Financial

Bug bounty income is real income. The IRS doesn't care that it came from a bug bounty platform instead of an employer. I've seen people get surprised by this the hard way, so let's just get it out of the way early.

It's Income. Report It.

In the US, bounty payments are taxable as self-employment income. That means:

  • Federal income tax at your marginal rate
  • Self-employment tax: 15.3% (12.4% Social Security plus 2.9% Medicare) on your net self-employment earnings, with the Social Security portion capped at the annual wage base (about $168,600 for 2024; it adjusts every year). The Medicare portion keeps going above the cap. This covers both the employee and employer halves that a W-2 job would split with you.
  • State income tax if your state has it

The number that shocks people: if you're in the 22% federal bracket and paying self-employment tax, you're looking at roughly 37% of your gross bounty income going to taxes. Plan for it. Set aside 35-40% of every payment in a separate account. Do not touch it. Treat it like it was never yours.

If you're making meaningful bounty income, get a CPA who understands self-employment or freelance income. Not a family friend who does W-2 returns. A real one. The cost of a good accountant is trivial compared to the cost of doing this wrong.

Quarterly Estimated Taxes (US)

Once you're earning bounty income with no employer withholding, you'll need to pay quarterly estimated taxes (Form 1040-ES). The due dates are April 15, June 15, September 15, and January 15 of the following year, pushed to the next business day when they land on a weekend or holiday. Miss them and you owe an underpayment penalty on top of the tax.

The IRS safe harbor rule: pay in, through withholding and estimates combined, either 100% of last year's total tax (110% if your prior-year adjusted gross income was over $150,000) or 90% of this year's, and you won't owe underpayment penalties. The prior-year figure is the easy one to hit because you know it in advance. When in doubt, overpay and get a refund.

Other Jurisdictions, Briefly

I'm not a tax professional anywhere, but here's the pattern: almost everywhere with an income tax treats bounty payments as taxable. The UK treats it as miscellaneous income or potentially trading income if you're doing it seriously. Canada treats it as business income. Australia is similar.

The consistent advice regardless of country: don't assume it's untaxed because it comes from a US company or a platform based elsewhere. Find a local accountant or tax advisor who can give you jurisdiction-specific guidance. The platforms will often issue 1099s (US) or equivalent forms anyway, so there's a paper trail whether you account for it or not.

Payment Methods by Platform

Not all payment methods are equal. Here's what actually works:

PayPal. Most common on HackerOne and Bugcrowd. Works fine for small amounts. For large payouts, PayPal has a history of holding funds or requiring verification at the worst times. Keep your account in good standing and verify your identity proactively, not when you're waiting on a $10k payment.

Wire transfer. Available on most major platforms for larger payouts. Slower (3-5 business days), but it goes directly into your bank. No middleman that can hold your money, though your bank may charge an incoming wire fee and international wires can lose a bit to intermediary banks. Preferred for anything over $1,000 if you have the option. Know your bank's incoming wire details (routing/SWIFT, account number, exact name on the account) and test it once with a small amount before you need it for something big.

Crypto. Some programs and platforms offer this. It solves the international transfer problem well. It creates its own tax accounting problem, because in the US (and many other countries) receiving crypto as income means you record the USD value at receipt as ordinary income, that value becomes your cost basis, and any later sale, trade, or spend is a capital gains event measured against that basis. If you receive crypto, log the date, amount, and USD value immediately. Don't let this pile up.

Check. Still offered by some programs, especially older corporate programs running their own BBPs. Checks are slow and annoying. Accept them if it's your only option, but advocate for wire if you're dealing with a program regularly.

Platform credits / swag. Not income in the tax sense. Also not rent money. Nice for CTFs, not a business model.

Income Tracking: Do It from Day One

The discipline that separates people who have a sustainable bounty practice from people who scramble at tax time: track everything as it happens.

What to record for every payment:

  • Date received
  • Platform
  • Program name
  • Report ID or brief description
  • Gross amount paid
  • Payment method
  • Tax withheld (some international programs withhold)

A spreadsheet works fine. There are no special tools required. What matters is doing it consistently.

Why you need this beyond taxes:

  • You'll want to know which platforms and programs are actually paying you. The answer is often surprising.
  • When you're deciding whether to go deeper on a target or move on, historical income data tells you things your memory doesn't.
  • If you ever apply for a mortgage or business loan, you need income documentation. Bug bounty income is real income but it takes more paperwork to prove.

See a sample tracking structure in Tooling.
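If you keep the ledger as a CSV with the columns above, a few lines of Python can produce the views this section and the crypto paragraph describe: gross and set-aside per tax year, totals per platform or program, and cost-basis lots for bounties paid in crypto. This is an added example, not the page's Tooling template or any platform's export format; the CSV rows, platform and program names, and the 37.5% set-aside rate are constructed for illustration.

```python
"""Minimal bounty income ledger (added example, not the page's own tooling).

Reads a CSV with the fields the section recommends, plus two optional crypto
columns, and produces per-year, per-source and crypto cost-basis views.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

CENT = Decimal("0.01")
SET_ASIDE_RATE = Decimal("0.375")  # middle of the 35-40% the text recommends

# Constructed sample ledger: platforms, programs, report IDs and amounts are made up.
SAMPLE_CSV = """\
date,platform,program,report,gross_usd,method,withheld_usd,crypto_amount,crypto_asset
2024-01-18,HackerOne,ExampleCorp,#1001 IDOR in invoices,1500.00,paypal,0,,
2024-03-02,Bugcrowd,ExampleBank,#2231 auth bypass,4000.00,wire,0,,
2024-03-30,Direct,ExampleChain,#17 reentrancy,2500.00,crypto,0,1.25,ETH
2024-06-11,HackerOne,ExampleCorp,#1088 SSRF,800.00,paypal,120.00,,
2025-01-09,Bugcrowd,ExampleBank,#2402 XSS,600.00,wire,0,,
"""


def parse_ledger(text):
    """Parse the CSV into typed rows. Money is Decimal, never float."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(raw["date"]),
            "platform": raw["platform"],
            "program": raw["program"],
            "report": raw["report"],
            "gross_usd": Decimal(raw["gross_usd"]),
            "method": raw["method"],
            "withheld_usd": Decimal(raw["withheld_usd"] or "0"),
            "crypto_amount": Decimal(raw["crypto_amount"]) if raw["crypto_amount"] else None,
            "crypto_asset": raw["crypto_asset"] or None,
        })
    return rows


def summarize_by_year(rows, set_aside_rate=SET_ASIDE_RATE):
    """Gross income, tax already withheld, and cash to set aside, per tax year."""
    years = defaultdict(lambda: {"gross": Decimal(0), "withheld": Decimal(0)})
    for r in rows:
        y = years[r["date"].year]
        y["gross"] += r["gross_usd"]
        y["withheld"] += r["withheld_usd"]
    for y in years.values():
        # Withholding is tax already paid, so it reduces what you must park yourself.
        y["set_aside"] = (y["gross"] * set_aside_rate - y["withheld"]).quantize(CENT)
    return dict(years)


def totals_by(rows, key):
    """Gross paid per platform or per program: which sources actually pay you."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[r[key]] += r["gross_usd"]
    return dict(totals)


def crypto_lots(rows):
    """One cost-basis lot per crypto bounty: the USD value at receipt is the basis."""
    lots = []
    for r in rows:
        if r["crypto_asset"] is None:
            continue
        lots.append({
            "received": r["date"],
            "asset": r["crypto_asset"],
            "amount": r["crypto_amount"],
            "basis_usd": r["gross_usd"],
            "basis_per_unit": (r["gross_usd"] / r["crypto_amount"]).quantize(CENT),
        })
    return lots


def crypto_gain(lot, sale_usd, sale_date):
    """Capital gain or loss when a whole lot is later sold, plus the holding period.

    US long-term treatment needs more than one year of holding; 365 days is used
    here as an approximation of that cutoff.
    """
    held_days = (sale_date - lot["received"]).days
    return {
        "gain_usd": (Decimal(sale_usd) - lot["basis_usd"]).quantize(CENT),
        "held_days": held_days,
        "long_term": held_days > 365,
    }


if __name__ == "__main__":
    rows = parse_ledger(SAMPLE_CSV)
    for year, s in sorted(summarize_by_year(rows).items()):
        print(year, "gross", s["gross"], "withheld", s["withheld"], "set aside", s["set_aside"])
    print("by platform:", totals_by(rows, "platform"))
    for lot in crypto_lots(rows):
        print(lot["asset"], lot["amount"], "basis", lot["basis_usd"],
              "per unit", lot["basis_per_unit"])
```

The two design choices worth copying into a spreadsheet version: keep money in exact decimal (or cents as integers), and treat withheld tax as already-paid tax that lowers the amount you need to set aside, not as a deduction from income.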

Business Expenses

If you're treating this seriously, some expenses are deductible against your self-employment income:

  • VPS and cloud infrastructure for testing
  • Security tools and software subscriptions
  • Conference attendance (if you're there for professional development, not just fun)
  • Home office deduction if applicable
  • Books, courses, training

Keep receipts. Track them in the same spreadsheet. Your accountant will ask for them.

The Honest Bottom Line

Bug bounty income is great money when it's flowing. It is genuinely unpredictable. Budget off your average, not your best month. Save aggressively when income is good because dry spells are real.

Talk to an accountant before you're earning serious money, not after. The advice is cheap. The mistakes are not.

See also: Career Strategy, Mental Health