A recent HackerOne survey found that some bug bounty hunters are earning more than 16 times what they would have earned as a software engineer in their own country.
On average, however, the top-earning researchers make 2.7 times the median salary of a software engineer in their home country, according to the 2018 Hacker Report.
And while money is still a major motivation for ethical hackers, it has fallen from first to fourth place as more hackers are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second.
“One of the biggest differences between the 2016 and 2018 reports was that hackers are motivated by opportunities to learn, be challenged and have fun more than money,” HackerOne Chief Executive Officer Marten Mickos told SC Media. “While money definitely still attracts hackers to different programs, it's not the key driver of what they do.”
The passion for the craft is evident in other ways as well: 37 percent of hackers say they hack as a hobby in their spare time, and nearly 58 percent of them are self-taught. Less than 5 percent have learned hacking skills in a classroom, despite 50 percent of hackers having studied computer science at an undergraduate or graduate level.
Researchers also found the ethical hacking workforce is still relatively young, with over 90 percent of bug bounty hackers on HackerOne under the age of 35, over 50 percent under 25, and just under 7 percent under the age of 18, with the majority of hackers between 18 and 24 years old.
“The ethical hacker community is filled with smart, curious, communal and charitable human beings. The biggest takeaway of this report should be that the ethical hacking community is eager to do good in the world,” Mickos said. “They are already finding vulnerabilities.”
Mickos said it's important for organizations to question whether or not they are opening a channel to receive these vulnerabilities, and that it's important to at least open the channel of communication with the hacker community through a vulnerability response program.
The study found ethical hackers are still hitting speed bumps when it comes to hunting bugs, as 46 percent of respondents choose not to report vulnerabilities because the company in question didn't have a channel to disclose them, and 9 percent said the company had threatening legal language on its website.
When companies don't have a vulnerability disclosure policy (VDP) in place, which publicly states how a vulnerability can be safely reported and provides “safe harbor” language for the hacker, the safest path from a legal standpoint is often not to disclose flaws.
“One of the most interesting findings was the comparison between top bug bounty incomes and regional software engineer salaries,” Mickos said. “It concretely demonstrates how lucrative bug bounties are becoming. It's great to see companies place that kind of value on outside perspective.”