Bug bounties can be highly lucrative for top hackers; for instance, top-earning researchers based in India earn 16 times the median salary of a software engineer there. And on average, top-earning researchers make 2.7 times the median salary of a software engineer in their home country.
That's according to HackerOne, the bug-bounty platform, which surveyed nearly 1,700 hackers to get a pulse on this community of internet protectors: what their motives are, how much they're making and what they're doing with the bounties they earn (a staggering 24% have donated bounties to charity).
The results show that while 37% of hackers say they hack as a hobby in their spare time, it pays far better than most hobbies would: About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties, and the top 3% make more than $100,000 per year. The top 1.1% are making over $350,000 annually. A quarter of hackers rely on bounties for at least 50% of their annual income, and 13.7% say the bounties they earn represent 90-100% of their annual income.
Perhaps it’s no surprise then that money remains a top reason for why bug hunters do what they do; however, financial gain has fallen from first place to fourth place in terms of drivers compared to 2016. Above all, hackers are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second place.
In terms of demographics, India (23%) and the United States (20%) are the top two countries represented in the HackerOne hacker community, followed by Russia (6%), Pakistan (4%) and the United Kingdom (4%). Nearly 58% of them are self-taught hackers. Despite 50% of hackers having studied computer science at an undergraduate or graduate level, and 26.4% having studied computer science in high school or earlier, less than 5% have learned hacking skills in a classroom.
Further, more than 90% of bug-bounty hackers on HackerOne are under the age of 35, with over 50% under 25 and just under 8% under the age of 18. The largest group (45.3%) is between 18 and 24 years old, and 37.3% of hackers are between 25 and 35 years old.
While ethical hacking is becoming increasingly mainstream, there are still hurdles to overcome. Namely, 94% of the Forbes Global 2000 do not have a published vulnerability disclosure policy, so a researcher who finds a bug in one of these companies often has no sanctioned way to report it. As a result, nearly 25% of hackers have not reported a vulnerability they found because the company didn't have a channel to disclose it. However, 72% of hackers in total reported that companies are becoming more open to receiving vulnerability reports than they were before.
“Every day, hackers demonstrate the power of the community by reporting thousands of vulnerabilities to companies and government agencies to make the internet safer for us all,” said Marten Mickos, CEO, HackerOne. “We are blown away by the skills, the passion and integrity of these individuals showcased in this report. The work of the ethical hacker community is significantly reducing the risk of security breaches.”
Bug hunting is on the rise: More than 1,000 organizations, including Google, General Motors, GitHub, Lufthansa, Nintendo, Spotify, Starbucks, the US Department of Defense and others, have established bug-bounty programs. HackerOne itself supported 1,000 customer programs and saw more than $23 million in bounties awarded to the ethical hacker community in 2017. The company plans to have paid over $100 million in rewards to hackers by 2020.