Hacking on Bug Bounties for Four Years (assetnote.io)
89 points by infosecau on Sept 18, 2020 | hide | past | favorite | 10 comments



I've got to respect the transparency and spirit of this post. Major props. What I really love is seeing all the partnerships that have gone into some of his work over the years. Didn't realize how mammoth of a task some of these reports must have been that were only made possible via collaboration.


Very informative and admirably transparent article.

From the other side (bounty program manager; this was linked to in another article on the assetnote blog):

https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...


A friend of mine looked at the feasibility of getting into bug bounty as a professional career. He mentioned that if you're not specialized in a specific attack, you have no chance.

I think it's quite refreshing to see that Shubham Shah is a strong counter example.


Is he really a strong counter example? If you actually count the bounties he got this year so far, it's less than $50,000. I think he could easily earn more working as some kind of security engineer (with way less flexibility though).


Author of the blog post here. I want to make it clear that I had multiple full-time jobs along the way that paid over 200k AUD/year and it required a lot of effort to do both bug hunting and work full time. I only did bug bounty hunting full time for around a year while I was traveling around Europe. I just really love hacking. Bug bounties landed me my first job in the industry and have led to countless opportunities in my career so far.


Contractor? You are making bank.


Paid in USD, worked remotely (conversion rates)


Automation of niche bug classes is the name of the game for high earners. Or you're the 0.01% and find new vulnerabilities in services that will pay big bucks for them. For example account takeovers in Google, FB and the like or remote code execution in high profile software have payouts that are a minimum of five figures.


Well, he seems specialized in a variety of attacks, but specialization is there nonetheless!


Hey Shubham, nice report and write up.

Do you see much demand on the mobile security side, either as a specialist or focussing on mobile bounties?
