This year, Santiago Lopez, a 19-year-old hacker from Argentina, became the world’s first bug bounty hacker to earn $1 million from hacking. This was a huge milestone for the hacker community as it gives a glimpse into the potential earnings of a hacker working to make the internet safer. What is even more remarkable is that Santiago is self-taught, demonstrating that one doesn’t need a University education to earn a living as a hacker.
According to a recent study, 81% of hackers point to online resources and blogs as their primary source for hacking education, while just six percent have completed a formal class or certification on hacking.
Bug bounty hackers are filling a new niche that is in high demand in the booming cybersecurity job market. Organizations like Starbucks, Verizon Media, Toyota, Airbnb and even government agencies such as the US Department of Defense are working with ethical hackers to find security vulnerabilities in their systems before they can be exploited. These organizations are increasingly relying on the hackers as another layer to keep their customers safe and many are willing to pay top dollar for these vulnerabilities.
According to a recent study, companies pay an average of $2,000 for a critical vulnerability, with bounties as high as $100,000 for a single flaw. Organizations and government agencies are attracted to bug bounty programs because they can work with some of the brightest minds without being geographically restricted or having to go through lengthy recruitment processes. To put this into perspective, the US saw more than 313,000 cybersecurity job openings between September 2017 and August 2018.
Hackers are now building successful careers with bug bounties. Hacking is becoming one of the most lucrative jobs in the world, earning more than physicians and architects in the US. A physician earns an average of $195,000 and an architect earns an average of $115,000; meanwhile, the top paid hackers are earning three times that as some companies are paying out millions each year. HackerOne has a community of over 400,000 hackers. These hackers were paid over $19 million in 2018 alone and more than $50 million in total, all in the name of making the Internet safer.
Considering all the benefits on offer, including a flexible work schedule, a great deal of autonomy, an active community to learn from and a potential to earn good money, how can you embark on a career as a hacker? The best news is that one doesn’t need to go back to school. Many skills required to become a successful hacker can be learned online, for free or minimal cost. Anyone with the drive and high degree of curiosity can become a hacker.
So where to start?
Embarking on a career in hacking has never been more encouraged or more rewarding, both financially and personally. Even though anyone can essentially teach themselves how to hack with the tools available online today, the one skill hackers must inherently have is the ability to problem solve and a strong sense of curiosity around how technology works and how it could possibly fail us. With that, here are my top resources to learn how to hack:
Top Free Reads & Videos
- WebHacking 101; HackerOne offers a free e-book version to get you started. This eBook is written by one of our hackers and Shopify engineers - Peter Yaworski -and is based on real vulnerability reports disclosed on HackerOne’s Hacktivity pages.
- Getting Started in Bug Bounty - by Sahil Ahamed, Security Engineer at Zomato.
- How to become a successful bug bounty hunter - HackerOne blog.
- YouTube video “How to get started in bug bounty - 9 X Professional Tips”
- Not to toot our own horn here, but with the help of Cody Brocious, head of hacker education at HackerOne, we’ve created our very own guide written by hackers for hackers, titled “Resources for Beginning Bug Bounty Hunters" and it’s a pretty good one. This is a great place for new hackers to learn the basics of Web Application Security.
Top Free hacking training tools:
- Cybrary, a free platform for cybersecurity training provides world class training and materials
- Bug Hunter University Google's Bug Hunter University. This resource was created by the Google Security Team for members of Google’s Vulnerability Reward Program bug hunter community and provides great vulnerability reports. The team provides various tips and behind-the-scenes knowledge for anyone looking to learn how to become a bug hunter.
- Hacker101.com offers free classes in web security and is geared for anyone interested in bug bounties for all levels. Most of the classes are led by HackerOne’s very own Cody Brocious, Head of Hacker Education.
- HackerOne’s Hacktivity showcases thousands of publicly disclosed reports to learn from. In fact, many of our hackers have learned to hack by reading these publicly disclosed vulnerability reports.
- HackEdu, offers interactive web application security training courses, including both free and paid for programs. The free program offers SQL injection courses, 6 public vulnerability sandboxs to test your hacking skills, and a variety of practices and challenges. In fact, HackEdu provides free training modules using real world vulnerabilities found on the HackerOne platform, that are now available in sandboxed environments
- HacktheBox, dubbed as ‘a massive playground’ to learn pen-testing skills offers both free and paid VIP programs to hone your pen-testing skills, which is another great way to develop a career in hacking.
- Portswigger’s Burp Suite has been the first scanner to detect vulnerabilities and is available for minimal costs to security researchers and hobbyists. Hackers should start using Burp Suite once they start looking for more complex bugs and are in need of automation. Portswigger also offers Web Security Academy, free training on web security vulnerabilities, techniques for finding and exploiting bugs.
The ethical hacking industry is booming and, whether you are looking for a lucrative hobby or full-time pursuit, there is no better time to embark on a career as a hacker. My recommendation is to start first with the free resources, learn them very well, and then apply the knowledge gained on real bug bounty programs like those found on HackerOne. Spending money on paid programs are worth it as a supplement to learn more and learn faster.
Ben is Hacker Operations Lead at HackerOne, the #1 most popular bug bounty platform by day, and a hacker by night. Prior to joining HackerOne, he has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, Github, and more. He also invested time in the security community, by creating a community of 200+ active hackers who share ideas and their experience. He also holds free workshops and training session to teach others about security and web application hacking.