
I liked this. I also wonder if it'd be worthwhile for me to take a few months off of work and try just poking away at security bounty programs. I doubt it would pay off to start with, but it seems like a pretty lucrative path. I know the OWASP Top 10, but don't really know my way around Burp Suite or anything.


I don't know any program except FB with such bounties for bugs in web apps. If you want to hack for money, focus on FB and forget about the others.



They pay ten times less



Which one is profitable there?


Sign up for Bugcrowd and give it a go in your spare time. I would say it pays really well, in that it forces you to exercise and stretch your brain. Over time you'll start getting better and work up to the point where you could quit your day job and do security full time.


How do things like Bugcrowd (and bug bounties in general) work from a legal point of view? It seems very risky to go poking around without some kind of formal contract with the target.


Bugcrowd has a contract with the target, and with you.


If you decide to give it a shot, pay close attention to the policies and procedures that companies post. Facebook has refused to pay people in the past because they didn't use the framework/channels that they have provided.



