
Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Oh, yeah, and learning new tricks and protecting stuff, sure


Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.

In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

HackerOne bases its salary figures on data from PayScale. For India, the median annual software engineer salary is $6,418. For the US, it's $81,193.

"Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer," Lauren Koszarek, director of communications at HackerOne, told The Register today.

"The top earning hackers on HackerOne have earned more than the average salary of software engineers in their respective countries – signaling the need for security talent, the quality of vulnerabilities these hackers report and their dedication to squashing bugs."

Economics

In the report, computer security breach archivist Troy Hunt opined that the lack of geographical barriers for bug hunting makes the economics appealing.

"Consider what the 'return' component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in," he said. "This makes bounties enormously attractive and gets precisely the eyes you want looking at your security things."

In 2016, according to HackerOne, the top reason for hacking was money. The firm's latest data, however, hints at an ethical awakening, or at least a desire not to come off as avaricious in surveys.


Hackers on average cite improving skills (14.7 per cent), having fun (14 per cent), and being challenged (14 per cent) above making money (13.1 per cent) to explain their motivations.

After that, it's career advancement (12.2 per cent), protecting and defending (10.4 per cent), doing good (10 per cent), helping others (8.5 per cent) and showing off (3 per cent).

But it would be a mistake to weigh altruism too heavily. In answer to the question, "Why do you choose the companies you hack?", 23 per cent cited the bounty. After that, the most common sentiment was the challenge or opportunity to learn (20.5 per cent), followed by affinity for the company (13 per cent).

According to the survey, approximately 12 per cent of hackers using HackerOne earn at least $20,000 annually from bug bounties, about 3 per cent make more than $100,000, and 1.1 per cent are making more than $350,000. So the majority of bug hunters rely on other income sources.

The majority of that money goes to people outside the US, too.

About 37 per cent of respondents said they hack as a hobby; about a quarter said they rely on bounties for at least half their income; and some 13.7 per cent said they earn 90-100 per cent of their annual income from bug finding rewards.

Income variability may explain in part why over 90 per cent of hackers are under the age of 35 – younger people tend to be able to afford the time and risk for such a speculative endeavor; older people, often with obligations to others, tend to have less time for hobbies and more need for a predictable salary.

Positive education

Also worth noting is that 58 per cent of hackers say their hacking skills are self-taught, even if about half of them studied computer science at an undergraduate or graduate level, and just over a quarter of them studied computer science in high school or earlier.

The bug hunting market appears to have plenty of room for expansion. Only six per cent of Forbes Global 2000 companies have bug bounty programs. As a consequence, the report says, almost one hacker in every four has opted not to report a flaw because the affected company had no channel for reporting the issue.

"This is still a relatively new concept," said Koszarek. "Bug bounty programs have previously been reserved for companies like Google, Microsoft, and Facebook that have more resources than the average organization."

Koszarek said the number of companies adopting bug bounty or vulnerability disclosure programs has almost doubled in the past year. Legal issues remain an obstacle for some companies to embrace the concept. Koszarek advises that corporate legal teams need to be involved from the outset to map out the scope of bug bounty programs.

"This not only helps organizations maintain clear legal guidelines for their programs, but it also helps guide ethical hackers to the areas you want them to focus on and manage expectations…", she said. ®
