Security researchers looking to earn a living as bug bounty hunters would to do better to pursue actual insects.
Using data from bug bounty biz HackerOne, security shop Trail of Bits observes that the top one per cent of bug hunters found on average 0.87 bugs per month, resulting in bounty earnings equivalent to an average yearly salary of $34,255 (£26,500).
That's a bit less than the median wage for a pest control worker in, say, Mississippi, according to the US Bureau of Labor Statistics. It's also lower than the average UK salary of £27,000.
And these are the top cyber exterminators. who bring in the big bucks. Newbies make considerably less.
Citing MIT Press' New Solutions for Cybersecurity, Trail of Bits argues that bug bounty programs appeal mainly to developers in labor markets where wages are significantly lower than in the US, or students learning cybersecurity. Suprisingly enough the biz suggests that other options, like hiring security consultants and penetration testers (which, suprise surprise is Trail of Bits' own business,) may make more sense for companies than a bug bounty program.
"It’s nice to think that you have 300,000 sets of eyes scrutinizing your code, but this number includes zombie accounts and people who never find a single bug," the company said in a blog post Monday. "In reality, only an elite few are getting the work done and cashing in."
Marten Mickos, CEO HackerOne, took issue with Trail of Bits' figures. "This study is not representative," he said in an email to The Register.
"If it is based on HackerOne data, it is only based only on a fragment of it. The hacker community is indeed power-law distributed. The top performers are orders of magnitude more productive than newcomers. The beauty is that many newcomers rise very quickly in the ranks. Within this merit-based system, there is unlimited opportunity for one with skill and will."
Bug bounty botox
However, in a phone interview with The Register, Katie Moussouris, founder and CEO of Luta Security, creator of Microsoft's first bug bounty program, and contributor to the MIT book, concurs with Trail of Bits' conclusions, noting that internal security talent tends to be a better investment.
"There's a natural cap on the amount of money you can put in defensive bounties," she said, noting that the market for offensive bounties is a different kettle of fish. "A bounty price can't really exceed what an in-house security person will make."
Bug bounty programs, said Moussouris, aren't necessarily helpful or right for every organization.
"A lot of organizations have heard the term 'bug bounty' and they see glossy marketing materials highlighting the best possible outcomes but not covering the worst and most disastrous ones," she said.
Companies often think bug bounty programs are as safe as hiring a penetration tester but they're absolutely not, said Moussouris.
I found a security hole in Steam that gave me every game's license keys and all I got was this... oh nice: $20,000READ MORE
"I call it 'bug bounty botox' when people are more interested in seeming like they're better on security than actually improving," she said.
The risks, she explained, include not attracting top bug hunters, attracting too many reports of trivial bugs, and getting more bug reports than the sponsoring organization can actually fix.
"If you don't have internal capabilities, bug bounties won't do you any good and neither will a penetration test," she said.
The UK government, she said, is not going to start a bug bounty program. Instead, she said, it's working with her company to improve its internal processes to the point where various government agencies can all sustainably fix incoming bug reports.
In short, a bug bounty program may be useful, but don't outsource 100 per cent of security of your product to strangers on the internet. ®