For those working in computer security, it is not uncommon to be tempted one day by bug bounties, also called bug bonuses.
Indeed, the sums of money offered by these programs are particularly enticing, and some see them as a way to make a living, not only because of the earnings but also because of the freedom that this rather unusual professional environment offers.
Although today this has become a common, even fairly mundane, activity, it should be noted that a few years ago, reporting a security flaw or even a simple bug affecting the information system of a public administration could land the individual in prison. The reward for discovering bugs was often trouble. Brice Augras and Christophe Hauquiert, security researchers, note: "It took time, it was complicated, and often we were not kept informed of the fixes or of what was happening after we reported. And sometimes we would run into a wall, with innuendos suggesting that we might run into the lawyers of the company in question. And that is without mentioning any possible reward." Yann Cam: "I have been interested in computer security since I was about 11 years old. Sometimes I found vulnerabilities, but when we reported them, we were often very unwelcome. It may have cooled me off for a time."
But since then, bug bounties have become democratized. They have become a fairly common, even necessary, practice when a tech company wants to launch a new product and make sure that its customers will have full confidence in it. Companies have turned them not only into a way to ensure better security for their products, but also into a marketing strategy to show that they are doing everything possible to produce safe tools. In this context, some companies have organized themselves to give these tech companies easy contact with potential hackers, fostering a practice that has become almost symbolic. These companies provide a professional framework for cybersecurity specialists working independently, making their skills available to client companies in exchange for bonuses or stable remuneration. These include the American company HackerOne, famous in the industry, and the French company YesWeHack.
The work is organized so as to allow their roster of security researchers, often called bug hunters or even ethical hackers, to explore information systems in search of technical flaws that have not yet been discovered. These are legally regulated activities, since companies tend to mention them in their annual reports. This, of course, attracts even more potential participants. "We managed to earn a $100,000 reward on a bug affecting the Kubernetes platform," explain, for example, Brice Augras and Christophe Hauquiert, two security researchers who operate on HackerOne and Yogosha. If the sums often proposed are attractive, it must be said that the work to be done is quite substantial: "It is the result of 6 months of work for two people. Now, a researcher at the top of the ranking who spends time on it can easily generate between 2,000 and 3,000 euros per month."
So although the proposed amounts may look significant, for most bug hunters, such as Brice Augras and Christophe Hauquiert, it is rather a side activity. "Sometimes you have weekends or nights to work on certain programs, but it is hard to make it a full-time activity. Income is irregular, and it is quite stressful." It is the same for Yann Cam, pentester and lead auditor for a company specializing in computer security: "I have a lot of respect for those who try to live on it, but there is a lack of stability that prevents me from doing this full time. Last year, I had to put together between 300 and 400 bugs, but it is hard to find time to work. We often find ourselves working at night or during our lunch breaks," he notes. If you add family life, the pace of work, the time demands, as well as the frustration of occasionally missing out on certain bonuses, the work becomes tiresome or even professionally uninteresting. "I think it is really important for hunters to take breaks: I see a lot of hunters who throw themselves in, find a critical vulnerability, get caught up in the adrenaline rush and lose their footing a little when they run into trouble," he explains. That is why most researchers see bug bounties as secondary activities to pursue in their free time.
However, despite what can be described as the disadvantages of the job, some have still decided to adopt it full time. Even if they are in the minority, there are certainly some who see bounty hunting as a job in its own right, like Anthony, known as Kuromatae, who has been working this way for the past two years: "What really motivated me was the opportunity to work completely remotely, under the conditions I wanted, but also the fact that I did not feel too constrained by a company framework in terms of the topics I was addressing: bug bounties allow me to touch on everything," he explains. "My goal is to be able to earn at least the annual SMIC. Initially, I was in a mindset where I considered it problematic not to have cash coming in for a month. But in the end, you manage to build up a little bit of a cushion along the way," he continues.