How well can bug hunting pay?

Top-earning ethical hackers are rewarded with 2.7 times more money than the median salary of a full-time software engineer in their home country, a recent survey about the economics, geography and other aspects of bug hunting has revealed.

In some countries, the financial allure of looking for security vulnerabilities is (even) more striking, according to the findings of a survey in The 2018 Hacker Report released recently by bug bounty platform provider HackerOne. The conclusions relied on input from nearly 1,700 white hat hackers across the world in what is described as “the largest documented survey ever conducted of the ethical hacking community”. All those surveyed have successfully reported at least one valid security flaw.

India and Argentina stand out in particular, as the white hat hackers there were found to be paid 16 and 15.6 times more, respectively, than what a typical software engineer earns in the country. Bug hunting on its own can also apparently provide a comfortable living for white hats in Egypt, Hong Kong and the Philippines, where the multipliers range between 8.1 and 5.4.

Speaking of financial rewards, money is apparently no longer the top motivator for the hackers’ efforts to expose security flaws. It has fallen to fourth place since 2016, as the white hats now claim to be more incentivized by a chance to “learn tips and techniques”; “to be challenged” and “to have fun” were tied for second place.

Among other intriguing discoveries, one in four ethical hackers said that they have left security holes unreported because “the company didn’t have a channel to disclose it”. Even so, the bug hunters claim to have attempted to flag such flaws with the company through other means, only to be “frequently ignored or misunderstood”.

On the flip side, nearly three-quarters of the hackers said that companies have recently been more open to receiving reports about flaws. One in three believe that organizations have in fact been “far more open” to receiving vulnerability reports.

Over 90% of the white hats are younger than 35, and most of them are self-taught. Nearly one-half of all those quizzed have a full-time job in the IT industry.

The white hats tend to focus their efforts on identifying vulnerabilities in websites (70.8%), followed by APIs (7.5%), “technology that I’m a user of” (5%), and Android apps (4.2%). As for favorite attack vectors, cross-site scripting took the crown (28%), with SQL injection (23.1%) coming next.

Last week, the discovery of an Android remote exploit chain earned a Chinese researcher a six-figure payout, the highest ever in the history of Google’s Android Security Rewards program and a worthy addition to the list of the heftiest bug bounties ever paid. Not all such efforts come with windfalls, however.

Meanwhile, it was announced several weeks ago that ethical hackers are set to help the United Kingdom’s National Health System improve its cybersecurity posture.

HackerOne has seen a ten-fold increase in the number of its users in two years. At 23% and 20% of the 166,000-strong community, India and the United States, respectively, are by far the top two countries represented. Over 72,000 valid vulnerabilities have been submitted to the platform, with the bug bounty hunters earning over $23.5 million in return.

Author , ESET

Copyright © 2018 ESET, All Rights Reserved.