Highest Rated Comments
zamboya (13 karma)
Michiel here. For me personally it has been really helpful to know how to build software first. I learned quickly how easily humans make mistakes or underestimate things when building software. These mistakes have a high likelihood of becoming a vulnerability. Knowing how to write software, combined with the curiosity that comes naturally to most hackers, you will quickly start finding these mistakes and finding ways to turn them into an advantage.
To kickstart your bug bounty career, here are a few great resources to get started:
- The e-book Web Hacking 101 written by Pete Yaworski. The book is based on public disclosures of vulnerabilities. No better resource to learn than from real vulnerabilities that were fixed. You can grab a free copy here: https://hackerone.com/blog/Hack-Learn-Earn-with-a-Free-E-Book
- https://hackerone.com/hacktivity - a feed of real vulnerabilities that get publicly disclosed by many different hackers in the community. Learning how other hackers find bugs and how they report them is invaluable.
- The Web Application Hacker’s Handbook: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
- A blog on “how to become a successful bug hunter”: https://hackerone.com/blog/what-great-hackers-share
- The 5 things top bug bounty hunters do differently: https://hackerone.com/blog/5-things-top-bug-bounty-hunters-do-differently
- … and last: my favorite, a comic about bug bounties: https://hackerone.com/blog/how-a-bug-bounty-works-comic.
zamboya (6 karma)
Michiel here. Burp Suite is a GREAT tool and nearly every web app hacker that I know uses it.
I personally pay for every tool/software that helps me. It provides me value, so I think it is fair to pay for it. A team of developers invests a lot of time and money to provide an excellent tool. It’s a trade of value.
And if you’re a bug hunter, paying for a Burp Suite Pro license pays off within days. :)
zamboya (5 karma)
Mr. Robot! I wish it was an actual Netflix show, though. I love finding all the easter eggs and hints. Great show and they put A LOT of effort into getting it right and hiding things in plain sight!
zamboya (5 karma)
Michiel here. There is big money in private and public bug bounty programs! Our algorithm invites researchers to private programs based on reputation. Keep hacking and it will increase your chances of getting invites. Check out the blog for more specifics: https://hackerone.com/blog/fair-and-transparent-hacker-invitations
zamboya (13 karma)
Michiel here. Some hackers do it full time, day and night. Some have day jobs and casually hack on the side. The amount of time you put into it influences your earnings, as well as skill.
The average bounty on the platform is around $500. Depending on how much time you invest, you will either find tens or hundreds of bugs on an annual basis. While the top hackers easily take home 6 figures, the community consists of mostly casual hackers who have day jobs. This category (50%) makes around $20K or less. The next biggest group is anywhere between $20K and $35K. Around 6% of the community takes home 6 figures or more.