Previously, in The Personalities that Put the “Crowd” in Bugcrowd (Part 1 of 3), I covered both the “Knowledge-Seeker” and “Hobbyist” personality types as part of the five distinct personalities that make up our crowd of over 65,000 security researchers. In order for companies to run successful bug bounty programs, it's important to understand researcher motivations - and to that end I will be covering the next two personality types in this post: those being “Full-Timer” and “Virtuoso”. If you want to learn more about all five personalities, along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. And with that, let’s dive right in!
The Full-Timers are the “soldiers of fortune” of bug bounty hunting - which is something that nearly every security researcher aspires to be. Unlike “Knowledge-Seekers”, who above all else Hack-to-Learn, the Full-Timer generally keeps a vast wealth of knowledge at the ready. In fact, it’s likely they’ve developed their own custom tools to increase their efficiency and throughput. Moreover, for the Full-Timer, this isn’t about “having fun” (okay - maybe it is, but not so much as the Hobbyist) - it’s about supporting their lifestyle.
At this point, I’m sure you’re probably wondering - so how do Full-Timers make enough money to stay ahead of their living expenses? Part of the answer lies in the age-old real estate phrase: “Location, Location, Location.” Although there are a handful of Full-Timers based in the United States and Great Britain, many of these security researchers live in parts of the world where the cost-of-living is substantially lower. Since most bounty payments come in the form of U.S. dollars - exchange rates are favorable, and thus these Full-Timers can afford to support themselves on the money they make from bug bounties. With that said, it should also be mentioned that there are many bounty hunters that pull-in north of $100k annually - with a subset of those individuals making several hundred thousand dollars each year. Make no mistake - bounty hunting can be a profitable venture if you’re clever enough to leverage low-profile vulnerabilities into more impactful findings, and you’re persistent enough to do so.
The other part of this answer comes from the fact that these researchers are naturally talented in building and leveraging their own tools to maximize efficiency. Why report a finding that affects just one customer, when I can automate finding a vulnerability - and report it separately - to ten customers, or even a hundred? For a Full-Timer, the sky’s the limit if they’re talented enough to build their own tools, keep good notes, and keep track of multiple programs at once.
So how do you draw a Full-Timer’s attention to your program? Bring them in at the very beginning, and entice them to stick around with higher rewards over time. The knowledge that a Full-Timer will acquire from participating in your program may be valuable to them in other programs - so as long as they are given regular feedback, they are likely to stick around for a while before moving on to greener pastures. Finally, if you broaden your scope over time you’re likely to keep their attention with each new target.
Virtuosos are the real-life wizards of the bug bounty world; they’re a rare breed, and if you’ve got a nagging suspicion that there are lingering vulnerabilities in your code - then it’s only a matter of time until a Virtuoso finds it. Unlike the Hobbyist who hunts for fun and profit, the Virtuoso hunts for sport - seeking out the challenges presented by testing production-quality code, and finding those vulnerabilities hidden beyond the reach of other hunters. By-far the most experienced of all Security Researcher personalities, the Virtuoso cares most about achieving excellence; they constantly strive for conquering their next “Everest”, and bring their experience to bear on every new program they join.
So who are these Virtuosos, you might ask? Well, they’re the senior security consultants you contract with; the instructors of expert-level trainings; the researchers who have CVE’s associated with their work; and the speakers that give expert-level talks at the world’s most prolific information security conferences. They are professionals, and they join bug bounty programs because every new target is a chance for adventure. Having a Virtuoso join your program is like winning the vulnerability lottery.
So how do you attract a Virtuoso to your program? Provide them with challenging targets, communicate with them regularly, and most importantly - treat them with the respect they have earned. Building a good working relationship with the Virtuosos who join your program will lead to the discovery of the most terrifying bugs - which, at the end of the day, are the bugs with the highest value to your organization. Thank them for their work, pay them well, and they will become your strongest ally in the hunt for bugs.
Until next time
With that - check back next week for Part 3 of this series where I’ll discuss how to appeal to the Protectors, as well as share with you my hypothesis on why the plummeting cost of disk space has changed the history of security testing for the better. Until next time - happy hunting!