CNBC Disruptor 50

The new bounty hunters chasing the Internet's 'most wanted'

If you want to make money as a bounty hunter today, head to the Wild West of the Internet.

Start-up cybersecurity companies are catching criminals before they act, by hiring "white hat" hackers—the good guys—to run bug bounty programs and find vulnerabilities in client networks.

According to a study released by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, the total average cost of a data breach for companies around the world has increased to $3.8 million, up from $3.5 million a year ago. Since hackers can adapt much more quickly than algorithms can be created, individuals well trained in cybersecurity may now be considered a less expensive solution to stopping the latest type of online security threats.

In short, the online bounty-hunting game can be very lucrative.

Making money getting rid of bugs


Bugcrowd, founded in 2012, manages more than 160 bounty programs for companies, including Western Union, Pinterest and Tesla Motors. Bugcrowd "white hats" can receive an award based on the severity of the discovery they make.

In Tesla's case, rewards per bug found are on the lower end of the spectrum, ranging from $25 to $1,000. Google and Facebook, on the other hand, have given out bounties per bug of $22,000 and $33,500, respectively.

The corporate client specifies the extent of a bug bounty program—whether it is reviewing the front-facing website, as in the case of Western Union, Pinterest and Tesla—or going deeper into a company's network, such as with Google and Facebook.

HackerOne, which runs the Yahoo and Twitter bug bounty programs, also pairs researchers with companies through its platform. It charges companies 20 percent of the bounties awarded to researchers. To date, approximately 1,600 researchers on HackerOne's platform have received about $3.48 million in payouts, based on finding 10,557 bugs.


Behrouz Sadeghipour has discovered almost 180 bugs during his time as a researcher at Bugcrowd and through other programs. This form of bounty hunting provides a way for him to earn lucrative payouts from major companies, including Yahoo and PayPal.

Sadeghipour found a cross-site scripting (XSS) flaw in both companies' systems, a major vulnerability that would allow a hacker to inject malicious script to obtain information stored in the user's browser.

"Two or three years ago it was difficult for me to find a job in a bug bounty program," said Sadeghipour. "You either had to be hired by a company directly or work for a consulting firm. Now I can research vulnerabilities legally and have a safety net if I decide to hack programs on my own."

Bugcrowd's "white-hat" universe now includes 18,600 researchers who, on average, discover 10 to 12 issues per day that a company may face. Bugcrowd's researchers submit vulnerabilities they find to a secure platform called Crowdcontrol.

Researchers report glitches to Bugcrowd rather than to the company whose network is being tested by the bug bounty program, to make it more manageable for large corporations—many of the findings submitted may be illegitimate or duplicates. Companies can use Bugcrowd's subscription model to have their network tested by researchers for a specific amount of time, depending on their cybersecurity needs.


Synack, founded in 2013 by two former National Security Agency members, has taken a stricter approach in the bug bounty profit model. It employs an elite group of researchers called the "red team," which operates on a bounty basis to find cybersecurity threats. Yet unlike HackerOne and Bugcrowd, it is not open to anyone who creates a profile.

Synack has a strict vetting process for its red team members—only 10 percent of those who apply get accepted. Meanwhile, its red team numbers in the hundreds across six continents.

Anshuman Bhartiya, a full-time principal security engineer for the technology company EMC and a member of Synack's red team, went through a three-step evaluation process that started with a comprehensive interview. He then had to pass both a written exam and a practical test, where he hacked into an application to find its vulnerabilities. It ended with an extensive background check. Bhartiya now spends a few hours a week as a red team member when not at EMC.

"The bug bounty program has helped me improve my skill set in my full-time job," said Bhartiya, who has discovered five different issues for Synack for which he received payouts ranging from $2,000 to $5,000.

Man vs. machine vs. hacker

Redwood City, California-based Synack, a 2015 CNBC Disruptor, has raised a total of $34 million to date since its launch, from investors that include Google Ventures, Kleiner Perkins Caufield & Byers, and Greylock Partners.

Synack's vice president of strategy and business operations, Gus Anagnos, was poached from PayPal, where he was responsible for developing and leading PayPal's bug bounty program. Anagnos started the program after recognizing the inherent problems that arise when customized software is not able to catch the work of skilled hackers who use homegrown code.

He described PayPal's original security program as having "limited efficacy," fulfilling just the basic ability to meet compliance requirements.

Anagnos said one of the key reasons he was lured by the bug bounty model is the opportunity to prove how important human intelligence remains even as the business world becomes more automated.

"It was the value of putting the human element on top of all the other tools that we were using that brought the bar much higher than it was previously at PayPal," Anagnos said.

That value can also be measured in the new income sources for the bug bounty hunters.

"There was one report that came through the other day that allowed a researcher to look at the profile of someone on social media which was not publicly accessible. How would you fix a problem like that with automation?" said Jonathan Cran, Bugcrowd vice president.

By Krysia Lenzo, special to