Meet the modern software tester: Bug hunters profiled

Young men predominate as bug hunters, many of whom are gamers, work in IT or security, and have studied computer science.

Meet the ethical hacker: Bug hunters profiled — Pixel2013 / Matejmo / Getty Images

Ethical hacking was once the pursuit of security researchers who wanted something to present at their next conference, or lone wolves who enjoyed the thrill of the chase (but not the threat of prison).

Today, ethical hacking has become big business in the form of bug hunting. More and more companies—from the likes of Microsoft and Google, industries giants such as GM and Uber, and even US government agencies such as the Army and Air Force—now run bug-bounty programs and competitions.

Startups such as Bugcrowd and HackerOne that facilitate bug-bounty programs claim hundreds of thousands of ethical hackers on their platform between them, all ready to help check the security posture of an organization and make a buck or two in the progress.

So, who are these ethical hackers?

Both HackerOne and Bugcrowd have released demographic reports outlining who their hackers are. Bugcrowd claims 80,000 researchers on its platform, HackerOne just over 160,000.

“In general, members of our community are young males, ages 17 to 25,” says David Baker, CSO of Bugcrowd. “A lot of them have college degrees and work in security industry. A gaming background is huge draw because, once people realize this game model to engage in where they can hack companies and get paid for, it is fun for them.”

“A lot of them are doing this as a spare-time thing to augment cash or doing it as a context to learn more and for the challenge and to increase of skills. The exception to that—and it’s a growing exception—participants from countries with lower purchase power. The lower the purchase power parity rate of the researchers, the less likely they are to jump into this full-time. There’s also a small group we refer to as superhunters, people who make $250,000 annually or more. There are probably around 20 to 25 of these people.”

ethical hackers global priorities — The average submission priority for ethical hackers by region. Scale: 1 = most critical, 5 = least critical.

While the companies launching bug bounty programs seem to be mostly based in the US and Europe with a growing uptake in the Asia-Pacific region, and the hackers themselves have a similar geographic spread.The US, India, and UK are Bugcrowd’s largest geographies, while the US, India, and Russia represent HackerOne’s biggest communities.

The majority of hackers on both platforms are young: 71 percent of bug hunters on Bugcrowd are between 18 and 29 years old, while more than 90 percent of bug-bounty hackers on HackerOne are under the age of 35 (45 percent are ages 18-24, and 37 percent ages 25-34), and the majority on both started hacking in the last few years. More than half have studied computer science at some level.

Meet the hacker: Matt Layton

Role:Security engineer at Audible, bug bounties as a side project for about 18 months.

Education: Computer Science degree from Adelphi University.

Highest payout: $2,000 “thanks to a very lucky find.”

What makes bug bounties appealing: “Bug hunting can be a unique learning experience and provide the opportunity to look at different technologies and infrastructures in a real-world situation. It’s rare to find that true, real-world learning environment. Of course, the money is always great, but the thrill of the hunt is better. There’s nothing like finding a bug after working on it for hours. It’s a confidence boost and validation that you’re learning and getting better.”

On the changing perception of bug bounty programs: “I think more and more companies are beginning to see what kind of value a bug-bounty program can provide. I can imagine it’s very intimidating to have a swarm of hackers scouring your company’s applications and services. But seeing so many success stories from some very reputable companies, it’s hard to miss the value.”

Would you submit an issue to a company that didn’t have a vulnerability disclosure policy? “I’d be very nervous to submit an issue to a company without a disclosure program. We’ve all heard stories in the past where companies were not too happy about getting a vulnerability report from a security researcher.”

Nearly half of HackerOne’s audience has a tech-related job (in IT, software, or hardware), a quarter are currently at study, and about 12 percent class themselves as consultants. Bugcrowd’s audience is largely made of penetration testers (22 percent) consultants (18 percent), and students (15 percent).

Hackers on both platforms have similar reasons for doing what they do: Learning/professional development, the challenge, and money were listed at the three main drivers for hacking on both platforms, with money coming third on both.

How much do ethical hackers earn on bug bounties?

How much a hacker can earn obviously depends on a variety of factors.

According to HackerOne’s yearly report, hackers in India can earn an average of 16 times the median salary of a software engineer in the country, while the rest of the world can earn more than 2.5 times the median salary of a software engineer in their home country.

Globally, 37 percent of hackers on the platform hack as a hobby in their spare time, around a quarter rely on bounties for at least 50 percent of their annual income, and 14 percent say their bounties represent 90 to 100 percent of their annual income.About 12 percent make $20,000 or more annually from bug bounties. About 3 percent earn more than $100,000 per year, with 1 percent making more than $350,000 annually.

Meet the hacker: Tommy ‘dawgyg’ DeVoss

Role: Full-time hacker for the last 12 months.

Education: Pursuing a degree in network security, involved with hacking since the mid-1990s.

Highest payout: $10,000 for being able to double spend cryptocurrency, $10,000 for a privilege escalation vulnerability, several $10,000 payouts for SQL injections and file-system access.

What makes bug bounties appealing: “The money is the most appealing part, but other things such as learning new things constantly, and the community members also make it very appealing.It feels like we are all friends, rather than basically competitors when it comes to finding the bugs.”

On the changing perception of bug bounty programs: “Companies are much more understanding now than they were even two years ago. They seem to be seeing the value that having bug-bounty programs brings to their overall security, and programs have gotten much better with interacting with the community.”

Would you submit an issue to a company that didn’t have a vulnerability disclosure policy? “I won’t risk testing a site without their permission, because messing with the CFAA is not worth the hassle or bounties potentially received by testing random sites.”

But the majority earn less than this. Founder Michiel Prinssays the lowest reward HackerOne recommends is $100 for what he described as the “low-hanging fruit vulnerabilities.” “The average reward a hacker earns is around $500. Then we’ve had hackers that earn up to $30,000 for one vulnerability. For the average hacker, this is more of a supplemental income, and then we have a few rock stars that are making almost $300,000 a year, and for some of them that is still their side income!”

And what about spending it? According to Bugcrowd, the majority of rewards get spent reinvesting in tools and development, with living expenses and ‘fun stuff’ representing the other two main ways to spend.

The temptations of unethical hacking

While ethical hackers can make small fortunes, unethical hacking still pays handsomely. Last year, Vice reported that hackers who found high-level vulnerabilities in iPhones could earn nearly ten times as much selling these vulnerabilities on the dark web compared to actually reporting them to Apple.

This story, "Meet the modern software tester: Bug hunters profiled" was originally published by IDG Connect.

Next read this:

Dan Swinhoe is UK Editor of CSO Online