, leaving only those with few other options to try. This might be why the interviewees are such colourful characers, but it's not the best way to actually, y'know, incentivise people to spend their time looking for bugs, or let them do it with any efficiency.

  3. Ali Um Bongo

    Found One!

    *...Shah says. "They like legit despised me for ages."...*

    I'm pretty sure there's an English Language Vulnerability in that sentence.

  4. Anonymous Coward

    They like legit despised me for ages?

    I see a career in bug hunting has massivly expanded his vocabulary.


    Yo yo ta c uh wurl yn uh grain o' $and

    An' uh heavin yn uh wyldd flowuh

    Hold infiniteee ynn daa palm o' yo' hand

    An' eterniteee ynnn aa hour ya'll izzz mad mad $tupiddddd ya' dig?

  5. Anonymous Coward
    Anonymous Coward

    Handling Bugs in an Agile Context

    'In an Agile context, I define a bug as behavior in a “Done” story that violates valid expectations of the Product Owner.' ref

    "Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. ref

  6. Trainee grumpy old ****

    Is it just me?

    As I read through the article I had a growing feeling that it would end with a plug for a "learn to be a bug hunter" course of some sort. It sounded more and more like one of those "work from home for just a few hours and make xK £/$/€ per month/week/day" posts you come across in some forums.

  7. Anonymous Coward
    Anonymous Coward

    Who knew?

    Seems that being a low end skiddie pays well these days. Particularly the sort of petty criminal type who transitions from some noddy hacks and a bit of ticket fraud to a bit of Perl and XSS bashing.

    Except it doesn't pay that well.

    And the numbers don't add up between the totals being paid out by some of the biggest bounty sources and what is claimed as income, or the typical payments for individual reports. As has been said there are either very few players in the game or someone has spent 5 minutes to make up some invoices and a fake balance to show how great they are.

    The whiff of bullshit is a little pungent.

    1. Anonymous Coward
      Anonymous Coward

      Re: Who knew?

      Yep, agree that the numbers presented in this article do not add up. Vague comments ("reckons he has earned...") and suspiciously round numbers for earnings, along with invoices "ready to be paid" all makes this highly suspect.

  8. Anonymous Coward
    Anonymous Coward

    Earn Money Home

    Want to work from home and earn $3000 a day. Forget that earn $20,000 on Friday night before you go out for beers. No money down, easy 1-2-3 guide, just send credit card number and cvs to 555-704-COAT

  9. Scaffa

    That guys shirt was so loud my AdBlocker crashed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020