Profile Of An Ethical Bug Hunter

Ethical hacking was once the pursuit of security researchers who wanted something to present at their next conference, or lone wolves who enjoyed the thrill of the chase - but not the threat of prison.

Today, ethical hacking has become big business in the form of bug hunting. More and more companies, from the likes of Microsoft and Google, industries giants such as GM and Uber, and even US government agencies such as the Army and Air Force, now run bug-bounty programs and competitions.

Startups such as Bugcrowd and HackerOne that facilitate bug-bounty programs claim hundreds of thousands of ethical hackers on their platform between them, all ready to help check the security posture of an organization and make a buck or two in the progress.

So, who are these Ethical Hackers?
Both HackerOne and Bugcrowd have released demographic reports outlining who their hackers are. Bugcrowd claims 80,000 researchers on its platform, HackerOne just over 160,000.

“In general, members of our community are young males, ages 17 to 25,” says David Baker, CSO of Bugcrowd. “A lot of them have college degrees and work in security industry. A gaming background is huge draw because, once people realise this game model to engage in where they can hack companies and get paid for, it is fun for them.”

“A lot of them are doing this as a spare-time thing to augment cash or doing it as a context to learn more and for the challenge and to increase of skills. 

“The exception to that, and it’s a growing exception, participants from countries with lower purchase power. The lower the purchase power parity rate of the researchers, the less likely they are to jump into this full-time. There’s also a small group we refer to as super-hunters, people who make $250,000 annually or more. There are probably around 20 to 25 of these people.”

While the companies launching bug bounty programs seem to be mostly based in the US and Europe with a growing uptake in the Asia-Pacific region, and the hackers themselves have a similar geographic spread. 
The US, India, and UK are Bugcrowd’s largest geographies, while the US, India, and Russia represent HackerOne’s biggest communities.

The majority of hackers on both platforms are young: 71 percent of bug hunters on Bugcrowd are between 18 and 29 years old, while more than 90 percent of bug-bounty hackers on HackerOne are under the age of 35 (45 percent are ages 18-24, and 37 percent ages 25-34), and the majority on both started hacking in the last few years. More than half have studied computer science at some level.

Nearly half of HackerOne’s audience has a tech-related job (in IT, software, or hardware), a quarter are currently at study, and about 12 percent class themselves as consultants. Bugcrowd’s audience is largely made of penetration testers (22 percent) consultants (18 percent), and students (15 percent). Hackers on both platforms have similar reasons for doing what they do: Learning/professional development, the challenge, and money were listed at the three main drivers for hacking on both platforms, with money coming third on both.

How much do Ethical Hackers Earn? 
How much a hacker can earn obviously depends on a variety of factors.
According to HackerOne’s yearly report, hackers in India can earn an average of 16 times the median salary of a software engineer in the country, while the rest of the world can earn more than 2.5 times the median salary of a software engineer in their home country.

Infoworld:        Image: Nick Youngson

You Might Also Read: 

Ethical Hacking Is A Great Career Option:

Ethical Hackers: We Want You For A New Recruit:
 

 

« Israeli Cybersecurity Company Beats All Hackers
Cryptocurrency Malware Theft Is Worth Millions »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Blue Ridge Networks

Blue Ridge Networks

Blue Ridge offers a suite of solutions that enable secure remote access to the enterprise network with protection and control of endpoints.

ReversingLabs

ReversingLabs

ReversingLabs develops cyber threat detection and mitigation tools that address the the latest directed attacks, advanced persistent threats and polymorphic malware.

Savanti Consulting

Savanti Consulting

Savanti provides practitioner-led cyber security services tailored to meet each organisation’s unique requirements.

Centre for Multidisciplinary Research, Innovation & Collaboration (C-MRiC)

Centre for Multidisciplinary Research, Innovation & Collaboration (C-MRiC)

C-MRiC collaborates on initiatives, ranging from national cyber security, enterprise security, information assurance, protection strategy, climate control to health and life sciences.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Samurai Digital Consulting

Samurai Digital Consulting

Samurai Digital Security are a cyber and Information security services provider, specialising in penetration testing, incident response, user awareness and information governance solutions.

Internet Security Research Group (ISRG)

Internet Security Research Group (ISRG)

ISRG's mission is to reduce financial, technological, and educational barriers to secure communication over the Internet.

StrikeReady

StrikeReady

StrikeReady have developed CARA, an advanced technology solution that offers personalized and proactive assessment and remediation of future and current risk in real-time.

McCrary Institute - Auburn University

McCrary Institute - Auburn University

The McCrary Institute seeks practical solutions to real-world problems in the areas of cyber and critical infrastructure security.

Arqit Quantum

Arqit Quantum

Arqit's mission is to use transformational quantum encryption technology to keep safe the data of our governments, enterprises and citizens.

CACI International

CACI International

CACI is at the forefront of developing and delivering technological breakthroughs that transform and optimize government operations.

Computer Services Inc (CSI)

Computer Services Inc (CSI)

CSI is a leading fintech, regtech and cybersecurity solutions partner operating at the intersection of innovation and service.

Securance Consulting

Securance Consulting

Since 2002, Securance has empowered enterprises to assume proactive security, compliance, and risk management strategies.

ClearShark

ClearShark

Since 2001, ClearShark has been a go-to adviser in the U.S. Public Sector for creating customized and integrated solutions for the most secure of networks.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.

Clear Ridge Defense

Clear Ridge Defense

Clear Ridge was founded in April 2015 with the mission and vision to support Joint, Service Cyber Components, and commercial clients in specialized cyber support.