Want to get rich from bug bounties? You're better off exterminating roaches for a living

Security researchers looking to earn a living as bug bounty hunters would do better to pursue actual insects. Using data from bug bounty biz HackerOne, security shop Trail of Bits observes that the top one per cent of bug hunters found on average 0.87 bugs per month, resulting in bounty earnings equivalent to an average …

  1. #define INFINITY -1

    Nice to see a bit of good common sense here.

  2. Anonymous Coward

    I received a Bug Bounty once...

    It was absolutely disgusting, which is probably why it was so short-lived compared to the milk chocolate version.

    1. Anonymous Coward

      Re: I received a Bug Bounty once...

      Much higher in protein and more sustainable. Just need organic chocolate and it'll leap off the shelves of health food shops.

  3. Dr Dan Holdsworth

    Things may change in future

    It turns out that exterminating cockroaches is actually quite easy, if you use modern science to help you out. The problem with most methods of killing cockroaches is that the cockroaches have tremendous selection pressure to evolve ways of not getting killed. The way around this is to use a method which they will find much more difficult to evolve out of.

    That way is developmental disruption. A cockroach life cycle is a simple one; it hatches from an egg into a miniature cockroach, then goes through a series of instars, shedding its exoskeleton each time and inflating internal air sacs to make the soft new one a bit bigger than the old one. All the time this is happening, a gland in its head is pumping out a hormone called Juvenile Hormone, for which there is no equivalent in vertebrates. About halfway through the last juvenile instar the gland stops producing juvenile hormone, and the final exoskeleton that forms is a little different from all the previous ones; it has genitalia and other adult characteristics.

    If you produce an artificial analogue of juvenile hormone and keep giving this to last instar cockroaches, then their adult exoskeleton looks just like a juvenile one; no genitalia. Such animals cannot breed, and do not undergo any further moults either; they live out their lives without breeding. Juvenile hormone analogues that are thousands of times more bio-active than the real one, and much more persistent have been developed.

    This means that if you want to permanently keep the cockroach population in a building near to zero, all you do is periodically saturate the place with a juvenile hormone analogue. You'll always have a few cockroaches coming in from the surrounding area, but the offspring of these incomers never themselves breed.

    1. jmch Silver badge

      Re: Things may change in future

      One of the things I love about the Register is these little nuggets of information from a group of users who are extremely well informed across a vast range of subjects, including such seemingly non-tech-related subjects as cockroach extermination.

    2. Anonymous Coward

      Re: Things may change in future

      @Dr Dan Holdsworth

      Nice attack vector, assuming the attack doesn't have any nasty side effects, but even then, unless you completely eradicate them, those that survive evolve to cope, resulting in all your expensive research becoming increasingly useless. In the event that you did manage to kill all the roaches, then something else would take its place and you would need to start again against a possibly worse replacement.

      The more holistic approach is always to attack/remove the niche, i.e. reduce food availability, for example. Yes, you may push the target into a new niche, but the chances are it will be less optimised than the current organism living there, rather than using science to create a superroach that may be more of a problem than the existing strain.

      The fact is that the more humans there are, the greater the likelihood that organisms will evolve to live off us; use our best weapons now and they will be useless when we actually need them.

      1. VikiAi

        Re: Things may change in future

        You don't want to try to starve them out! Cockroaches are known to nibble on your extremities while you sleep if they are hungry enough!

    3. Jim Mitchell

      Re: Things may change in future

      "Juvenile Hormone, for which there is no equivalent in vertebrates"

      Humans definitely have a whole bucket of juvenile hormones. Even as adults....

    4. Anonymous Coward

      Re: Things may change in future

      But - wouldn't they just continue to get bigger and bigger until they eat all the people?

      Sure, you stopped them from breeding, but introducing unlimited growth sounds dangerous.

      But still, can we ride them? Replace soldiers with giant roaches; wars will be less boom boom, and more munch munch. At least they will clean up after.

  4. DavCrav Silver badge

    "The UK government, she said, is not going to start a bug bounty program"

    Fine. Will it start a bug bounty programme though?

    1. steviebuk Silver badge

      Because they know they'd be paying out over and over and over again.

  5. Anonymous Coward

    "The UK government, she said, is not going to start a bug bounty program"

    I'm pretty sure that at one point they were looking at it. I received an email (at least a year ago) inviting me to join a pilot scheme that NCSC were looking at running. Reading between the lines, it sounded exactly like a bug bounty scheme. I don't believe that anything ever came of it, presumably because they were asking security companies that already did government work to effectively work for free.

  6. EveryTime

    Bug bounty programs are often set up to get people to work for free, or for minimal pay relative to the effort and skill.

    But there is a downside for a company that tries this approach. They will likely attract people motivated solely by money. When a security vulnerability is discovered, the calculation will be "will I make more money by exploiting, selling or reporting this?" Only the minor, low-value bugs will be reported through a bounty program.

  7. blueops

    In contrast I wonder how much the black hats make using the bugs they find to gather and sell user data!

  8. The Indomitable Gall

    Eh, what...?

    "A bounty price can't really exceed what an in-house security person will make."

    Ehhh.. what?!? Whyever not? Surely freelancers need to get more money than employees in order to rebalance the risk/reward ratio to compensate for the lack of guaranteed income?

    1. The Indomitable Gall

      Re: Eh, what...?

      (N.B. This is not a defence of bug bounty, just an observation about handling fair recompense.)

    2. DavCrav Silver badge

      Re: Eh, what...?

      "Ehhh.. what?!? Whyever not? Surely freelancers need to get more money than employees in order to rebalance the risk/reward ratio to compensate for the lack of guaranteed income?"

      Absolutely. That's why the guys who work for Uber and Deliveroo make so much...oh wait.

  9. fm+theregister

    True security ppl never sell, instead they use them

    It is my understanding that if you are deeply involved in security, you should never sell the bugs / software for a bounty; instead you shall use them, and only when necessary to do so.

  10. a_yank_lurker Silver badge

    Proper Place

    Bug bounty programs are a nice adjunct to what should be done internally. It is an unfortunate situation that, no matter how good your people, processes, etc. are, bugs will get out. Thus the last line is the bounty hunters. What I would be more concerned about are the organizations that use bounty hunters as their first line.

  11. Anonymous Coward

    If you want to get rich then start the Church Of The Bug Bounty, I've yet to see a poor religious organisation, well those at the top anyway.
