Profile Of An Ethical Bug Hunter

Ethical hacking was once the pursuit of security researchers who wanted something to present at their next conference, or lone wolves who enjoyed the thrill of the chase - but not the threat of prison.

Today, ethical hacking has become big business in the form of bug hunting. More and more companies, from the likes of Microsoft and Google to industry giants such as GM and Uber, and even US government agencies such as the Army and Air Force, now run bug-bounty programs and competitions.

Startups such as Bugcrowd and HackerOne that facilitate bug-bounty programs claim hundreds of thousands of ethical hackers on their platforms between them, all ready to help check the security posture of an organization and make a buck or two in the process.

So, who are these Ethical Hackers?
Both HackerOne and Bugcrowd have released demographic reports outlining who their hackers are. Bugcrowd claims 80,000 researchers on its platform, HackerOne just over 160,000.

“In general, members of our community are young males, ages 17 to 25,” says David Baker, CSO of Bugcrowd. “A lot of them have college degrees and work in the security industry. A gaming background is a huge draw because, once people realise this is a game model to engage in where they can hack companies and get paid for it, it is fun for them.”

“A lot of them are doing this as a spare-time thing to augment cash or doing it as a context to learn more and for the challenge and to increase their skills.

“The exception to that, and it’s a growing exception, is participants from countries with lower purchase power. The lower the purchase power parity rate of the researchers, the less likely they are to jump into this full-time. There’s also a small group we refer to as super-hunters, people who make $250,000 annually or more. There are probably around 20 to 25 of these people.”

The companies launching bug bounty programs seem to be mostly based in the US and Europe, with a growing uptake in the Asia-Pacific region, and the hackers themselves have a similar geographic spread.
The US, India, and UK are Bugcrowd’s largest geographies, while the US, India, and Russia represent HackerOne’s biggest communities.

The majority of hackers on both platforms are young: 71 percent of bug hunters on Bugcrowd are between 18 and 29 years old, while more than 90 percent of bug-bounty hackers on HackerOne are under the age of 35 (45 percent are ages 18-24, and 37 percent ages 25-34), and the majority on both started hacking in the last few years. More than half have studied computer science at some level.

Nearly half of HackerOne’s audience has a tech-related job (in IT, software, or hardware), a quarter are currently studying, and about 12 percent class themselves as consultants. Bugcrowd’s audience is largely made up of penetration testers (22 percent), consultants (18 percent), and students (15 percent). Hackers on both platforms have similar reasons for doing what they do: learning/professional development, the challenge, and money were listed as the three main drivers for hacking on both platforms, with money coming third on both.

How much do Ethical Hackers Earn? 
How much a hacker can earn obviously depends on a variety of factors.
According to HackerOne’s yearly report, hackers in India can earn an average of 16 times the median salary of a software engineer in the country, while those in the rest of the world can earn more than 2.5 times the median salary of a software engineer in their home country.

Infoworld:        Image: Nick Youngson
