One of the biggest benefits of being an ethical hacker is the ability to work independently. Many companies need one-time assessments or need them only infrequently, such as annually or semi-annually. Platforms like Bugcrowd, for example, let you sign up as an independent researcher and make money finding security bugs without a job interview or even a phone call. Here I go over some of the best places to make money as a hacker outside of a regular 9-5 job.
Bug Bounty Platforms
The first place you can begin working as a freelance hacker is an established bug bounty program. Bug bounties are programs where companies give you permission to hack into their systems and report the security vulnerabilities that you find. Some platforms help companies create and monitor these programs; notable examples include Bugcrowd and HackerOne. If you join these platforms as a security researcher, you will have access to several different bug bounty programs, both paid and unpaid. The advantage of going through one of these platforms is that you don’t have to spend time finding potential clients; you can just start hacking. The downside is that the level of competition can be high: there are many security researchers on these platforms, so it can be hard to find a useful security bug before anyone else can report it.
In addition to joining these larger platforms, you can also target clients individually for bug bounty programs. Top companies like Intel, Yahoo, Snapchat, Dropbox and Google all have bug bounty programs. If you want to be strategic, you can target smaller companies that may not have as many people going after them, so that it’s easier to start generating money, and then move up to the larger companies as your skills grow. You can also target companies whose platforms are more in line with your specialty, so that the work is more familiar and it’s easier for you to be effective. Here is a list of the top 30 bug bounty programs in 2021; you can start here, but there are plenty more out there.
Private Bug Bounty Programs
The end goal of an ethical hacker should be to get invites to private bug bounty programs. The reason is that public bug bounty programs have often already gone through private security testing, and other people have looked at the same application or company several times before you. This means that any of the obvious security vulnerabilities have already been reported and someone has gotten paid. In a private bug bounty program, you get a first look at the product, so there is much more potential to find security bugs. Private programs are usually invite-only, so to get invited you’re going to need to build a portfolio and establish yourself as a quality security researcher. Alternatively, you can look for opportunities to apply to be part of private programs.
Doing Volunteer Work
Another good way to get exposure and experience is to do volunteer work. Some companies offer unpaid bug bounty programs; if you’re a beginning hacker, it may be a good idea to do these programs to build up your portfolio, especially if it’s for some type of charity that may not have a large sum of money to pay for quality security testing. These can generate leads for full-time work or leads to other companies that may be willing to pay you to do security work for them. Also, some people go out of their way to report security issues that they find in products they use directly to the company and ask whether the company would like their help in resolving the issue. Now, it’s 100% illegal to hack into someone’s systems without permission, so I wouldn’t recommend doing so. But if through your experience you can identify a security risk to a company’s website or application without having to hack into it, companies are usually very thankful for that information, and that can be the beginning of a good relationship between you and the company.
Being able to make money freelancing is one of the best benefits of being an ethical hacker. It’s a job that can be done 100% remotely and without a strict 9-5 schedule. Even if you choose to have a 9-5 job, being able to supplement it with money that you make on your own time is very valuable. For someone new to freelancing, I think the ultimate goal is to build a strong portfolio so that you can have inbound marketing, which means companies coming to you offering you work rather than you having to go out and find clients. However, at the beginning of your career this probably isn’t practical, so I would suggest starting with smaller companies, maybe non-profit companies at first. Then move up to bigger and more competitive bug bounty programs as your skill improves.