If only I knew about Netscape Navigator's bug bounty back in the day.
With some releases you could sneeze and it would crash...
Nathaniel Wakelam made US$250,000 last year. In his second job, finding and reporting bugs to bug bounty programs. Wakelam's a 20-year-old high school and university drop-out who has become something of a poster boy for the bug bounty boom, a movement that sees the world's biggest companies pay guys like him tens of thousands …
"With some releases you could sneeze and it would crash.."
Ahh but back in the day, what a browser. Viola, Cello, Mosaic which I used for a long time and then on to Netscape.
Back in the day, Netscape was like Korean meat balls, it was truly the dog's bollocks.
While we are at it, XTreeGold, FreeAgent and Lotus Symphony were wow products back then.
That's odd, because every time I look into this it's pure pocket change.
If Google's paid out $2,000,000 in a year across all the people doing this, then either hardly anybody's doing it, or pretty much everybody's getting peanuts. Getting '$250,000 a year' would be fine for the 8 people who got it though.
That's not inconsistent with what I said.
The conditions for most bug bounties seem appalling.
The payouts are arbitrary and whether your discovery is worth one at all is entirely at the mercy of the exploitee, who will deign to consider it after you've not only found a problem but attached it to a working exploit.
They are also looking for exploits, not bugs generally, so if you find something but it's not immediately exploitable then I hope you enjoyed that 'Thanks!!!' t-shirt.
Rarely is any source available, which would make many proactive strategies viable.
This conspires to make it look terrible to anyone who looks into it, leaving only those with few other options to try. This might be why the interviewees are such colourful characters, but it's not the best way to actually, y'know, incentivise people to spend their time looking for bugs, or let them do it with any efficiency.
'In an Agile context, I define a bug as behavior in a “Done” story that violates valid expectations of the Product Owner.' ref
"Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day." ref
As I read through the article I had a growing feeling that it would end with a plug for a "learn to be a bug hunter" course of some sort. It sounded more and more like one of those "work from home for just a few hours and make xK £/$/€ per month/week/day" posts you come across in some forums.
Seems that being a low end skiddie pays well these days. Particularly the sort of petty criminal type who transitions from some noddy hacks and a bit of ticket fraud to a bit of Perl and XSS bashing.
Except it doesn't pay that well.
And the numbers don't add up between the totals being paid out by some of the biggest bounty sources and what is claimed as income, or the typical payments for individual reports. As has been said there are either very few players in the game or someone has spent 5 minutes to make up some invoices and a fake balance to show how great they are.
The whiff of bullshit is a little pungent.