HackerOne's 2018 report details ethical hackers' motivations, income, demographics, educational backgrounds, and more. It also notes why some white hat hackers don't report vulnerabilities.
"I think we need hackers, and in fact, they just might be the immune system for the information age. Sometimes they make us sick, but they also find those hidden threats in our world, and they make us fix them."
HackerOne's report vindicates Elazari
The wise old adage "It takes one to know one" gives credence to Elazari's contention, as does the 2018 Hacker Report by HackerOne, a hacker-powered cybersecurity community. As of December 2017, HackerOne reports it has more than 166,000 total registered hackers, more than 72,000 valid vulnerabilities have been submitted, and the platform has paid more than $23.5 million in bounties.
From the 2018 Hacker Report's executive summary: "The internet gets safer every time a vulnerability is found and fixed." This is what hacker/security researchers at HackerOne do: They find potential problems and report them to the affected organizations so the issues are done away with before they can be exploited by bad actors.
"Every day, hackers demonstrate the power of the community by reporting thousands of vulnerabilities to companies and government agencies to make the internet safer for us all," said Marten Mickos, CEO, HackerOne. "We are blown away by the skills, the passion, and integrity of the individuals showcased in this report. The work of the ethical-hacker community is significantly reducing the risk of security breaches."
SEE: Guidelines for building security policies (Tech Pro Research)
Findings from the 2018 Hacker Report
The authors of the 2018 Hacker Report surveyed 1,698 respondents (more than any previous year), and what they found is interesting.
- On average, top-earning hacker/researchers make 2.7 times the median salary of a software engineer in their home country.
- Money is one of the top reasons why bug-bounty hunters hack, but it's fallen from first to fourth place. Most of the participants say their motivation is the opportunity to learn tips and techniques. The second most popular reason was evenly split between "to be challenged" and "to have fun."
- Over 35% of the participants consider vulnerability hacking a hobby. Of those surveyed, 12% have an annual income from bug bounties of $20,000 or more, with 3% earning more than $100,000 per year, and 1% making over $350,000 annually.
- India (23%) and the US (20%) are the top two countries represented in the survey group.
- More than half of the respondents studied computer science at an undergraduate or graduate level, with 26% studying computer science in high school.
- Nearly all of the members of the HackerOne community are under the age of 35, with a majority (45%) between 18 and 24 years old.
The proof is in the Signal
Three percent of survey respondents identified "showing off" as a reason for hacking. This raises the question of how companies like HackerOne prove their value. How do they show they are actually making a difference? That is where Signal comes in. The analysts at HackerOne categorize vulnerability reports into the following Signal Groups.
- Clear Signal: Vulnerability reports are closed as "resolved." This means the issue was a valid security bug that was fixed by the vulnerability-response team.
- Nominal Signal: These reports are closed and marked "won't fix" or duplicates of resolved issues. While not contributing to clear signal, many of these reports were technically accurate based on the best information available to the researcher.
- Noise: These reports are closed as Not Applicable, Spam, or duplicates.
The Hacker Report mentions the bug-bounty programs of GitHub, Facebook, and Google advertise signal rates of 4%, 5%, and 7%, respectively. The report notes that HackerOne's baseline clear-signal percentage is 42%.
Not all companies welcome ethical hacking
The HackerOne report states that even though ethical hacking is becoming more accepted by businesses, there are still significant hurdles. "Ninety-four percent of the Forbes Global 2000 do not have a published vulnerability disclosure policy," explains the report. "As a result, nearly one in four hackers have not reported a vulnerability they found because the company didn't have a channel to disclose it."
That said, the report offers hope, mentioning, "Seventy-two percent of the hackers surveyed reported companies are becoming more open to receiving vulnerabilities."
Brett, one of the hacker/security researchers at HackerOne, might have said it best:
"At the end of the day, we're all in this together. We're trying to find stuff and fix issues. We're trying to help protect the world. That's what it comes down to, and I like being a part of that."
Editor's note: The article was updated on Feb. 8, 2018 to reflect that HackerOne's baseline clear-signal percentage is 42%. The baseline clear-signal percentage of 14% was from 2015 data.
- HackerOne predicts its bug bounty payments will quintuple by 2020 (TechRepublic)
- HackerOne CEO: The tech industry has some 'catching up to do' on software security (TechRepublic)
- Insider secrets of a white hat hacker on security that actually works (TechRepublic)
- Video: Why organizations need ethical hackers now more than ever (TechRepublic)
- Ethical hackers: How hiring white hats can help defend your organisation against the bad guys (TechRepublic)
- How to develop a bug bounty program (TechRepublic)