Ethical hackers' top motivation isn't money, according to HackerOne

HackerOne's 2018 report details ethical hackers' motivations, income, demographics, educational backgrounds, and more. It also notes why some white hat hackers don't report vulnerabilities.

How ethical hackers keep systems and data safe

Keren Elazari, a cybersecurity analyst who knows the hacking world intimately, said something at TED 2014 that we all needed to hear:

"I think we need hackers, and in fact, they just might be the immune system for the information age. Sometimes they make us sick, but they also find those hidden threats in our world, and they make us fix them."

HackerOne's report vindicates Elazari

The wise old adage "It takes one to know one" gives credence to Elazari's contention, as does the 2018 Hacker Report by HackerOne, a hacker-powered cybersecurity community. As of December 2017, HackerOne reports more than 166,000 registered hackers, more than 72,000 valid vulnerabilities submitted, and more than $23.5 million paid out in bounties.

From the 2018 Hacker Report's executive summary: "The internet gets safer every time a vulnerability is found and fixed." This is what the hacker/security researchers at HackerOne do: They find potential problems and report them to the affected organizations so the issues can be fixed before bad actors exploit them.

"Every day, hackers demonstrate the power of the community by reporting thousands of vulnerabilities to companies and government agencies to make the internet safer for us all," said Marten Mickos, CEO, HackerOne. "We are blown away by the skills, the passion, and integrity of the individuals showcased in this report. The work of the ethical-hacker community is significantly reducing the risk of security breaches."


Findings from the 2018 Hacker Report

The authors of the 2018 Hacker Report surveyed 1,698 respondents, more than in any previous year, and several of the findings are worth noting.

  • On average, top-earning hacker/researchers make 2.7 times the median salary of a software engineer in their home country.
  • Money is still one of the top reasons bug-bounty hunters hack, but it has fallen from first to fourth place. Most participants say their main motivation is the opportunity to learn tips and techniques; the second most popular reason was evenly split between "to be challenged" and "to have fun."
  • Over 35% of the participants consider vulnerability hacking a hobby. Of those surveyed, 12% have an annual income from bug bounties of $20,000 or more, with 3% earning more than $100,000 per year, and 1% making over $350,000 annually.
  • India (23%) and the US (20%) are the top two countries represented in the survey group.
  • More than half of the respondents studied computer science at an undergraduate or graduate level, with 26% studying computer science in high school.
  • Nearly all of the members of the HackerOne community are under the age of 35, with the largest group (45%) between 18 and 24 years old.


The proof is in the Signal

Three percent of survey respondents identified "showing off" as a reason for hacking. That raises the question of how a company like HackerOne proves its own value: How does it show it is actually making a difference? That is where Signal comes in. HackerOne's analysts sort vulnerability reports into the following Signal Groups.

  • Clear Signal: Reports closed as "resolved." The issue was a valid security bug that the vulnerability-response team fixed.
  • Nominal Signal: Reports closed as "won't fix," or duplicates of resolved issues. While they don't count toward clear signal, many of these reports were technically accurate based on the best information available to the researcher.
  • Noise: Reports closed as Not Applicable, Spam, or other duplicates.

The Hacker Report mentions that the bug-bounty programs of GitHub, Facebook, and Google advertise signal rates of 4%, 5%, and 7%, respectively. By comparison, the report notes that HackerOne's baseline clear-signal percentage is 42%.


Not all companies welcome ethical hacking

The HackerOne report states that even though businesses are increasingly accepting of ethical hacking, significant hurdles remain. "Ninety-four percent of the Forbes Global 2000 do not have a published vulnerability disclosure policy," explains the report. "As a result, nearly one in four hackers have not reported a vulnerability they found because the company didn't have a channel to disclose it."

That said, the report offers hope, mentioning, "Seventy-two percent of the hackers surveyed reported companies are becoming more open to receiving vulnerabilities."

Brett, one of the hacker/security researchers at HackerOne, might have said it best:

"At the end of the day, we're all in this together. We're trying to find stuff and fix issues. We're trying to help protect the world. That's what it comes down to, and I like being a part of that."

Editor's note: The article was updated on Feb. 8, 2018 to reflect that HackerOne's baseline clear-signal percentage is 42%. The baseline clear-signal percentage of 14% was from 2015 data.
