
Two-thirds of ethical hackers considering bug bounty hunting as a full-time career

Pictured: A computer keyboard is seen in this cropped image with Javascript in the background. (“Coding Javascript” by Christiaan Colen is marked with CC BY-SA 2.0.)

Research from Intigriti on Tuesday found that 96% of ethical hackers would like to dedicate more time to bug bounty hunting in the future, and 66% are considering it as a full-time career.

The report, based on responses from 1,700 part-time and full-time ethical hackers, found that money is the main draw: 48% named good pay as their No. 1 attraction. Being their own boss and working their own hours were each cited as appealing by 45%.

“The work-from-home culture has made employees desire more independence and has further encouraged digital nomads to pursue a remote working career,” said Inti De Ceukelaire, head of hackers at Intigriti. “Bug bounty platforms can not only facilitate this, but they also allow people to work wherever they want, whenever they want, and without having to rely on a boss to match their talents with customers or be part of a corporate hierarchy.”

Davis McCarthy, principal security researcher at Valtix, said hacking has turned into a full-blown industry, adding that data has become the new commodity, whether on Wall Street or in the underground — cybercriminals monetize passwords, remote access to corporate networks, exploits and botnets.

“Bug bounty hunting is a great career path for cybersecurity professionals,” McCarthy said. “For people getting into bug bounty hunting, it’s good to make sure the target organization has a bug bounty program, and to check if there are any limitations on what’s acceptable to test. There’s a lot of technical debt in the cloud, and the enterprise shift to using the cloud means there are a lot of opportunities for bug bounty hunters to do some good: find exposed S3 buckets, instances with default passwords, and poorly configured databases. If I was getting into bug bounty hunting now, I’d jump headfirst into cloud security.”
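McCarthy's advice to confirm a program exists and to check what is acceptable to test is the step most often skipped by newcomers, and testing an out-of-scope host can void a payout or worse. The script below is an added example, not code from the article, from Valtix or from any bounty platform: it models a program's published scope as in-scope wildcard hosts and CIDR ranges plus explicit out-of-scope entries, and refuses any target that hits an exclusion or is not listed at all. The scope rules and target list are constructed for illustration (reserved example.com names and TEST-NET-3 addresses); the wildcard semantics (subdomains only, apex listed separately, exclusions override inclusions) are an assumption about how programs typically word their scope, so check the real program page before relying on them.

```python
"""Check a target against a bug bounty program's published scope before touching it.

Hypothetical helper, not from any platform. Scope rules follow the common
program format: in-scope wildcard/exact hosts and CIDR ranges, plus explicit
out-of-scope entries that override the wildcards.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    pattern: str    # "*.example.com", "api.example.com" or "203.0.113.0/24"
    in_scope: bool  # False means an explicit exclusion


def host_of(target: str) -> str:
    """Extract the lowercase hostname from a URL, a host:port or a bare host."""
    text = target.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat it as a network location
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"cannot extract a host from {target!r}")
    return host.rstrip(".")


def _matches(rule: ScopeRule, host: str) -> bool:
    """True if the host falls under the rule's pattern (CIDR, wildcard or exact)."""
    pattern = rule.pattern.lower().rstrip(".")
    # IP rules: a bare address parses as a /32 (or /128) network.
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # host or pattern is not an IP; fall through to hostname matching
    if pattern.startswith("*."):
        # Assumed semantics: wildcard covers subdomains only; the apex is listed separately.
        return host.endswith(pattern[1:])  # pattern[1:] == ".example.com"
    return host == pattern


def check_scope(target: str, rules: list[ScopeRule]) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions win over inclusions; unlisted hosts are out."""
    host = host_of(target)
    for rule in rules:
        if not rule.in_scope and _matches(rule, host):
            return False, f"{host} is explicitly out of scope ({rule.pattern})"
    for rule in rules:
        if rule.in_scope and _matches(rule, host):
            return True, f"{host} is in scope ({rule.pattern})"
    return False, f"{host} is not listed in the program scope; do not test it"


# Constructed sample scope using reserved example names and TEST-NET-3 addresses.
SAMPLE_SCOPE = [
    ScopeRule("example.com", True),
    ScopeRule("*.example.com", True),
    ScopeRule("203.0.113.0/24", True),
    ScopeRule("legacy.example.com", False),   # explicit exclusion inside the wildcard
    ScopeRule("*.corp.example.com", False),   # internal subtree carved out of scope
    ScopeRule("203.0.113.7", False),          # single excluded host inside the /24
]

if __name__ == "__main__":
    for t in ["https://api.example.com/v1/users", "legacy.example.com",
              "vpn.corp.example.com", "203.0.113.42", "203.0.113.7",
              "http://EXAMPLE.COM:8443/", "shop.example.org"]:
        ok, why = check_scope(t, SAMPLE_SCOPE)
        print("TEST" if ok else "SKIP", why)
```

Run it before pointing any scanner at a host: anything that prints SKIP is either carved out by the program or simply not theirs to authorize, and the "not listed" case is the one that catches look-alike domains such as shop.example.org that a wildcard-only check would never flag.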

Casey Ellis, founder and CTO at Bugcrowd, said bug bounty hunters are ultimately entrepreneurs in their own right. Ellis said every bug is a startup, and the skills that go into finding bugs effectively are tools developed over time, so there is definitely a hustle element that goes alongside the continuous development of technical skills.

“An often overlooked skill is communications and empathy,” Ellis said. “At the end of the day the purpose of all of this is for the defender, as a business, to understand the risk and be able to fix it. Bug bounty hunters who end up doing really well often excel at learning ‘what matters’ from both a business and a technical standpoint, as well as how to communicate that to a variety of different audiences.
We often see bug bounty hunters go on to do startups over time, which to me is evidence of the fact that it's more about the collection and application of skills than it is about any particular one.”
