This is the fifth post in our series: "Bug Bounty Hunter Methodology". Read on to learn how you can use bug bounties to build and grow a successful penetration testing or bug hunting career. If you have any feedback, please tweet us at @Bugcrowd.
As the bug bounty market continues to grow and the adoption of bug bounties increases across industries, it has become more and more common for researchers to use their bug bounty experience to grow their career. Bug bounties offer the opportunity for researchers to gain and exhibit real world security experience.
Several successful bug bounty hunters have parlayed their experience into security jobs at major companies. To do this successfully, here are some pro-tips:
- Conduct yourself professionally and respectfully in your communication, in both bug submissions and online communication. Don’t publicly tweet complaints or flame attacks on a company.
- If the bounty program allows public disclosure of findings, request permission from a bounty program to post your major valid bug submissions on your personal blog. Sharing your successful techniques helps others learn and will build your reputation in the security community.
- If you find a bounty program that you like, stick with it and build a relationship with the program owner. Several bounty hunters have been hired by companies that noted the skills from researchers in their bounty program.
- Cite your bounty experience in your resume, with a focus on the high impact vulnerabilities you’ve found and the companies you’ve found them in (just don’t disclose a vendor name unless you’re allowed to!).
- Remember, the security industry is a small industry. Treat others with respect, create high quality work, and network with other security researchers. Companies are often on the hunt for great talent, even contacting Bugcrowd directly for potential hire suggestions. A skilled researcher with a good reputation will have much success and many opportunities
Network with fellow security researchers
The security community is global and very interconnected. Meeting fellow researchers and learning from one another is a great way to increase your skills, grow your professional network, and open yourself up to potential job opportunities. Here are some suggestions for where to meet security researchers:
Twitter List of Bug Bounty Hunters: https://twitter.com/Bugcrowd/lists/security-researchers
Much of the bug bounty community is active on twitter. After you’ve followed @Bugcrowd on Twitter, check out our twitter list to find researchers that are worth following.
IRC: #Bugcrowd on Freenode
Join Bugcrowd’s IRC chat to chat with other researchers in real-time.
The /r/Netsec community on Reddit is one of the best collections of technical security write-ups on the internet. Netsec is constantly updated with new blog posts, presentations and discoveries that have been shared with the security community.
Security Conferences & Meetups:
There are hundreds of security conferences all over the world. Most major cities hold a BSides event, and DEFCON is one of the biggest security events in the world. You may also find a local security meetup on Meetup.com or on OWASP’s website.
Bugcrowd Forum: https://forum.bugcrowd.com