The number of high-profile cybersecurity breaches making headlines each week has driven more organizations to adopt crowdsourced security programs—wherein "ethical hackers" seek out bugs and flaws for a fee, according to a Wednesday report from Bugcrowd. These whitehat hackers can earn large amounts of money for their efforts, the report found: The average yearly payout of the top 50 whitehat hackers was $145,000 USD, with over 600 valid submissions.
The crowdsourced security model benefits enterprises by bringing together whitehat hackers worldwide, ranging in experience from students to top security talent, and lets companies draw on pools of untapped talent that would otherwise be out of reach, the report noted.
The report analyzed data from 750 of Bugcrowd's global whitehat hacker and pen tester community members. Some 43% of these hackers learned how to hack via online resources and blogs, and 41% are self-taught, they reported.
Two-thirds of whitehat hackers surveyed (66%) said they spend up to 10 hours per week bug hunting, though more than 50% have a regular 9-5 job, the report found. And being a bug hunter can act as an entry point into a cybersecurity career: 81% of hackers said their experience bug hunting has helped them land a job in the cybersecurity field, according to the report.
However, there is still a major gender gap in the whitehat hacking field, the report found: 92% of those surveyed identified as male, and just 4% as female.
Ethical hackers are primarily motivated to bug hunt due to the challenge (64%), professional development (61%), education (57%), and to make the internet a safer place (51%), the report found.
Bug hunters can earn money quickly by seeking out vulnerabilities in code. Elite bug hunters can make up to $500,000 a year by finding those flaws and submitting them to the program owner to fix before a malicious hacker can exploit them, according to the report. Across all programs and industries, the average whitehat hacker payout per vulnerability is now $783—a 73% increase over last year, the report found. And 75% of all P1 vulnerability payouts were above $1,200, up from $926 last year.
In the past year, the largest number of payouts (81%) came from website vulnerabilities, followed by hardware (7%) and API (6%).
Here are the top skills that whitehat hackers currently have, according to the report:
- Web application (96%)
- Network pen testing (85%)
- API assessment (79%)
- Social engineering (79%)
- Source code analysis (78%)
- Mobile: Android (76%)
- Cryptography (67%)
- Binary analysis and reverse engineering (63%)
- Mobile/iOS application (57%)
- OS/Firmware testing (51%)
- Malware analysis (49%)
- IoT/Embedded device (49%)
- Hardware hacking (45%)
- Mobile: BBRY/WINMO (36%)
- Vehicle testing (26%)
The big takeaways for tech leaders:
- Whitehat hackers are primarily motivated to bug hunt due to the challenge (64%), professional development (61%), and education (57%). — Bugcrowd, 2018
- The most popular skills for whitehat hackers are web application development, network pen testing, and API assessment. — Bugcrowd, 2018
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.