I've got to respect the transparency and spirit of this post. Major props. What I really love is seeing all the partnerships that have gone into some of his work over the years. Didn't realize how mammoth of a task some of these reports must have been that were only made possible via collaboration.
A friend of mine looked at the feasibility of getting into bug bounty as a professional career. He mentioned that if you're not specialized on a specific attack, you have no chance.
I think it's quite refreshing to see that Shubham Shah is a strong counter example.
Is he really a strong counter example? If you actually count the bounties he got this year so far, it's less than $50,000. I think he could easily earn more working as some kind of security engineer (with way less flexibility though).
Automation of niche bug classes is the name of the game for high earners. Or you're the 0.01% and find new vulnerabilities in services that will pay big bucks for them. For example account takeovers in Google, FB and the like or remote code execution in high profile software have payouts that are a minimum of five figures.
drsh0 | 5 years ago
mellosouls | 5 years ago
From the other side (bounty program manager - this was linked to in another article on the assetnote blog):
https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...
melvinroest | 5 years ago
Hitton | 5 years ago
doopy1 | 5 years ago
agustif | 5 years ago
pakwa | 5 years ago
Do you see much demand on the mobile security side, either as a specialist or focussing on mobile bounties?
GregoryVPerry | 5 years ago
[deleted]