Bug hunters: The hackers earning a lot of money… ethically


The term hacker is often used pejoratively, but the ability to detect weaknesses in companies' software and in the cyber security of their systems is in high demand. Ethical hackers are now earning large amounts of money, and the industry is growing.

James Kettle is a bug hunter – not of the insect kind, but of software.

He scans through pages of code looking for errors – weaknesses that criminals could exploit to gain access to a company’s network and steal data.

His computer science degree was a little slow for his taste, so he looked around for something else to do and came across the “bug bounty” programs run by Google and the browser maker Mozilla.

These are schemes that pay hackers cash for locating errors, or bugs, in companies' software.

“It was really hard work, and it took about 50 hours for each valid bug that I found,” he recalls.

The payoff, besides the cash, was that he was struck by an insatiable desire to keep finding flaws in code. And this eventually became a lucrative career.

And he is very good at his job.


What you need to find bugs
Insatiable curiosity
Solid technical knowledge in web and network technologies
Patience and dedication
Puzzle solving ability

He is now one of the top-earning bug hunters on HackerOne, a service that connects hackers with companies and governments looking for experts to test their software.

These elite ethical, or “white hat”, hackers can earn more than $350,000 (£250,000) a year. Bug bounty programs award hackers an average of $50,000 a month, with some paying $1,000,000 a year in total, say industry experts.

Finding a “zero day” bug – a type of glitch that has never been encountered before – is very rare and may lead to major prizes, perhaps in the hundreds of thousands.

Mr Kettle works at the software company PortSwigger, which makes the Burp Suite of tools that many hackers use to probe websites to see if they are ripe for exploitation.


“I find new ways to hack websites and automate that, and I use the bug rewards to check that my new techniques work,” Mr Kettle tells the BBC.

“It’s fun and challenging.”

Most software contains bugs, because it has been written by fallible human beings, and criminals are constantly scanning code for these vulnerabilities, often using automated tools.

So it’s a race to find these weak points before the bad guys, or “black hat” hackers, do.

The problem is that until recently few companies have had enough eyes to throw at the problem. So they have been crowdsourcing the help of experts through companies such as HackerOne, Bugcrowd and Synack.

These act as agents, vetting the ethics of the hackers, managing the bug bounty programs, verifying the work done, and ensuring confidentiality for their clients.


HackerOne, the largest of the three best-known bug bounty companies, has more than 120,000 hackers on its books and has paid out more than $26m (£18.5m) to date, says Laurie Mercer, a senior engineer at the company.

“Bug bounty programs offer a way for organizations to outsource application security testing, but it has a cost,” says Bob Egner, vice-president of the security firm Outpost24.

“You have to pay a crowdsourcing bug bounty provider to introduce your application to their independent researchers, to manage the program for you, and, finally, to pay for any benefits that are required.”

But the risk of not doing enough to find these vulnerabilities is a possible hack attack resulting in the theft of data, financial loss and reputational damage. According to a recent report from the security firm Nuix, 71% of black hat hackers say that they can breach the perimeter of a target within 10 hours.


Swedish bug hunter Frans Rosen is using his bounty income to finance tech start-ups.

“We use the bug bounty money as growth investment,” he says. “It’s a fun way to use the money.”

The money allows start-ups to get established and do some development of their products or applications, he says. As a former web developer, he knows what can go wrong when websites are being set up and run.

“After we help to get the scale of investment to finance the proper way,” he says.

Not all of the hackers who find bugs work for an established security company, however, so being represented by a company such as HackerOne or Bugcrowd gives them credibility when they want to alert companies to security vulnerabilities.

Security assessor Robbie Wiggins says telling a company that its website or application can be hacked is always tricky.


Often there is no formal reporting structure, he says, apart from a generic admin email address. Bug bounty companies help to get bug reports in front of the right people.

But the rapid growth in bug bounty programs and major cash prizes has made it a crowded field, he says.

“It is constantly changing, and searching for bugs is much more difficult.”

So he specializes in finding companies that have made errors with their Amazon cloud storage accounts. So far, he has found more than 5,000 that seem to have been wrongly left open to the public.

“Bug bounty hunting is now a hobby, and it helps when I need a bit of extra money for the kids,” he says.

Another advantage of these programs is that they can keep hackers away from the dark side.

“Bug bounty programs offer a legal alternative for tech-savvy individuals who might otherwise be inclined towards the nefarious activities of actually hacking a system and selling its data illegally,” says Terry Ray, chief technology officer for data security company Imperva.

Maybe it’s time more hackers came in from the cold?