Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Oh, yeah, and learning new tricks and protecting stuff, sure


Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.

In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

HackerOne bases its salary figures on data from PayScale. For India, the median annual software engineer salary is $6,418. For the US, it's $81,193.

"Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer," Lauren Koszarek, director of communications at HackerOne, told The Register today.

"The top earning hackers on HackerOne have earned more than the average salary of software engineers in their respective countries – signaling the need for security talent, the quality of vulnerabilities these hackers report and their dedication to squashing bugs."


In the report, computer security breach archivist Troy Hunt opined that the lack of geographical barriers for bug hunting makes the economics appealing.

"Consider what the 'return' component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in," he said. "This makes bounties enormously attractive and gets precisely the eyes you want looking at your security things."

In 2016, according to HackerOne, the top reason for hacking was money. The firm's latest data, however, hints at an ethical awakening, or at least a desire not to come off as avaricious in surveys.

Hackers on average cite improving skills (14.7 per cent), having fun (14 per cent), and being challenged (14 per cent) above making money (13.1 per cent) to explain their motivations.

After that, it's career advancement (12.2 per cent), protecting and defending (10.4 per cent), doing good (10 per cent), helping others (8.5 per cent) and showing off (3 per cent).

But it would be a mistake to weigh altruism too heavily. In answer to the question, "Why do you choose the companies you hack?", 23 per cent cited the bounty. After that, the most common sentiment was the challenge or opportunity to learn (20.5 per cent), followed by affinity for the company (13 per cent).

According to the survey, approximately 12 per cent of hackers using HackerOne earn at least $20,000 annually from bug bounties, about 3 per cent make more than $100,000, and 1.1 per cent are making more than $350,000. So the majority of bug hunters rely on other income sources.

The majority of that money goes to people outside the US, too.

About 37 per cent of respondents said they hack as a hobby; about a quarter said they rely on bounties for at least half their income; and some 13.7 per cent said they earn 90-100 per cent of their annual income from bug finding rewards.

Income variability may explain in part why over 90 per cent of hackers are under the age of 35 – younger people tend to be able to afford the time and risk for such a speculative endeavor; older people, often with obligations to others, tend to have less time for hobbies and more need for a predictable salary.

Positive education

Also worth noting is that 58 per cent of hackers say their hacking skills are self-taught, even if about half of them studied computer science at an undergraduate or graduate level, and just over a quarter of them studied computer science in high school or earlier.

The bug hunting market appears to have plenty of room for expansion. Only six per cent of Forbes Global 2000 companies have bug bounty programs. As a consequence, the report says, almost one hacker in every four has opted not to report a flaw because the affected company had no channel for reporting the issue.

"This is still a relatively new concept," said Koszarek. "Bug bounty programs have previously been reserved for companies like Google, Microsoft, and Facebook that have more resources than the average organization."

Koszarek said the number of companies adopting bug bounty or vulnerability disclosure programs has almost doubled in the past year. Legal issues remain an obstacle for some companies to embrace the concept. Koszarek advises that corporate legal teams need to be involved from the outset to map out the scope of bug bounty programs.

"This not only helps organizations maintain clear legal guidelines for their programs, but it also helps guide ethical hackers to the areas you want them to focus on and manage expectations…", she said. ®
