    Business Impact

    Courtesy of Evan Ricafort

    Life as a bug bounty hunter: a struggle every day, just to get paid

    Independent cybersleuthing is a realistic career path, if you can live cheaply.

    Evan Ricafort works from home, his office taking up a room in a house that he shares with his family along a national highway in the Philippines. While the 22-year-old’s parents go to work at a convenience store the family owns in the southern town of Ipil, he spends up to 75 hours a week inside, plugging away at his tricked-out computer. There, amidst a cacophony of motorcycles, barking dogs, and wailing babies, he could be saving your personal data.


    Ricafort is a bug hunter, a name given to a particular breed of do-good hackers who search for vulnerabilities in the software built and owned by some of the world’s largest tech companies before they can be exploited by bad guys. They don’t do it for free, of course: many companies pay (and sometimes pay pretty well) for submissions that help them shore up the code their business depends on. There’s enough of this going around that being a bug bounty hunter is something of an emerging occupation.

    But Ricafort doesn’t have a professional degree in computer science or coding. After one of his friends started posting about the bounties he was earning as a bug hunter, Ricafort took to the internet, reading up on blogs from other security researchers and tirelessly watching videos to learn the trade. His first bounty, he says, was nothing more than “a $50 bug from a random company.” But the thrill of the hunt had him hooked, and in 2014 it became his full-time career.

    At first, his friends and family didn’t understand, but after he explained his work and the bounties began to roll in, they realized this was a real career option. And one with purpose. “You are also helping not just the company, but the whole community. The users and the people using the company,” Ricafort says.

    Over the past four years, he has found vulnerabilities in the code of more than 200 companies, including Apple, Google, Microsoft, PayPal, Yahoo, IBM, and Twitch. Last year he landed his largest payout to date: a cool $5,000 (for a company he says he can’t name). “That was life-changing. I can’t put into words how it felt,” he says. He celebrated as any 21-year-old would: he did some traveling and bought himself a new toy, in the form of a BMX bike.


    But the bug he’s probably best known for—the one that in many ways put him on the map of serious bug hunters—didn’t bring in a penny. Back in 2014 he spotted a flaw in Google Nest that could allow attackers to gain access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of items such as passports and ID cards. The find earned him a place in Google’s Vulnerability Reward Program hall of fame, but the company’s security team said the problem lay with a third-party software vendor and therefore wasn’t eligible for a payout (he has, however, been paid by Google for other bugs he’s uncovered).


    Unfortunately, that failure to get paid wasn’t an isolated incident. Other companies have offered him everything from swag to a tour of the US Capitol instead of money. And while Ricafort says he enjoys his shirt from the Dutch government that reads “I hacked the Dutch government and all I got was this lousy t-shirt,” it doesn’t help make ends meet.

    Nevertheless, he says he makes enough to get by: in an average month he estimates he earns around 10,000 Philippine pesos (equal to about $187), roughly an average salary in his country, while in a good month he might bring in 20,000 to 30,000 pesos ($374 to $561).

    For many bug hunters, that’s how it goes: big fluctuations in pay, and often living on wages that would be untenable in an expensive Western country. That could be starting to change, though. Companies like Bugcrowd and HackerOne (both of which Ricafort has worked with) are making things easier for the bug-hunting community by offering schemes where hunters can earn more regular pay and get connected to companies that are willing to shell out. (For a deep dive into companies that help bug hunters get contracts, see “Crowdsourcing software bug hunters is a booming business—and a risky one.”)


    Either way, Ricafort says, he enjoys the impact his work has. While he says he’d entertain the right offer for a full-time cybersecurity position, he feels he can make the biggest difference where he is now: fighting vulnerabilities in the background. As he put it, “My heart is for the bug bounty.”

    This article is part of a series on jobs of the future.
