How bug hunters survive: the daily struggle for income

Original author: Erin Winick

In principle, you can make a career as a freelance bug hunter - if you are not too demanding




Evan Ricafort works from home; his office occupies one room of a house beside a highway in the Philippines, where he lives with his family. The 22-year-old computer scientist's parents work in the family-owned grocery store located in the southern city of Ipil, while he spends up to 75 hours a week shut away, working at his computer. And here, amid the cacophony of motorcycles, barking dogs and crying children, he may be busy protecting your personal data.

Ricafort is a bug hunter, one of a particular kind of benevolent hacker who look for security vulnerabilities in software created by the world's largest tech companies, trying to get ahead of the malicious hackers who could exploit them. They do not do it for free, naturally: many companies pay (sometimes decently) for contributions that help them fix the code on which their business depends. There are now enough such offers for bug hunting to become one of the emerging professions.

Ricafort has no computer science or programming education. After one of his friends began talking about the rewards he earned by finding bugs, Ricafort went online and began reading security researchers' blogs and tirelessly watching educational videos on the topic. He says that his first award was "$50 for a mistake from some random office." But the excitement of the hunt took hold of him, and in 2014 bug hunting became his main source of income.

At first, his friends and family did not understand him, but after some explanations and a steady flow of rewards they realized that this was a very real choice of profession, and one with a definite purpose. “I help not only the company, but the whole community. Users and people using this company,” says Ricafort.

Over the past four years, he has discovered vulnerabilities in the code of more than 200 companies, including Apple, Google, Microsoft, PayPal, Yahoo, IBM and Twitch. Last year, he received his largest reward to date: as much as $5,000 from a company he cannot name. “It changed my life. Words cannot describe what I felt then,” he said. He celebrated the way any 21-year-old would: he traveled a bit and bought himself a new toy, a BMX bicycle.



But the bug that brought him fame, and put him on a par with other serious bug hunters, earned him nothing. In 2014, he found a bug in Google Nest that allowed an attacker to access the personal and financial information of Nest users, including names, bank card information, and document scans. The find earned him a place in the hall of fame of Google's bug bounty program, but the company reported that since the problem lay in software from a third-party company, no reward was due for it (he has, however, received money from Google for other vulnerabilities).



Unfortunately, this was not the only time he went unpaid. Other companies have offered him all sorts of things instead of money, from material gifts to a tour of the Capitol. And although Ricafort says he likes the T-shirt he received from the government of the Netherlands, which reads “I hacked into the Netherlands government, and got just this stupid T-shirt,” it does not help him make ends meet.

Nevertheless, he says that he has enough money to live on: in an average month he earns about 10,000 Philippine pesos (about $187), which is equal to the average salary in his country, and in a good month he can bring in from 20,000 to 30,000 ($374 - $561).

This is the case for many bug hunters: large fluctuations in payments, and an income that would be insufficient in a rich Western country. But this situation will probably change. Companies such as Bugcrowd and HackerOne (Ricafort has worked with both) make life easier for the bug-hunting community by offering a means by which hunters can earn more regularly and connect with companies that are ready to pay up.

In any case, Ricafort says he likes the way his work is changing the world. Although he would consider an offer of a full-time job in security, he believes that he can achieve the greatest results the way he works now: fighting vulnerabilities from the shadows. As he himself says: "I prefer the rewards for the errors found."
