Bounty hunters in the law enforcement field are often thought of as long-haired, wild men who will do whatever it takes to track down the person who has run afoul of the law. Bug bounty hunters perhaps have the same passion for tracking down code-based flaws, but you would be hard pressed to pick them out of a lineup.

Instead of tracking down perpetrators, bug bounty hunters are tracking down any vulnerabilities in companies’ sites.

With headlines about hackers finding vulnerabilities oh so familiar, bug bounty hunters have become a necessity. Just last month Google paid out $75,000 in bug bounties to fix 159 flaws in Chrome. Even Microsoft added a bug bounty program in September, offering to pay a minimum of $500 for bugs found.

While money is a nice incentive (and the bug bounty hunters won’t turn any of it down), they are happy with a pat on the back and some recognition for their work. It’s a way to work legally on a site without fear of being served with a lawsuit.

“It’s not often that you get to hack into live websites without the threat of the law,” said Jonathan Singer, a security engineer in the security consulting business. “I already try to contact companies if it is safe to do so. Responsible disclosure is the best policy, but more places needed to embrace it.”

A bug bounty hunter who gave only his handle, Bitquark, said he enjoys taking advantage of routes through a system which the designer may not have intended or planned for.

“Spending hours picking away at something before finally landing a bug is enormously gratifying.”

The staff information security engineer at Tesla Motors found success in the bug bounty world when he found an SQL injection flaw in Facebook. This find netted him a $15,000 reward.
The flaw led to remote code execution in the Oculus developer portal.

The engineer, in his 30s, said he might pick at a project from time to time, but there are others that are timed that might require a more concerted effort.

Singer has been a bug bounty hunter for just over a year.

“It is still a hobby for me, kind of like a weekend warrior gig,” he said. “My 9-to-5 is already spent with compliance and policy, so this is kind of a way to unwind, see what challenges exist and maybe get some swag or cash.”

On a site like Bugcrowd, you can find a list of the open bug bounties along with a rundown of some of the contributors. Companies shown on Bugcrowd include EMC, Google, IBM, Microsoft and Yahoo. Each lays out in minute detail what is open to scrutiny on its sites and what rewards are available. For example, Google lists a $20,000 reward for anyone who can find remote code execution on its accounts.google.com.

Sebastian Neef, Tim Philipp Schäfers and Julien Ahrens collected a five-figure reward for finding a path traversal vulnerability on PayPal’s main domain. In doing so, they were able to download any file from the server.

Neef and Schäfers founded Internetwach.org in 2012, with Ahrens joining them a year later. When asked if they juggled a family while going to college or holding down a job along with being a bug bounty hunter, they said they are not married “but sometimes a girlfriend makes life more time consuming and we all know family/girlfriend is more important than bug hunting.”

Neef (21) studies computer science at the technical university in Berlin, while Schäfers (19) also studies economy and computer science at Bielefeld. Ahrens is the old man of the group at the age of 29 and works at secunet Security Networks AG.
They got into the bug bounty profession as a side job when they started hearing about the hacker group Anonymous.

“Naturally the media tried to defame all kind of hackers as criminals. It was clear that small mistakes can lead to big data leaks,” they said.

The threesome advise anyone who wants to get into the business to be prepared to think outside of the box and be creative in their approach. They gave the following list of attributes a bug bounty hunter should have:

Creative: Try to find new ways to bypass/combine/exploit specific situations, to think of new attack-vectors.

Thinking like a developer: The person has to empathize with the developer who wrote the application. Only that way you'll be able to think about edge-cases or understand the application's work/data-flow.

Thinking like a bad boy: Try to push the limit. Don't stop before you're root on the target machine.

Polite/calm: It's not always easy to explain a complex security issue to a developer. A very important key to success is the possibility to communicate your thoughts properly, as you want the developer to fix your security findings.

Realistic: Always consider the real impact and the resulting risk for the business.

Responsible: Discovering a critical bug usually puts a huge burden on your shoulders. Act accordingly.

“Having a look at the security community, we can tell that there are a lot of top-notch bug hunters who fulfill nearly all of the above points. On the other hand, there are ‘unskilled’ or new bug hunters who try to make some quick bucks by using one-click-tools and sometimes go as far as threatening the business owners. We refuse to call these people ‘bug hunters’,” they said.

They enjoy bug bounty hunting because it gives them the freedom to break things whenever they want.
“By submitting useful reports the chances are good that more and more companies will get the idea about responsible disclosure,” they said in calling bug bounty hunting the ultimate in crowdsourcing.

The common mistakes that these bug bounty hunters find usually involve basic configuration mistakes or missing best practice issues. When going for more severe bugs, standards like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are not uncommon.

Most development frameworks take care of basic XSS and CSRF issues. They have noticed a decrease in SQL Injection bugs and that can be underpinned by ORMs and prepared statements which do a good job preventing SQL profile websites and/or tools.

“Security is about practice. Try and try again, and keep trying, and keep learning new things,” Singer added. “I see some researchers jump in headfirst and try to hack everything in sight. Best of luck to them, but in reality it is not that simple.”

The bug bounty hunters cautioned against going it alone to find vulnerabilities before getting approval from the site owner. Sites like Bugcrowd can help set up the legal documentation to protect the bounty hunters.