Got Computer Skills? Use Your Powers for Good — and Get Paid

Image: white hat hacker (photo by Dwayne Bent, under Creative Commons)

Computer hackers constantly find vulnerabilities in computer code, break into corporate systems and databases, and wreak havoc.

Your identity or account might even have been collateral damage in an attack, like Target’s fiasco that resulted in the theft of 40 million people’s credit and debit account numbers or LinkedIn’s password theft.

And these breaches cost companies an average of $3.8 million a year, according to a Ponemon Institute study reported by CNBC, up from $3.5 million last year.

To combat these attacks, many companies offer bounties to “white hat hackers,” who can uncover weaknesses and vulnerabilities before ill-intentioned hackers do. And this can be a very lucrative industry. Facebook once paid $33,500 to a hacker who found a single bug.

A minor bug can pay as little as $25, but some discoveries net five-figure checks, CNBC reports. Below are a few resources to help you use your computer skills to cash in as a bug bounty hunter.


BugCrowd is a platform that partners with more than 160 companies to help find their vulnerabilities. Check out this list of their current “bug bounty programs.”

It offers two types of work.

White Hat Hacker Side Jobs

If you don’t want a full-time job, work a side gig as a white hat hacker.

You’ll have to be good to make the big bucks. Typically, you register for a program and start searching for bugs. But you don’t get paid until you find them — and you generally have to be the first person to do so.

The program list outlines how much you can earn reporting bugs for various companies. You can make up to $1,500 reporting bugs on, up to $5,000 for Western Union, $2,500 for and up to $4,913 for bugs on Dropbox.

Tesla is another company on the BugCrowd list and you can earn up to $10,000 finding the company’s bugs. Bounties start at $25 for minor bugs, but it has a complete list outlining how much you can earn for reporting different types. SQL bugs, “command injection” and “vertical privilege escalation” command the highest bounties.

Tesla also pays for finding sensitive data exposure, security misconfiguration and a host of other items. Of course, you have to follow all the rules and responsible disclosure guidelines to get paid (and stay out of trouble).

These guidelines include providing enough information so the company can replicate the bug, not publicly disclosing information, not delving into private information and not being a destructive hacker.

Full-Time Careers

If you’re looking for a full-time gig, BugCrowd is hiring. As of this writing, the open positions include product designer, senior software engineer, sales engineer, senior application security engineer and customer success specialist.

Senior software engineers make up to $180,000, plus up to 2% equity in the company. If you have the skills, this could be a lucrative job for you.

HackerOne

HackerOne is another bug-finding site that works with top companies and researchers to disclose security issues before they become a problem.

HackerOne hackers have received $3.48 million in bounties for the more than 10,500 bugs they’ve discovered, CNBC reports.

To try your hand at working with this team, set up an account with the company, pick a program and get started.

HackerOne works with a variety of companies, including Dropbox, ownCloud, Coursera and many more. While they don’t list maximum bounties, they do list minimums, including $216 per bug from Dropbox.

Full-Time Jobs

You can also apply for a full-time job with the company. As of this writing, it’s hiring software engineers, product designers and others.

Facebook Bug Program

Facebook forks over big cash for people who discover their bugs. Reginaldo Silva earned $33,500 for discovering a single bug in Facebook’s software.

Since they started their bug bounty program, Facebook has paid more than $3 million in bounties. In 2014, it handed out $1.3 million to 321 researchers worldwide. The average 2014 reward was $1,788.

If you’re the first to find the bug (including bugs on other Facebook products and acquisitions, such as Instagram, Parse, Onavo, Oculus, Moves and OSQuery), you’ll be eligible for a minimum $500 reward.

To report vulnerabilities, you use Facebook’s form and provide enough information for the team to be able to reproduce the bug. You can’t interact with other accounts without the account owner’s consent and you must be the first person to share information about the bug. Facebook only awards one bounty per bug.

“There is no maximum reward: each bug is awarded a bounty based on its severity and creativity,” the website says.

To learn more about the rules and procedures for reporting bugs, check out their dedicated “white hat hacker” page.

Your Turn: Do you have the skills to make money as a white hat hacker?

Kristen Pope is a freelance writer and editor in Jackson Hole, Wyoming.