Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Oh, yeah, and learning new tricks and protecting stuff, sure

Got Tips? 21

Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering.

And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities.

A survey of 1,700 bug bounty hunters from more than 195 countries and territories by security biz HackerOne, augmented by the company's data on 900 bug bounty programs, has found that white-hat hackers earn a median salary that's 2.7 times that of typical software engineers in their home countries.

In some places, the gap is far more pronounced. In India, for example, hackers make as much as 16 times the median programmer salary. In the US, they earn 2.4 times the median.

HackerOne bases its salary figures on data from PayScale. For India, the median annual software engineer salary is $6,418. For the US, it's $81,193.

"Bug bounty programs are taking off and with that comes enormous opportunities for hackers to earn competitive rewards for making the internet safer," Lauren Koszarek, director of communications at HackerOne, told The Register today.

"The top earning hackers on HackerOne have earned more than the average salary of software engineers in their respective countries – signaling the need for security talent, the quality of vulnerabilities these hackers report and their dedication to squashing bugs."


In the report, computer security breach archivist Troy Hunt opined that the lack of geographical barriers for bug hunting makes the economics appealing.

"Consider what the 'return' component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in," he said. "This makes bounties enormously attractive and gets precisely the eyes you want looking at your security things."

In 2016, according to HackerOne, the top reason for hacking was money. The firm's latest data, however, hints at an ethical awakening, or at least a desire not to come off as avaricious in surveys.

Open your doors to white hats before black hats blow them off, US deputy AG urges big biz


Hackers on average cite improving skills (14.7 per cent), having fun (14 per cent), and being challenged (14 per cent) above making money (13.1 per cent) to explain their motivations.

After that, it's career advancement (12.2 percent), protecting and defending (10.4 per cent), doing good (10 per cent), helping others (8.5 per cent) and showing off (3 per cent).

But it would be a mistake to weigh altruism too heavily. In answer to the question, "Why do you choose the companies you hack?", 23 per cent cited the bounty. After that, the most common sentiment was the challenge or opportunity to learn (20.5 per cent), followed by affinity for the company (13 per cent).

According to the survey, approximately 12 per cent of hackers using HackerOne earn at least $20,000 annually from bug bounties, about 3 per cent make more than $100,000, and 1.1 per cent are making more than $350,000. So the majority of bug hunters rely on other income sources.

The majority of that money goes to people outside the US, too,

About 37 per cent of respondents said they hack as a hobby; about a quarter said they rely on bounties for a least half their income; and some 13.7 percent said they earn 90-100 per cent of their annual income from bug finding rewards.

Income variability may explain in part why over 90 per cent of hackers are under the age of 35 – younger people tend to be able to afford the time and risk for such a speculative endeavor; older people, often with obligations to others, tend to have less time for hobbies and more need for a predictable salary.

Positive education

Also worth noting is that 58 per cent of hackers say their hacking skills are self-taught, even if about half of them studied computer science at an undergraduate or graduate level, and just over a quarter of them studied computer science in high school or earlier.

The bug hunting market appears to have plenty of room for expansion. Only six per cent Forbes Global 2000 companies have bug bounty programs. As a consequence, the report says, almost one hacker in every four has opted not to report a flaw because the affected company had no channel for reporting the issue.

"This is still a relatively new concept," said Koszarek. "Bug bounty programs have previously been reserved for companies like Google, Microsoft, and Facebook that have more resources than the average organization."

Koszarek said the number of companies adopting bug bounty or vulnerability disclosure programs has almost doubled in the past year. Legal issues remain an obstacle for some companies to embrace the concept. Koszarek advises that corporate legal teams need to be involved from the outset to map out the scope of bug bounty programs.

"This not only helps organizations maintain clear legal guidelines for their programs, but it also helps guide ethical hackers to the areas you want them to focus on and manage expectations…", she said. ®

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Zoom continues its catch-up security sprint with new training, bug bounty tweaks and promise of crypto playbook

Sigh. How many users did it have before it started this stuff?

Microsoft brings K8s Security Center out of preview, replaces CoreOS Container Linux with Flatcar

Azure security dashboard now covers Kubernetes service - at a price

Google's OpenSK lets you BYOSK – burn your own security key

Now there's no excuse

Access Analysis, GuardDuty and Inspector gadgets not enough? Here comes another AI-driven security tool for AWS

What have you got for us, Detective?

SecureX gon give it to ya: Cisco muscles into the integrated security game

Push to get punters inhaling one cloudy product

Resistance is futile: Some Cisco security appliances are ticking time bombs of fail thanks to faulty resistors

After 18 months, they can just fall over. The fix is asking Borgzilla for a new one

US telcos tossed yet another extension to keep going with Huawei kit despite America's 'security threat' concerns

It's clearly not a pressing issue – this is the fourth time now

Tech Resources

Webcast Slide Deck | How to simplify data protection on Amazon Web Services

The way we backup and restore has changed, but the outcomes are often just as bad. If you’re waiting hours to restore, or keeping terabytes of data because you don’t know if you can delete it, you’re wasting your time and your money. So imagine a service that restores in seconds, even individual files. Join Sebastian Straub, N2WS’s “personable IT magician” and Danny Michael, Head of IT at Gett, who promise to show us a better way in a live Regcast.

Ransomware Hostage Rescue Manual

Free your files! Get the most informative and complete hostage rescue manual on ransomware.

Detect Threats Early and Follow Attacker Movement Across the Network

The addition of Network Traffic Analysis to InsightIDR means teams have all of their critical security data in one place.

2020 SANS Network Visibility and Threat Detection Survey

Read the report to learn how to do more with the network data you already have and what to look for in a network visibility tool.