It might seem to some that $500 or even $3,000 is a paltry sum to earn for spending days looking for a security hole in software. Even $20,000 for a bug is chump change if you have a genius zero-day on your hands that could sell on the exploit black market for four times that amount.
But, as security researcher Charlie Miller points out, it all depends on where you’re standing. A $1,000 bounty for a researcher in New York won’t go as far as the same amount paid to a researcher in India or even in Indiana. But for some, bug hunting can actually bring in a good wage.
Abdul-Aziz Hariri earned more than enough to live on doing freelance bug hunting, during a period when he couldn’t find a job.
Hariri, a 27-year-old Lebanese-Canadian, began submitting bugs full-time after he emigrated from Lebanon to Canada in January 2010 and couldn’t find work. He did it full-time for a year and a half until he found a corporate job doing malware analysis.
Hariri, who has a computer science degree from the University of Balamand in Lebanon, worked eight to 10 hours a day and submitted about 140 bug reports to HP TippingPoint’s Zero Day Initiative bug bounty program during that period. He says he often worked a few days at a time, finding an average of two to three bugs, then would take a break and rest a couple of days.
“You already know you’re getting like $5,000 [for those bugs], so you can just take a break,” he says. He earned more than $50,000 the first year, raking in about $2,000-$2,500 per bug report, and only stopped in 2011 after he found his current job.
After he hit the $50,000 mark, he qualified for ZDI’s Platinum reward, which earned him a $20,000 bonus, plus a free trip to Las Vegas to attend the Black Hat and DefCon hacker conferences, as well as free enrollment in a training class at Black Hat. Hariri turned down the trip because he had his full-time job by then, so ZDI gave him the money that would have paid for his trip and class instead, which came out to another $8,000 on top of his bonus.
He sold vulnerabilities both to ZDI and to a bounty program run by the security firm iDefense, focusing on bugs in server-side applications rather than client-side bugs. These weren’t the most lucrative category of bugs, but he says he focused on them because they were easier to find and he needed a steady and quick income.
By his own admission, the initial bug reports he submitted to ZDI were “pretty bad.”
“I sent them proof-of-concept without in-depth analysis [of the vulnerability],” he says. His 18th report was so disorganized and incomplete, even he didn’t fully understand the nature of the bug he was reporting.
So Aaron Portnoy, head of the ZDI program at the time who recently launched an independent bounty-paying company called Exodus Intelligence, sent him back an in-depth and lengthy analysis of the bug.
“He didn’t know what he was doing,” Portnoy says. “So I spent the weekend and reversed all of what his bug was, got it to trigger with one packet, and reversed exactly what it was.” He then sent Hariri his analysis with a note saying, “Here’s what your bug is, here’s how I debugged it, here’s how I reversed it. Try to give us better information next time.”
Hariri says he learned a lot from the analysis and began submitting better reports. When Portnoy and a colleague later offered a bug-hunting class at a conference in Montreal, Hariri signed up for it.
Hariri says his experience freelance bug hunting gave him great training for his current job as a malware analyst.
“It improved my technical skills,” he says. “They gave me a lot of tips on reverse-engineering and how to debug stuff. It has definitely made [my job] a lot easier.”