Jacob Riggs is a security expert interested in helping organisations secure their systems. Surrounded by a disco of RGB lights and humming high-end hardware, he can usually be found cradled by his gaming chair, staring intensely at two 49” monitors as verbose command output flies across them. But fear not: he’s a hacker, and he’s one of the good guys.
In the realm of hacking, Riggs is also referred to as a bug bounty hunter, a term that describes a certain breed of well-intentioned hackers who seek to identify and responsibly disclose weaknesses in software and systems developed and owned by some of the world’s greatest technology corporations, before those weaknesses can be exploited by the bad guys. They don’t always do this for free, of course, and many businesses volunteer to pay (sometimes very handsomely) for submissions that help them harden the code and configurations that are critical to their business operations. With appetising rewards, a low barrier to entry, and a large number of vulnerabilities surfacing every day, bug bounty hunting is becoming more and more popular.
Riggs himself does not hold a university degree in computer science or programming. After one of his peers began tweeting about the bounties he was receiving as a bug hunter, Riggs turned to the internet for insight, reading blogs and books from other security researchers and watching educational guides on the subject nonstop to learn the profession. In fact, he says that his first prize was little more than a “£75 bug from a random organisation.” Nonetheless, the thrill of the chase had him hooked, and in 2017 he turned his hunting hobby into a part-time profession.
His friends were initially perplexed, but after he described his work and the rewards began to pour in, they recognised that this was a legitimate money-making opportunity, and one that serves an important purpose. “You are also assisting vulnerable organisations, but also sometimes their customers and the wider community,” Riggs says.
Over the last four years he has identified security flaws in the systems of more than 200 organisations, including Google, Microsoft, PayPal, Yahoo, IBM, and Twitch. Earlier this year, he received his greatest payoff to date, a tidy £25,000 (from a company he declines to name). “I was surprised, but I guess I got lucky,” he said. To mark the occasion, the 30-year-old did what you might expect: he travelled and treated himself to a new hacker toy, in this case a few upgraded components for his PC.
However, the bug for which he is best known, the one that in many ways established him as a serious bug hunter, didn’t earn him a single penny. In the summer of 2021, he discovered a critical vulnerability in a system belonging to the UK Ministry of Defence that could have allowed attackers to gain access to highly classified data. He reported the vulnerability to the MoD, which recognised his discovery by sending him a hacker coin in the post, but because the MoD ran no bug bounty programme he was not eligible for a financial reward.
That episode of non-payment was unfortunate, and it was not a unique incident. Other organisations have offered him everything from merchandise to exclusive invites and tours in lieu of monetary compensation. And while Riggs says he appreciates the professional courtesy of receiving a shirt from the Dutch government, which reads “I hacked the Dutch government and all I got was this lousy t-shirt,” he admits that he sees it only as a novelty.
His earnings are sufficient for him, he says. He estimates that, in addition to his regular full-time salary, he currently earns around £35,000 per year from bounty rewards, which is roughly the average salary for a junior position in his industry.
For many bug hunters, this is the way things work: pay fluctuates widely, and those who work in the field full-time are frequently forced to live on earnings that are not always sustainable. However, this may be beginning to change. Companies such as Bugcrowd and HackerOne (both of which Riggs has worked with) are making things easier for the bug-hunting community by creating schemes that allow hunters to earn more money more regularly, while also connecting them with companies that are prepared to pay.
Riggs says he appreciates the impact his work has in whatever form it takes. While he prefers to maintain full-time employment at present, he may consider other leads in the bug hunting space if opportunities present themselves.