Hacking on Bug Bounties for Four Years (opens in new tab)

(blog.assetnote.io)

89 pointsinfosecau5y ago10 comments

10 comments

I've got to respect the transparency and spirit of this post. Major props. What I really love is seeing all the partnerships that have gone into some of his work over the years. Didn't realize how mammoth of a task some of these reports must have been that were only made possible via collaboration.

mellosouls5y ago

Very informative and admirably transparent article.

From the other side (bounty program manager -this was linked to in another article on the assetnote blog):

https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...

melvinroest5y ago

A friend of mine looked at the feasibility of getting into bug bounty as a professional career. He mentioned that if you're not specialized on a specific attack, you have no chance.

I think it's quite refreshing to see that Shubham Shah is a strong counter example.

Hitton5y ago

Is he really strong counter example? If you actually count bounties he got this year so far, it's less than $50,000. I think he could easily earn more working as some kind of security engineer (with way less flexibility though).

infosecauOP5y ago

Author of the blog post here. I want to make it clear that I had multiple full-time jobs along the way that paid over 200k AUD/year and it required a lot of effort to do both bug hunting and work full time. I only did bug bounty hunting full time for around a year while I was traveling around Europe. I just really love hacking. Bug bounties landed me my first job in the industry and have led to countless opportunities in my career so far.

1 more reply

doopy15y ago

Automation of niche bug classes is the name of the game for high earners. Or you're the 0.01% and find new vulnerabilities in services that will pay big bucks for them. For example account takeovers in Google, FB and the like or remote code execution in high profile software have payouts that are a minimum of five figures.

agustif5y ago

Well, he seems specialized on a variety of attacks, but specialization is there nonetheless!

pakwa5y ago

Hey Shubham, nice report and write up.

Do you see much demand on the mobile security side, either as a specialist or focussing on mobile bounties?

j / k navigate · click thread line to collapse