GCU graduate turns freelance bug bounty hunter

Tamar Everson

Over the summer, students usually support themselves with a little part-time work – anything from pulling pints behind a bar to stacking shelves in a supermarket.

But one Glasgow Caledonian University (GCU) graduate is looking to turn bounty hunter to bring in the cash during the holidays.

Tamar Everson has just graduated from the BEng Digital Security, Forensics and Ethical Hacking programme, and will spend the next couple of months using the skills he has developed at GCU to operate as a freelance bug bounty hunter − a hacker who is paid to find vulnerabilities in software and websites.

“Bug-bounty rewards range from a t-shirt to thousands of pounds,” says Tamar. “So far, I have only submitted a couple of bounties. One of them gave me $100, and the other gave me free postage on an order I was making with the website. How much you earn is down to chance. You may spend a week searching to find nothing, or a couple of hours to find a bug worth thousands. When you’re taking on a bounty, you need to consider the time/reward ratio. Looking for complex bugs can take a long time, for example, and the reward may not always be worth it.”

 “I learned about penetration testing, as it’s more formally known, through my course at GCU,” says Tamar. “I discovered, and signed up to, the bug bounty website Bugcrowd, and just started trying to find bugs. Sometimes, though, I am just browsing the internet and notice something that doesn’t look right, so pole around a little and realise it’s a security vulnerability. I then contact the relevant person to report it.

“The way bug bounties work is that a company puts out an advertisement saying: ‘Please try to hack us, we will pay you.’ Anyone can take up the offer, but they only pay for genuine unreported bugs that are found, so you need to know what you’re doing. Everything has to be done ethically and in line with the Computer Misuse Act 1990.

“One of the most common issues found is cross-site scripting. This is a vulnerability that could allow a hacker to insert code into a website which lets them upload malicious software or steal usernames and passwords.”

“While I was researching my honours project, I discovered there is a critical shortage of cyber-security experts in the world. According to the Scottish Qualifications Authority, there is a shortage of 2 million experts worldwide. In the UK, we are one of the better prepared countries in terms of the talent we have, but there is still a critical shortage. We need more people to study the brilliant programmes, such as those taught at GCU.”