Courtesy of Evan Ricafort

Business Impact

Life as a bug bounty hunter: a struggle every day, just to get paid

Independent cybersleuthing is a realistic career path, if you can live cheaply.

Aug 23, 2018

Evan Ricafort works from home, his office taking up a room in a house that he shares with his family along a national highway in the Philippines. While the 22-year-old’s parents go to work at a convenience store the family owns in the southern town of Ipil, he spends up to 75 hours a week inside, plugging away at his tricked-out computer. There, amidst a cacophony of motorcycles, barking dogs, and wailing babies, he could be saving your personal data.


Ricafort is a bug hunter, a name given to a particular breed of do-good hackers who search for vulnerabilities in the software built and owned by some of the world’s largest tech companies before they can be exploited by bad guys. They don’t do it for free, of course: many companies pay (and sometimes pay pretty well) for submissions that help companies shore up the code their business depends on. There’s enough of this going around that being a bug bounty hunter is something of an emerging occupation.

But Ricafort doesn’t have a professional degree in computer science or coding. After one of his friends started posting about the bounties he was earning as a bug hunter, Ricafort took to the internet, reading up on blogs from other security researchers and tirelessly watching videos to learn the trade. His first bounty, he says, was nothing more than “a $50 bug from a random company.” But the thrill of the hunt had him hooked, and in 2014 it became his full-time career.

At first, his friends and family didn’t understand, but after he explained his work and the bounties began to roll in, they realized this was a real career option. And one with purpose. “You are also helping not just the company, but the whole community. The users and the people using the company,” Ricafort says.

Over the past four years, he has found vulnerabilities in the code of more than 200 companies, including Apple, Google, Microsoft, PayPal, Yahoo, IBM, and Twitch. Last year he landed his largest payout to date: a cool $5,000 (for a company he says he can’t name). “That was life-changing. I can’t put into words how it felt,” he says. He celebrated as any 21-year-old would: he did some traveling and bought himself a new toy, in the form of a BMX bike.


But the bug he’s probably best known for—the one that in many ways put him on the map of serious bug hunters—didn’t bring in a penny. Back in 2014 he spotted a flaw in Google Nest that could allow attackers to gain access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of items such as passports and ID cards. The find boosted him into Google’s Vulnerability Reward Program hall of fame, but the company’s security team said it was a problem with a third-party software vendor and therefore wasn’t eligible for a payout (he has, however, gotten paid by Google for other bugs he’s uncovered).


Unfortunately, that failure to get paid wasn’t an isolated incident. Other companies have offered him everything from swag to a tour of the US Capitol instead of money. And while Ricafort says he enjoys his shirt from the Dutch government that reads “I hacked the Dutch government and all I got was this lousy t-shirt,” it doesn’t help make ends meet.

Nevertheless, he says he makes enough to get by—in an average month he estimates he makes around 10,000 Philippine pesos (equal to about $187), about an average salary in his country, while in a good month he might bring in 20,000 to 30,000 pesos ($374 to $561).

For many bug hunters, that’s how it goes: big fluctuations in pay, and often living on wages that would be untenable in an expensive Western country. That could be starting to change, though. Companies like Bugcrowd and HackerOne (both of which Ricafort has worked with) are making things easier for the bug-hunting community by offering schemes where hunters can earn more regular pay and get connected to companies that are willing to shell out. (For a deep dive into companies that help bug hunters get contracts, see “Crowdsourcing software bug hunters is a booming business—and a risky one.”)

Either way, Ricafort says, he enjoys the impact his work has. While he says he’d entertain the right offer for a full-time cybersecurity position, he feels he can make the biggest difference where he is now: fighting vulnerabilities in the background. As he put it, “My heart is for the bug bounty.”

This article is part of a series on jobs of the future.