[na85]

6 figures from breaking systems and reporting them responsibly?

Sounds amazing, what's the catch?

[tptacek]

There's no catch. You want a job as a pentester. That job is in high demand.

[kasey_junk]

Frankly low 6 figures sounds low for a software job. How do you attract talent at that level?

[tptacek]

The median bounty hunter isn't an SFBA software developer.

[kasey_junk]

Is it international arbitrage? Or something else cause low 6 figures is now the going rate all over the states.

*not trying to be argumentative just trying to price the market.

[tptacek]

It's a combination of the lower value of the median bug bounty submission (we hear about the high-ticket vulnerabilities, but most of them are pretty low-test) and the fact that huge numbers of bounty participants are abroad. I know there are people who claim to make high-6's and even low-7's from bounties, but they're very rare. I think most people who participate in bounties would be best off financially by using them to build a portfolio they can exploit to pivot into consulting or full-time work of some other sort.