Profile Of An Ethical Bug Hunter

Uploaded on 2018-06-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Ethical hacking was once the pursuit of security researchers who wanted something to present at their next conference, or lone wolves who enjoyed the thrill of the chase - but not the threat of prison.

Today, ethical hacking has become big business in the form of bug hunting. More and more companies, from the likes of Microsoft and Google, industries giants such as GM and Uber, and even US government agencies such as the Army and Air Force, now run bug-bounty programs and competitions.

Startups such as Bugcrowd and HackerOne that facilitate bug-bounty programs claim hundreds of thousands of ethical hackers on their platform between them, all ready to help check the security posture of an organization and make a buck or two in the progress.

So, who are these Ethical Hackers?
Both HackerOne and Bugcrowd have released demographic reports outlining who their hackers are. Bugcrowd claims 80,000 researchers on its platform, HackerOne just over 160,000.

“In general, members of our community are young males, ages 17 to 25,” says David Baker, CSO of Bugcrowd. “A lot of them have college degrees and work in security industry. A gaming background is huge draw because, once people realise this game model to engage in where they can hack companies and get paid for, it is fun for them.”

“A lot of them are doing this as a spare-time thing to augment cash or doing it as a context to learn more and for the challenge and to increase of skills. 

“The exception to that, and it’s a growing exception, participants from countries with lower purchase power. The lower the purchase power parity rate of the researchers, the less likely they are to jump into this full-time. There’s also a small group we refer to as super-hunters, people who make $250,000 annually or more. There are probably around 20 to 25 of these people.”

While the companies launching bug bounty programs seem to be mostly based in the US and Europe with a growing uptake in the Asia-Pacific region, and the hackers themselves have a similar geographic spread. 
The US, India, and UK are Bugcrowd’s largest geographies, while the US, India, and Russia represent HackerOne’s biggest communities.

The majority of hackers on both platforms are young: 71 percent of bug hunters on Bugcrowd are between 18 and 29 years old, while more than 90 percent of bug-bounty hackers on HackerOne are under the age of 35 (45 percent are ages 18-24, and 37 percent ages 25-34), and the majority on both started hacking in the last few years. More than half have studied computer science at some level.

Nearly half of HackerOne’s audience has a tech-related job (in IT, software, or hardware), a quarter are currently at study, and about 12 percent class themselves as consultants. Bugcrowd’s audience is largely made of penetration testers (22 percent) consultants (18 percent), and students (15 percent). Hackers on both platforms have similar reasons for doing what they do: Learning/professional development, the challenge, and money were listed at the three main drivers for hacking on both platforms, with money coming third on both.

How much do Ethical Hackers Earn? 
How much a hacker can earn obviously depends on a variety of factors.
According to HackerOne’s yearly report, hackers in India can earn an average of 16 times the median salary of a software engineer in the country, while the rest of the world can earn more than 2.5 times the median salary of a software engineer in their home country.

Infoworld:        Image: Nick Youngson

You Might Also Read: 

Ethical Hacking Is A Great Career Option:

Ethical Hackers: We Want You For A New Recruit:
 

 

« Israeli Cybersecurity Company Beats All Hackers
Cryptocurrency Malware Theft Is Worth Millions »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

PubNub

PubNub

PubNub enables developers to build secure realtime Mobile, Web, and IoT Apps.

ThetaRay

ThetaRay

ThetaRay’s solution for Industrial cyber security protects against unknown cyber-attacks that target industry and critical infrastructure.

Team8

Team8

Team8 is Israel’s most prestigious cybersecurity think tank and venture creation foundry.

Latvian Information & Communications Technology Association (LIKTA)

Latvian Information & Communications Technology Association (LIKTA)

LIKTA brings together leading Latvian companies, organizations and professionals in the field of Information & Communications Technology

Secure Recruitment

Secure Recruitment

Secure Recruitment is a specialist Executive Search business that focuses its efforts on attracting specific exceptional talent in Cyber Security.

Plexal

Plexal

Plexal is East London's innovation centre and co-working space. We offer startups flexible memberships, giving them access to office space plus all the benefits and support they need to scale.

CyGlass

CyGlass

CyGlass simply and effectively identifies, detects, and responds to threats to your network without requiring any additional hardware, software, or people.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

Cympire

Cympire

Cympire significantly increases an organisation’s Cyber Resilience through continuous Training and Assessment. Cyber Security Training Platform. Cloud-based and fully customizable Cyber Range.

Harvey Nash

Harvey Nash

Harvey Nash is a leading global provider of talent and technology solutions.

Bright Pixel Capital

Bright Pixel Capital

Bright Pixel Capital is a venture capital company with a focus on Cybersecurity, Retail Technologies, Digital Infrastructure and Emerging Technologies.

Antigen Security

Antigen Security

Antigen Security is a Digital Forensics, Incident Response and Recovery Engineering firm helping businesses and service providers prepare for, respond to, and recover from cyber threats.

IBM Security

IBM Security

IBM manufactures and markets computer hardware, middleware and software, and offers hosting and consulting services in areas ranging from mainframe computers to nanotechnology.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures (BVV)

Bitdefender Voyager Ventures is an early-stage investment vehicle focused on cybersecurity, data analytics and automation startups.

Netcom Training

Netcom Training

Netcom Training are a dynamic and forward-thinking training provider, passionate about creating change within the IT, tech and digital industries.