Ethical hackers earned nearly US$40 million in bug bounties in 2019, which was almost equal to payouts for all previous years combined, according to the 2020 Hacker Report by bug bounty platform provider HackerOne.

The popularity of white hat hacking as a career is soaring, so much so that, for some, it has become a lucrative career option. The hackers once saw themselves as inhabitants of the darkest recesses of the internet, but times have changed, notes the platform’s fourth annual report.

No fewer than 850 white hats are joining the ranks of the 600,000-strong community on average every day. No wonder since seven bug hunters have already surpassed US$1 million in lifetime earnings from their pursuits, while 13 more hit the US$500,000 mark. A total of 146 bug hunters have earned more than US$100,000, which is almost triple the number of white hats who earned that much in 2018.

Based on a survey published in the report, however, most members of the community consider ethical hacking as a way to supplement their incomes. By contrast, just about 22% of respondents claim that hacking makes up their whole incomes. That is corroborated with 40% of participants stating that they devote 20 hours a week to sleuthing for vulnerabilities, while just 18% consider themselves full-time ethical hackers.

Although white hats want to help organizations, two-thirds of them chose not to report their findings due to a variety of reasons. Four in ten stated that it was due to “threatening legal language” listed on the organization’s website, while one in five said that “companies didn’t have an obvious channel through which to report findings”. In some cases, the companies didn’t respond to bug reports.

“That’s thousands of bugs that have gone unreported, and a significant amount of untapped potential,” notes the report.

The thrill of the challenge remains the biggest motivation for hacking for most, while financial remuneration comes in a close second. But the order switches when it comes to the question of what attracts them to particular bounty programs. The bounties offered are overwhelmingly in first place when white hats choose a company to hack and the challenge or opportunity to learn is the second greatest motivator. Governments lead the way with their progressive approach, by organizing bounty programs, such as identifying vulnerabilities in the digital assets of the US Air Force.

As for the bounties themselves, ethical hackers from the United States earned one-fifth of all the bounties last year, while India was second with a 10% portion of the rewards. Meanwhile, their peers from Austria and Switzerland increased their haul from bounties almost tenfold compared to the previous year and white hats from the APAC region earned 250% more year-on-year.

HackerOne has seen the number of its members almost double in the past year, with most of its users being under the age of 35. Hackers from India were the most productive, accounting for 18% of all the reports submitted in the last year, with US-based white hats submitting 11% of the total.

To date, more than 150,000 software vulnerabilities have been reported through the platform.