Skip to Content

A Bug-Hunting Hacker Says He Makes $250,000 a Year in Bounty

He probably does, but you shouldn’t quit your day job.
August 22, 2016

It seems like easy money. If you like tinkering with software, some big players in the tech world have a job for you: bug bounty hunter. At least one hacker says he can clear $250,000 a year by doing something that “comes easily”: hunting down vulnerabilities in computer code and then letting the software’s owner know about it.

Bug bounty programs have been around since 1995, but they’ve really taken off in the last few years, after Google and Facebook launched their initiatives in 2010 and 2011. Microsoft, Samsung, Uber, and Tesla (which pays for bugs found in its cars’ software) all have cash-for-bugs schemes. Apple, which was a holdout until earlier this month—and faced criticism for it—now says it will pay up to $200,000 per bug, but you have to be invited. Even the U.S. government got in on the trend earlier this year, with its Hack the Pentagon program.

Secretary of Defense Ash Carter discusses the results of the "Hack the Pentagon" program.

It can seem like a dream career:

Finding a vulnerability or hack “feels exciting, because you are the first person in the world to discover it. It feels good to know that you are somewhere no one else has been,” said Francisco Correa, a 30-year-old bounty hunter who also works with HackerOne.

Correa, who has a beachfront apartment in Chile which he’s fitted out with fiber-optic Internet, began working four years ago with Google’s bug bounty program, and was quickly finding vulnerabilities for Adobe and Microsoft as well.

But the reality is a little more complicated. While a few white-hat hackers probably do laugh all the way to the bank, there is at least some testimony that suggests it’s anything but easy street. As the bug bounty boom was underway in 2014, for example, a post on Reddit gave the impression—both from a would-be bounty hunter’s perspective and a commenter who claimed to run a bug bounty program—of a scrappy, workaday existence that doesn’t pay very well. Less of a path to riches than a desk job in the gig economy.

The claim for the $250,000-a-year salary came from an article in the Guardian on Monday, which ran with the headline “Bounty hunters are legally hacking Apple and the Pentagon—for big money.” It follows the exploits of Nathaniel Wakelam, a 21-year-old who appears to earn a fortune working out of coffee shops.

He probably does. There are other eye-opening numbers as well. Wakelam says a 24-hour bug-hunting binge brought in $3,000, for example. Not bad for a day’s work. Facebook recently paid $10,000 for an Instagram bug—to a 10-year-old.

But the article also says that Bugcrowd, a third-party firm that helps connect companies with bug hunters, has gotten over 50,000 bug submissions in its three years of existence and paid out in excess of $2 million. That would be about $40 per bug submission, but only a small fraction of submissions result in payouts, and the company says the average is about $300. Enough, perhaps, for some money on the side, but it won't leave many people rolling in dough.

(Read more: The Guardian, “Apple Opens Up iPhone Code in What Could Be Savvy Strategy or Security Screwup,” “Online and Self-Employed”)

Keep Reading

Most Popular

wet market selling fish
wet market selling fish

This scientist now believes covid started in Wuhan’s wet market. Here’s why.

How a veteran virologist found fresh evidence to back up the theory that covid jumped from animals to humans in a notorious Chinese market—rather than emerged from a lab leak.

light and shadow on floor
light and shadow on floor

How Facebook and Google fund global misinformation

The tech giants are paying millions of dollars to the operators of clickbait pages, bankrolling the deterioration of information ecosystems around the world.

masked travellers at Heathrow airport
masked travellers at Heathrow airport

We still don’t know enough about the omicron variant to panic

The variant has caused alarm and immediate border shutdowns—but we still don't know how it will respond to vaccines.

egasus' fortune after macron hack
egasus' fortune after macron hack

NSO was about to sell hacking tools to France. Now it’s in crisis.

French officials were close to buying controversial surveillance tool Pegasus from NSO earlier this year. Now the US has sanctioned the Israeli company, and insiders say it’s on the ropes.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.