1(630)802-8605 Ravi.das@bn-inc.net

For those of us who are still job searching, like me, the world of freelancing is a great way to make a secondary income, or even a full-time income if you have a steady client base.  This is where the world of Cyber security is turning these days.

Yes, there are plenty of great, very well-paying jobs in the field, but now there is an even greater trend towards freelancing.  In fact, if you play your cards right, there is a ton of money to be made in this area of Cyber security.

This is especially true in the world of Penetration Testing and hacking.  Now, when I say hacking, I mean the kind that is ethical and professional.  This is when a business or a corporation hires a professionally trained individual or team to purposely break into its systems to find any weaknesses or vulnerabilities.

These kinds of hackers are known as “White Hat Hackers”, and very often, one kind of cert that they will go after is the “Certified Ethical Hacker”.  Of course, the name says it all.  In this regard, just about every tech company is offering lucrative payouts to these kinds of folks who will find any vulnerabilities or weaknesses in their IT systems.

Most of this kind of work is done primarily on a contractual basis, as the hacker does of course have to abide by the organization’s rules and policies.  In today’s headlines, Microsoft has just announced some pretty nice payouts for its “Bug Bounty Program”.

The financial rewards in this case range from $500 all the way to $100,000, depending upon the platform on which the bugs are found.  Here are the details of what Microsoft is interested in having tested (in terms of platforms):

  • Microsoft and Azure Active Directory accounts;
  • OpenID or OAuth 2.0 standards;
  • Microsoft Authenticator applications for iOS and Android.

With regards to domains and subdomains, the following are also in scope for testing:

  • windows.net;
  • microsoftonline.com;
  • live.com;
  • windowsazure.com;
  • activedirectory.windowsazure.com;
  • credential.activedirectory.windowsazure.com;
  • office.com.

With regards to the financial details on the payouts, the top reward can be earned for describing ways to bypass multi-factor authentication, or for finding design-level vulnerabilities in the authentication standards used by Microsoft.  Flaws discovered in the OpenID and OAuth implementations can earn hackers up to $75,000.

In terms of other hacking payouts, here is the list:

  • Cross Site Scripting (XSS): $10,000;
  • Authorization issues: $8,000;
  • Sensitive data exposure: $5,000;
  • Execution side-channel program: $250,000;
  • Hyper-V program: $250,000;
  • Mitigation bypass: $100,000;
  • Mitigation bypass techniques: $100,000.

But keep in mind that it is not simply submitting evidence of a hack that brings in these rewards.  Microsoft also wants a return on its investment, so it requires that a detailed report be submitted describing every minute detail of the hacking attempt:  “A high-quality report provides the information necessary for an engineer to quickly reproduce, understand, and fix the issue. This typically includes a concise write up containing any required background information, a description of the bug, and a proof of concept.”  (SOURCE:  https://www.securityweek.com/microsoft-offers-100000-new-identity-bug-bounty-program).

In a way, it makes sense for Microsoft to contract out this kind of work; after all, it saves a lot of money compared to hiring direct, full-time employees.  Honestly, I have even explored the possibility of getting into this kind of work myself, but I would have to go through some years of heavy technical training in order to make this kind of $$$.  I’m just better off writing about it.

But for those of you who do have this kind of skillset, this is another great way to have a side hustle, or even make it a full-time career.  Heck, even one win will equal one year’s worth of salary in a regular job.  But keep in mind that there is a lot of competition here.  Sure, anybody can submit something, but Microsoft will be very critical and careful as to whom it awards the money to.

My opinion is to start small.  There are many other, smaller tech companies that offer these kinds of Bug Bounty Programs.  They may not pay as much, but they are a great way to further complement your skillset and build up your resume.  Speaking of which, here is the link for more details on Microsoft’s program:

https://www.microsoft.com/en-us/msrc/bounty-microsoft-identity?rtc=1