Bug Bounties and Mental Health

In this post I want to discuss hunting for bugs, the effect on a hacker’s mental health, burn out, and productivity.

My other posts have better stock images.

About Me

Hi, I’m Nathan, and I’m a (now) full time bug bounty hunter. Since 2015 I’ve been participating in bug bounty programs and I’ve earned tens of thousands of dollars in rewards. I’ve worked with some amazing companies and found some really neat bugs, and I’ve also completely burned out and gone months without even attempting to find a vulnerability. Having heard similar stories from other bounty hunters, I wanted to share my personal experiences in the hope someone will benefit.

The Sell

Bug bounties are a great way to make money. Google, Facebook, PayPal, Imgur, Uber, and many more companies give monetary rewards for valid vulnerability reports. What’s not to love?!

Bug bounty programs have changed lives. They’ve certainly changed mine for the better. I’ve seen hackers on Twitter who’ve bought cars, houses, holidays, computer gear, paid off loans and debt, donated to charity, all with money they’ve earned from bug bounties. You have no boss, you choose which companies you want to work with, when you want to work, and how often. You don’t need a computer science degree or have to pass a test. You pick a program (or twelve), read their rules and scope, and start hacking. Particularly for people who are less fortunate and don’t have the same opportunities others might, bug bounties are a great source of money, experience, and enjoyment.

Personally, I’ve earned enough money to travel the world while continuing doing what I love. The last few years have been amazing.

But It’s Not All Plain Sailing

Bug bounty programs have their downsides too. It’s a highly competitive scene. You can feel pretty down when you discover someone reported the same vulnerability a day, a week, or a month before. If the team is slow to fix bugs then they’re more likely to get duplicate reports, and it can feel like time wasted for everyone.

sadface.jpg

Sometimes communication with the team will break down. You might get a bounty lower than expected. Perhaps the team has a different opinion on the severity of what you’ve reported, or maybe the program silently dies and you don’t even receive a reward. These are all real scenarios that I or others have experienced, and often it’s out of your control.

If you’re not finding bugs at all it’s very easy to feel like an imposter and start questioning your abilities. Maybe you need to improve your skills, maybe you’re searching in the wrong place, or maybe you’re just unlucky. Bounty hunters will spend the majority of their time learning about the application they’re testing, understanding how it responds to different input, and often not finding anything. This, I believe, is the main source of stress and anxiety when it comes to finding bugs.

If you push yourself too hard, you’ll get burned out. You’ll lose motivation, run into writer’s block, and feel like it’s impossible to continue. It might be days, weeks, or even longer before you feel confident enough to start again. It sucks. Burning out multiple times is not unheard of, either.

Self Care Is Important

How you approach bug bounties can have a big effect on how stressful you find it and how fast and often you burn out. As bounty hunters we want to find vulnerabilities and the more pressure we put on ourselves the worse our mental health is going to suffer.

Found a duplicate? That’s awesome! Congrats friend, you found a valid vulnerability. Yes, it sucks that you’re not getting paid, but you will next time. The time you’ve spent finding that vulnerability has been time spent learning and challenging yourself. It’s experience, and experience is a big factor when it comes to finding vulnerabilities, especially more obscure ones. Take it as a win, not a failure.

Forgoing sleep for a few more hours of searching is something I’m very familiar with, but it does nothing but wreck your sleeping pattern and make you feel worse when you’re awake. Waking up with a clear mind and feeling well rested will make testing less of a chore and you’ll be able to think straight. Anybody worth their salt will tell you how important sleep is.

Productivity isn’t how many hours you work, but how efficient those hours are. If you’re using your energy to try and find a bug, but you’re tired as fuck, you’re less likely to find one. These days, as a full time bug hunter, I treat my work like I used to treat coding back when I was a kid. I do it for fun. I throw on some music, open burp suite, and see what I can find. When I’m feeling stressed or tired, I’ll stop and do something else. Have a glass of water, sit outside, go for a walk, browse Twitter, anything which gives my brain a chance to cool down. Before jumping straight back into it, I might even read a few blog posts about different techniques to give myself new ideas and to pull myself away from what wasn’t working. When you’re your own boss you don’t need to be an asshole to the person doing the work.

I tried giving myself deadlines and daily goals, but it just didn’t work for me. Now I give myself a monthly goal of how much I want to earn. Without the daily pressure I find myself hitting and even exceeding my goal. YMMV, but forcing yourself to find bugs isn’t going to be enjoyable in the long run.

Instead of daily goals, I use the “eat that frog” technique.

Eat a live frog first thing in the morning and nothing worse will happen to you the rest of the day. — Mark Twain

I get my work done in the morning, but I don’t push myself to find a vulnerability. With time I’ll find one, and I won’t be carrying 12 hours+ worth of stress when I report it. If you’re doing bug bounties full time, or planning to, try not to do them every single day. Giving yourself a normal weekend is completely fine and you deserve the time off.

Final Thoughts

My experience is going to be different from yours, and no two hunters are the same. Find what works well for you, but look after yourself at the same time. It’s okay to not find bugs. It’s okay not understand a certain technique. That’s just a part of the job. It’s not okay to overwork yourself and sacrifice your mental health for additional stressful. You will find a bug. There always will be bugs. You can absolutely do this. More importantly, you need to look after yourself, and I definitely do too.

NB: I’m not a writer. I’m just guy with a Macbook Pro that I bought with bug bounty money.

If this has been helpful, please share with others. Did I miss something? What are your thoughts? Please, let me know.

As always, I’m @NathOnSecurity on Twitter. Thanks for reading.