Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.
And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.
A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.
In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.
HackerOne bases its salary figures on data from PayScale. For India, the median annual software engineer salary is $6,418. For the US, it's $81,193.
"Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer," Lauren Koszarek, director of communications at HackerOne, told The Register today.
"The top earning hackers on HackerOne have earned more than the average salary of software engineers in their respective countries – signaling the need for security talent, the quality of vulnerabilities these hackers report and their dedication to squashing bugs."
In the report, computer security breach archivist Troy Hunt opined that the lack of geographical barriers for bug hunting makes the economics appealing.
"Consider what the 'return' component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in," he said. "This makes bounties enormously attractive and gets precisely the eyes you want looking at your security things."
In 2016, according to HackerOne, the top reason for hacking was money. The firm's latest data, however, hints at an ethical awakening, or at least a desire not to come off as avaricious in surveys.
Open your doors to white hats before black hats blow them off, US deputy AG urges big bizREAD MORE
Hackers on average cite improving skills (14.7 per cent), having fun (14 per cent), and being challenged (14 per cent) above making money (13.1 per cent) to explain their motivations.
After that, it's career advancement (12.2 percent), protecting and defending (10.4 per cent), doing good (10 per cent), helping others (8.5 per cent) and showing off (3 per cent).
But it would be a mistake to weigh altruism too heavily. In answer to the question, "Why do you choose the companies you hack?", 23 per cent cited the bounty. After that, the most common sentiment was the challenge or opportunity to learn (20.5 per cent), followed by affinity for the company (13 per cent).
According to the survey, approximately 12 per cent of hackers using HackerOne earn at least $20,000 annually from bug bounties, about 3 per cent make more than $100,000, and 1.1 per cent are making more than $350,000. So the majority of bug hunters rely on other income sources.
The majority of that money goes to people outside the US, too,
About 37 per cent of respondents said they hack as a hobby; about a quarter said they rely on bounties for a least half their income; and some 13.7 percent said they earn 90-100 per cent of their annual income from bug finding rewards.
Income variability may explain in part why over 90 per cent of hackers are under the age of 35 – younger people tend to be able to afford the time and risk for such a speculative endeavor; older people, often with obligations to others, tend to have less time for hobbies and more need for a predictable salary.
Also worth noting is that 58 per cent of hackers say their hacking skills are self-taught, even if about half of them studied computer science at an undergraduate or graduate level, and just over a quarter of them studied computer science in high school or earlier.
The bug hunting market appears to have plenty of room for expansion. Only six per cent Forbes Global 2000 companies have bug bounty programs. As a consequence, the report says, almost one hacker in every four has opted not to report a flaw because the affected company had no channel for reporting the issue.
"This is still a relatively new concept," said Koszarek. "Bug bounty programs have previously been reserved for companies like Google, Microsoft, and Facebook that have more resources than the average organization."
Koszarek said the number of companies adopting bug bounty or vulnerability disclosure programs has almost doubled in the past year. Legal issues remain an obstacle for some companies to embrace the concept. Koszarek advises that corporate legal teams need to be involved from the outset to map out the scope of bug bounty programs.
"This not only helps organizations maintain clear legal guidelines for their programs, but it also helps guide ethical hackers to the areas you want them to focus on and manage expectations…", she said. ®