The report, based on responses from 1,700 part-time and full-time ethical hackers, found that they are attracted to the money, as 48% said good pay was their No. 1 attraction point. The ethical hackers also cited the desire to be their own boss and the ability to work their own hours as 45% listed both points as appealing.
“The work-from-home culture has made employees desire more independence and has further encouraged digital nomads to pursue a remote working career, said Inti De Ceukelaire, head of hackers at Intigriti. “Bug bounty platforms can not only facilitate this, but they also allow people to work wherever they want, whenever they want, and without having to rely on a boss to match their talents with customers or be part of a corporate hierarchy.”
Davis McCarthy, principal security researcher at Valtix, said hacking has turned into a full-blown industry, adding that data has become the new commodity, whether on Wall Street or in the underground — cybercriminals monetize passwords, remote access to corporate networks, exploits and botnets.
“Bug bounty hunting is a great career path for cybersecurity professionals,” McCarthy said. “For people getting into bug bounty hunting, it’s good to make sure the target organization has a bug bounty program, and to check if there are any limitations on what’s acceptable to test. There’s a lot of technical debt in the cloud, and the enterprise shift to using the cloud means there are a lot of opportunities for bug bounty hunters to do some good: find exposed S3 buckets, instances with default passwords, and poorly configured databases. If I was getting into bug bounty hunting now, I’d jump headfirst into cloud security.”
Casey Ellis, founder and CTO at Bugcrowd, said bug bounty hunters are ultimately entrepreneurs in their own right. Ellis said every bug is a startup, and the skills that go into finding bugs effectively are the tools developed over time, so there’s definitely a hustle element which goes alongside the continuous development of technical skills.
“An often overlooked skill is communications and empathy,” Ellis said. “At the end of the day the purpose of all of this is for the defender, as a business, to understand the risk and be able to fix it. Bug bounty hunters who end up doing really well often excel at learning ‘what matters’ from both a business and a technical standpoint, as well as how to communicate that to a variety of different audiences.
We often see bug bounty hunters go on to doing startups over time, which to me is evidence of the fact that it's more about the collection and application of skills than it is about any particular one.”