One common criticism of bug bounty programs is that very few hackers actually make money. Not only is this untrue, but it misses the point.
Thomas Claburn recently argued that "you're better off exterminating roaches" than hunting software bugs if you hope to make a living. For "dawgyg," who cleared over $500,000 killing bugs just on HackerOne in 2018 and hopes to make a cool $1,000,000 in 2019, that's the equivalent of one heck of a lot of cockroaches.
Of course, not all hackers will make dawgyg-like money, but that's not the point. According to HackerOne CEO Marten Mickos, over 1,000 hackers have earned at least $5,000, while more than 100 hackers have earned a minimum of $100,000--that's real money. The biggest benefit, says Mickos, is that bug bounties create "opportunity democratized across the entire globe," all while creating improved security for the companies that use bounty programs.
SEE: Research: As overseas business operations grow so do concerns over cyberwarfare and cybersecurity (Tech Pro Research)
I see dead bugs
The hacker community is power-law distributed, Mickos explains. Those who make a lot of bounties make much more than those who are only starting. That said, plenty of people make money with HackerOne and other bounty companies. To date:
- Over 300,000 hackers have signed up on HackerOne;
- about 1 in 10 have found something to report;
- of those who have filed a report, a little over a quarter have received a bounty;
- 1,000 hackers have earned $5,000 or more;
- about 100 hackers have earned $100,000 or more; and
- two hackers have reached or are very close to $1 million in total rewards on HackerOne.
Importantly, hackers can quickly rise in those ranks, making it less an oligarchy of hacker talent that it's sometimes perceived to be and more a democratized system that spreads lots of wealth around. How much? Well, HackerOne alone paid out $19 million in bounties in 2018, a number Mickos says will be "much higher" in 2019.
SEE: Eight things you should know before launching a cybersecurity career (free PDF) (TechRepublic)
Some of that "much higher" number will find its way to people like Thomas Shadwell, a security engineer with Twitch, based in London. A few weeks ago Shadwell wrote up a bug find and collected $7,500 for his troubles. Shadwell had been on the HackerOne platform for a few years without filing many reports, according to Mickos. Maybe his day job at Twitch kept him too busy.
This is what makes the bug bounty programs "so phenomenally powerful," in Mickos' words. "Super smart people who are fully engaged in cybersecurity work in their spare time hunt for vulnerabilities, report them, and help others explain how it was done. The security of the company in question improves. The overall understanding of this type of vulnerability increases in the industry." Oh, and the bug-killer gets supplemental income.
More money, fewer bugs
Yes, some hackers do this full-time, but not most; for most, it is a hobby, and their day job is to study or work. For instance, many are pentesters in their day jobs and bug hunters at night; this allows them to keep up their skills and learn more while earning a nice addition to their regular salary. Some pentesters give up their day job to turn to bug hunting full time, but even if they don't, both the companies paying the bounties and the hackers earning them benefit.
And yet...there's a real chance to turn bug-hunting into a full-time job.
When it comes to power-law distributed sets, such as this one, Mickos tells me, averages and medians mean very little; instead, it makes sense to compare members (hackers in this set) to a peer group of similar members. Concretely, the average earnings may always stay low on bug bounty programs. HackerOne currently has over 320,000 hackers registered, up from 16,000 just three years ago. That increasingly broad base of hackers provides a "breeding ground where everyone is given a chance to show what they can do so that the most promising hackers can be identified and offered a path forward and up."
Many of those 320,000 engineers will never file a report, though many will and, like Shadwell, may find birthday money to spend. The average hacker is probably never going to get rich on bug bounties. Still, Mickos concludes, "Those who participate in earnest are never average. With tenacity and skill anyone has the opportunity to royally beat the average."
Interest in bug bounty programs continues to explode, and for good reason: They offer a great way to align the interests of companies that need to improve security with the people most capable of delivering that security. All for a fee. And, at times, a very royal fee.
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Microsoft launches Azure DevOps bug bounty program, $20,000 rewards on offer (TechRepublic)
- Top 5: Reasons you need a bug bounty program (TechRepublic)
- How to develop a bug bounty program (TechRepublic)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2018 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)