It’s taken months of probing, scanning, and attacking, but he’s finally found it. A crack in the wall. A small leak in what is otherwise a fortress. Now all that’s left is expanding that leak into a hole. He gets to work. Slowly but surely the weakness expands. And as it grows, so does the confidence of the attacker. Until eventually, a hole is formed and he can step through it, into Google’s internal computer systems.  

The man above is a bug bounty hunter. Bug bounty hunters are participants in bug bounty programs that companies will set up to gather more information about their level of cyber security. The bounty hunters are given free rein on the company’s websites and when they eventually do find a bug, they get paid by the company based on the severity of the bug. For example, breaking into Google’s internal computer systems would be considered a high-severity bug. 

For the uninitiated, Bug Bounty Hunting might seem like a side hustle at best or a glorified hobby at worst. But in reality, many people can make a living off of it. Since companies pay off how severe a vulnerability is, high-severity bugs can earn a couple of thousand dollars. Bug bounty hunting also offers a way for young people to become interested in computers and more specifically, ethical hacking. “There will be teenagers who will be curious and if you don’t give them away to report it, bad things can happen,” says former bug bounty hunter

Ezequiel Pereira. 

There can be some real benefits to bug bounty hunting and of course some drawbacks. According to Mr. Pereira, boredom and frustration are the number one enemies of a bug bounty hunter. A hunter may poke and prod at a server for months and still not get anything. And of course, there is always the risk that when you do find a bug, it’s not high enough severity to get a decent payout. However, the benefits can sometimes be enough for a tired hunter to push forward. 

Companies also have a lot to gain from these programs. All the money in the world won’t buy a perfect system and creative hackers with time on their hands will almost always find a way in. “Companies can hire security and invest a lot of money into security, but it’s impossible to get it right,” explains Mr. Pereira. Companies also get the advantage of having lots of different people working on their systems all at once in order to cover more vulnerabilities in a shorter amount of time. As they say, many hands make light work. 

Many hands do make light work, but some of those hands get paid a lot more than the others, and for good reason. For example, 21-year-old ethical hacker Santiago Lopez became the first bug bounty hunter to reach one million dollars in bounties. He started hacking when he was 16 years old learning from Youtube and others in the hacker community. Another example is Ezequiel Pereira who earned 36,000 dollars after finding a remote code execution bug in Google’s Cloud Platform console. 

The future of cyber security is bright. Through creative thinking, perseverance, and Youtube, young hackers could one day be famous penetration testers or bug bounty hunters. And in an age where everything is digital, including currency, cybercrime will be on the rise. A need will grow for men and women who can operate and protect the virtual landscape. Programs like bug bounty programs will continue to provide an outlet for computer-savvy teenagers to practice in a way that helps rather than harms others. Hopefully leading to a generation of benevolent hackers.