Life as a bug bounty hunter: a struggle every day, just to get paid

Evan Ricafort works from home, his office taking up a room in a house that he shares with his family, which sits along a national highway in the Philippines. While the 22-year-old’s parents go to work at a convenience store the family owns in the southern town of Ipil, he spends up to 75 hours a week inside, plugging away at his tricked-out computer. There, amidst a cacophony of motorcycles whizzing by, barking dogs, and wailing babies, he could be saving your personal data.

Ricafort is a bug hunter, a name given to a particular breed of do-good hackers who search for vulnerabilities in the software built and owned by some of the world’s largest tech companies before they can be exploited by bad guys. They don’t do it for free, of course: many companies pay (and sometimes pay pretty well) for submissions that help them shore up code that their business depends on. There’s enough of this going around that being a bug bounty hunter is something of an emerging occupation.

But Ricafort doesn’t have a professional degree in computer science or coding. After one of his friends started posting about the bounties he was earning as a bug hunter, he was intrigued. Ricafort took to the internet, reading up on blogs from other security researchers and tirelessly watching videos to learn the trade. His first bounty, he says, was nothing more than “a $50 bug from a random company.” But the thrill of the hunt had him hooked, and in 2014, it became his full-time career.

At first, his friends and family didn’t understand his career path, but after he explained his work and the bounties began to roll in, they realized this was a real career option. And one with purpose. “You are also helping not just the company, but the whole community. The users and the people using the company,” Ricafort says.

Over the past four years, he has found vulnerabilities in the code of more than 200 companies, including Apple, Google, Microsoft, PayPal, Yahoo!, IBM, and Twitch. Last year, he landed his largest payout to date: a cool $5,000 USD (for a company he says he can’t name). “That was life-changing. I can’t put into words how it felt,” he said. To celebrate, he did what any 21-year-old would: he did some traveling and bought himself a new toy, in the form of a BMX bike.

Courtesy of Evan Ricafort

But the bug he’s probably best known for—the one that in many ways put him on the map of serious bug hunters—didn’t bring in a penny. Back in 2014 he spotted a flaw in Google Nest that could allow attackers to gain access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of items such as passports and ID cards. The find boosted him into Google’s Vulnerability Reward Program hall of fame, but the company’s security team said it was a problem with a third-party software vendor and therefore wasn’t eligible for a payout (he has, however, gotten paid by Google for other bugs he’s uncovered).

Courtesy of Evan Ricafort

Unfortunately, it wasn’t an isolated incident. Other companies have offered him everything from swag to a tour of the US Capitol instead of payment. And while Ricafort says he enjoys his t-shirt from the Dutch government that reads “I hacked the Dutch government and all I got was this lousy t-shirt,” when you are trying to make ends meet, money talks.

Nevertheless, he says he makes enough to get by—on an average month he estimates he makes around 10,000 Philippine pesos ($187 USD), about an average salary in his country, while on a good month he might bring in between 20,000 and 30,000 Philippine pesos ($374 USD-$561 USD).

For many bug hunters, that’s how it goes: big fluctuations in pay, and often living on wages that would be untenable in an expensive Western country. That could be starting to change, though. Companies like Bugcrowd and HackerOne (both of which Ricafort has worked with) are making things easier for the bug hunting community by offering schemes where hunters can earn more regular pay, and be connected to companies who are willing to shell out. (For a deep dive into companies that help bug hunters get contracts, see “Crowdsourcing software bug hunters is a booming business—and a risky one”.)

Either way, Ricafort says he enjoys the impact his work has. While he says he’d entertain the right offer for a full-time cybersecurity position, he feels like he can make the biggest difference where he is now: fighting vulnerabilities in the background, vying for his bounties. As he put it, “My heart is for the bug bounty.”
