Vickie Li was a college student when she found and reported her first bug, a low-severity vulnerability on a social media platform. The bounty was $100. But the thrill Li got when she saw the security team triage and fix a flaw she had discovered -- on a website she used daily -- was priceless.
With that, Li was hooked. She kept hacking, eventually becoming a full-fledged security researcher who has reported vulnerabilities to major enterprises, including Starbucks, Facebook and Yelp.
Bug hunting can be a lucrative pastime, with a single vulnerability potentially netting a researcher thousands of dollars. Arguably just as important, it can provide a way for cybersecurity professionals to learn and grow. Li, for example, credits the skills and experience she gained as a bug bounty hunter and freelance penetration tester with leading to her current position, a senior security engineer at grocery delivery service Instacart.
In her book, Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities, Li aims to teach aspiring ethical hackers how to become bug bounty hunters. Here, she explains how to choose a bug bounty program, which asset types are best for beginners and more.
Editor's note: This transcript has been lightly edited for length and clarity.
As a college student new to hacking, you landed your first bounty almost immediately. What happened next?
Vickie Li: I had beginner's luck, if you will, because I didn't really have any success for a few months after that. But that early success was enough to keep me going, and I learned a lot about infosec in the process. Bug bounty hunting and writing about my learning journey on my security blog really kick-started my career. It's what led to me finding my first job in the industry and publishing my book.
What advice would you give someone wondering how to become a bug bounty hunter today?
Li: Breaking into bug bounties is becoming more difficult. When you look at the popular programs on bug bounty platforms, like HackerOne and Bugcrowd, there's so much competition. It can be frustrating because you really need to have some early success and positive feedback to keep you going.
I think a good strategy is to avoid focusing on the money at first. Instead, focus on gaining skills and building a reputation by hacking on nonpaying programs. That's unpopular advice because a lot of people want to do bug bounties to earn income, which is totally understandable. But it's really, really difficult if you don't yet have the knowledge or skills to find bugs in the popular programs. So, build up your skills in nonpaying or charity programs first, and then start to move on to those bigger programs.
Maybe you'll even learn enough to branch out from bug bounties. You might be able to get some penetration testing contracts, start a blog or land a side job doing technical writing for a bug bounty platform. I think my own experience with bug bounties helped me learn you shouldn't be myopic in your goals because the field is so vast and there are so many different opportunities. Try to see bug bounty hunting as a starting point and as a learning experience, instead of the be-all, end-all.
What other factors should someone consider when choosing a bug bounty program?
Li: Besides the popularity of the program and the amount of competition you're likely to face, you should also consider response times. Try to find a program that will give you feedback right away so you don't have to wait several weeks just to know whether your submission was valid or not.
It's also helpful to find a program that devotes time to helping its researchers learn. A lot of these engineers are passionate about security. They will discuss bugs with you and explain why something is valid or not, as well as how you can improve your skills and find better bugs in the future.
It's easy to find a program with good response times just by looking at the program metrics on bug bounty platforms. But finding a program with a kind security team that will help you learn and grow is trickier and takes some trial and error. In general, though, there are a lot of great security teams and great bug bounty hunters out there who are willing to push you in the right direction and help you level up.
Speaking of bug bounty platforms, what are the pros and cons of using them?
Li: It really depends on the platform and the program itself. I'm seeing more and more that, if you build up your reputation points on the bug bounty platforms, you can get noticed by and invited to private programs that are less crowded and have less competition. That's a pro. But a con is that there are a lot of people on these platforms and the competition in the public programs will be fierce.
In general, I enjoy using the platforms because I can try out different targets that I might not have hunted on before. You can use a bug bounty platform to explore and say, 'Let's hack a social media platform this time,' or 'Let's hack a mobile application.' It's really good in that it can expose you to a lot of different areas of cybersecurity. But the downside is you're faced with more competition, and it might be hard to get traction in the beginning.
More on Bug Bounty Bootcamp
To learn how to use open source web application fuzzer Wfuzz to conduct automatic vulnerability discovery, check out this excerpt from Chapter 25 of Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities.
For someone looking to become a bug bounty hunter, what kind of asset type -- web applications, APIs, source code, hardware, IoT, etc. -- is generally best?
Li: I think it depends on your experience. Some people already have experience as developers or engineers when they get into bug bounties. In that case, I'd say choose whatever you have experience with. Generally, if you have experience building something, you will also have a better understanding of what kind of security issues could manifest in that type of application or product.
I see people with no experience have the most success with web applications, just because we all interface with web applications every day and kind of understand how they work. And, if you don't understand how to hack web applications and don't have a lot of those fundamental concepts in your repertoire yet, then you'll probably find it difficult to hack other things as well. I think web applications have the lowest barrier to entry into the bug bounty world and also make a good starting point from which to eventually explore other asset types.
What would you say to a new bug bounty hunter who has hit a dry spell?
Li: It comes back to thinking of it as a learning experience. One of the things I like to do when I'm stuck is to learn a new bug type and then start looking for those on the different programs on which I'm hunting. Step back and shift your focus, learn something new, clear your mind a little bit and then come back to whatever you're working on. You might even find you enjoy hunting the new bug type and have some success with that as well.
When I first started bug bounty hunting, if I didn't find a bug, I would get really frustrated and would feel like my progress was stalling. But that really wasn't the case. Even though I was not actively finding bugs, hunting and trying to improve my process was a really good learning experience that eventually led to my career nowadays.
About the author
Vickie Li is a developer and security researcher experienced in finding and exploiting vulnerabilities in web applications. She has reported vulnerabilities to firms such as Facebook, Yelp and Starbucks and contributes to a number of online training programs and technical blogs. She can be found at https://vickieli.dev/, where she blogs about security news, techniques and her latest bug bounty findings.