As the bug bounty market continues to grow and the adoption of bug bounties increases across industries, it has become more and more common for researchers to use their bug bounty experience to grow their careers. Bug bounties offer the opportunity for researchers to gain and exhibit real-world security experience.
Several successful bug bounty hunters have parlayed their experience into security jobs at major companies. To do this successfully, here are some pro-tips:
- Conduct yourself professionally and respectfully in your communication, in both bug submissions and online communication. Don’t publicly tweet complaints or flame attacks on a company.
- If the bounty program allows public disclosure of findings, request permission from the bounty program to post your major valid bug submissions on your personal blog. Sharing your successful techniques helps others learn and will build your reputation in the security community.
- If you find a bounty program that you like, stick with it and build a relationship with the program owner. Several bounty hunters have been hired by companies that noted the skills of researchers in their bounty program.
- Cite your bounty experience in your resume, with a focus on the high impact vulnerabilities you’ve found and the companies you’ve found them in (just don’t disclose a vendor name unless you’re allowed to!).
- Remember, the security industry is a small industry. Treat others with respect, create high-quality work, and network with other security researchers. Companies are often on the hunt for great talent, even contacting Bugcrowd directly for potential hire suggestions. A skilled researcher with a good reputation will have much success and many opportunities.
Network with fellow security researchers
The security community is global and very interconnected. Meeting fellow researchers and learning from one another is a great way to increase your skills, grow your professional network, and open yourself up to potential job opportunities. Here are some suggestions for where to meet security researchers: