The bounty hunters of today aren’t roaming the Wild West with a rifle and a pair of handcuffs — rather, they’re denizens of the online world, hunting for bugs. And boy, are they getting paid.
In a recently released report from Twitter, the social media company revealed that over the last two years, bug bounty hunters have been paid over $300,000 in rewards for finding “threats and attacks against [Twitter’s] users and systems.” After all, keeping a vast internet company up and running and safe from malicious parties is a collaborative, and sometimes for-hire, effort.
As Twitter admitted Friday, the Silicon Valley firm has another line of defense that works alongside its “dedicated account-, network-, enterprise-, corporate-, and application-security teams.” Thanks to its bug bounty program, Twitter has tapped into a vast network of security researchers who help alert the firm to any vulnerabilities they find so that the company can fix them before others can exploit them.
The program has been a critical component of Twitter’s defenses since May 2014, and the company calls it “an invaluable resource for finding and fixing security vulnerabilities ranging from the mundane to severe.”
Over the last 24 months, Twitter has received 5,171 submissions from 1,662 researchers, and the company has paid a total of $322,420 to researchers. The average payout is a not-so-shabby $835, and the highest payout to date has been an impressive $12,040. Why the odd amounts? Because it’s Twitter, and everything is in a multiple of $140 (yes, that means that its minimum payment is also $140).
In fact, so lucrative is Twitter’s bug bounty program that you could practically make a living off of reporting vulnerabilities alone. In 2015, the company says, a single researcher made over $54,000 — that either speaks to the researcher’s prowess … or the multiplicity of Twitter’s security issues.
And if you’re really looking for a big payout, try to find a remote code execution vulnerability — Twitter pays $15,000 a pop for one of those. But they’ve yet to receive such a report.
“We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond,” the company concludes. And of course, if you want to turn your bug bounty hunting skills into a real job, Twitter also notes that it’s hiring on its security team.