In January 2020, Microsoft said it would pay security researchers from US$5,000 to US$20,000 for reporting vulnerabilities in its Xbox video game service. Intel is said to offer up to US$30,000 for critical bugs.
Yahoo is more selective, limiting its US$15,000 reward to important bugs in its systems, and no reward is offered for bugs found in yahoo.net, Yahoo 7, Yahoo Japan, Onwander and Yahoo-operated WordPress blogs.
Apple is said to offer US$100,000 to those who can extract data protected by Apple’s Secure Enclave technology.
To be clear, there are no standard rates for bug bounty rewards. But there is certainly ample opportunity for researchers interested in making a living as a bug bounty hunter.
During the month of International Women’s Day, FutureCIO contacted Alyssa Herrera, a bug bounty hacker on HackerOne, to get her thoughts on women hackers.

What’s the biggest misconception businesses have about hackers and HackerOne?
Alyssa Herrera: The most common misconception out there is the view that hackers are malicious and intending to harm businesses. However, these beliefs are now slowly fading with the growing demonstration that hackers are good and empowering companies to improve their overall security.
The perception is definitely changing and a growing number of companies are now happily embracing hackers or bug bounty platforms like HackerOne for instance.
Are you still a full-time bug bounty hunter?
Alyssa Herrera: I’m still a full-time hacker, generally focused on bug bounties, but I’ve branched out to doing mentorship programs in which I teach new hackers as well as experienced hackers, while giving back to the security research community and helping to cultivate the next generation of hackers in the world.
You’ve said you specialise in SSRF and IDOR. Do you ever take on jobs involving more common issues like SQL injection and DDoS attacks?
Alyssa Herrera: I don’t always tend to focus on those two, but I’m mostly familiar with SSRF, IDOR attacks and other esoteric attacks such as image/file parser-based attacks. It’s part of the learning process to focus on certain vulnerability types first to understand them fully and then move to another type to understand it more. It’s how you grow as a hacker and expand your knowledge and understanding of it.
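The two bug classes named above, IDOR and SSRF, in their simplest form. This is an added illustration written for this page, not code from the interview or from HackerOne: the invoice data, the `ALLOWED_FETCH_HOSTS` allowlist and the function names are all hypothetical. It shows an IDOR-prone lookup beside one that ties authorisation to the object, and a pre-resolution SSRF check that refuses non-http schemes, IP literals and hosts outside an allowlist, plus the address test that must be re-applied once a hostname has actually resolved.

```python
"""IDOR and SSRF illustration (added example, not from the interview)."""
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample data: invoices keyed by a predictable integer id.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 75},
}


def get_invoice_vulnerable(invoice_id, user):
    """IDOR: any authenticated user can read any invoice by guessing the id."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(invoice_id, user):
    """Authorisation is tied to the object: the id alone grants nothing.

    Missing and foreign invoices return the same value so the endpoint does
    not become an id-enumeration oracle.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return None
    return inv


# Hypothetical allowlist for a "fetch this URL" feature (e.g. load image by URL).
ALLOWED_FETCH_HOSTS = {"images.example.com"}


def is_internal_ip(ip_str):
    """True for addresses an SSRF payload typically targets: loopback, RFC 1918,
    link-local (169.254.169.254 cloud metadata), unspecified, multicast, reserved.
    Apply this to the address the hostname actually resolved to, at connect time."""
    ip = ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def is_safe_fetch_url(url):
    """Pre-resolution check: http(s) only, no IP literals, host must be allowlisted.

    urlparse().hostname strips userinfo and port, so
    'http://images.example.com@127.0.0.1/' is judged by its real host, 127.0.0.1.
    This check alone does not cover DNS rebinding or HTTP redirects: re-check the
    resolved address with is_internal_ip() and re-validate every redirect target.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    host = parts.hostname
    try:
        ip_address(host)
    except ValueError:
        return host in ALLOWED_FETCH_HOSTS   # hostname; .hostname is already lowercase
    return False  # bare IP literal, internal or not, is refused under an allowlist policy


if __name__ == "__main__":
    print(get_invoice_vulnerable(102, "alice"))   # bob's invoice leaks to alice
    print(get_invoice_fixed(102, "alice"))        # None
    print(is_safe_fetch_url("http://images.example.com@127.0.0.1/"))  # False
    print(is_internal_ip("169.254.169.254"))      # True
```

The fixed lookup returns the same `None` for "does not exist" and "not yours"; a distinct 403 would tell a tester which ids are valid. The URL check deliberately runs before any DNS lookup, which is why it cannot be the only check.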
Do you prefer working in groups or alone?
Alyssa Herrera: Groups typically are the best to work in as you can all add in your own knowledge and tackle various issues that you might have not been able to by doing it yourself. It’s also generally the best way to learn new techniques and share your own knowledge and apply it as such. It’s why a lot of bug bounty groups are now popping up as a lot of hackers realise you can cover more ground this way while helping each other tackle hurdles.
Is there a specific industry that you enjoy more for bug hunting? (government, automotive, retail, healthcare, financial services, etc.)? Or, is it based more on attack surface and scope of the program?
Alyssa Herrera: It depends on both the attack surface and scope as well as the industry type. But my favourites are typically governmental and military programs as they provide a lot of new challenges, given the software technology used. A close second favourite of mine would be healthcare.
As far as scope goes, if a company has a very open scope and quite a lot of assets that are allowed to be tested, then I generally will focus on them more because it gives me lots of room to work with and I get a better understanding of how they organise their infrastructure.
How did you learn your hacking skills?
Alyssa Herrera: I taught myself with resources that were freely made available by other security researchers in the field and I practiced on various capture the flag websites like root-me. I’ve also learned from some hackers that I’ve known in the community.
Do you have any advice for new hackers?
Alyssa Herrera: The best advice I could give is to both ask for help if you need it and keep learning. Many hackers in the community are quite willing to help with questions, and there are lots of resources available aimed at new hackers.