Bug Bounty Hackers Make More Money Than Average Salaries, Report Finds

Bug bounty programs exist to reward ethical hackers with a financial award (the “bounty”) for responsibly disclosing security vulnerabilities. What types of people participate in bug bounty programs and why do they do it? Those are just a few of the questions that managed bug bounty platform provider HackerOne answers in its 2018 Hacker Report. The 40-page report, released on Jan. 17, is based on answers from 1,698 respondents around the world. Among the key findings in the report is that individuals who participate in bug bounty programs earn on average 2.7 times more than the median salary of a software engineer in their home country. In this slide show, eWEEK looks at the highlights of the HackerOne 2018 Hacker Report.

Most bug bounty payouts come from programs in the United States, according to the HackerOne report. Correspondingly, individuals in the U.S. are the top recipients of bug bounty payouts, followed by researchers located in India.

Bug bounty program participants overall make an average of 2.7 times more than the median software engineer salary in their home country, HackerOne found. Researchers in India see the largest difference, making an average of 16 times the median salary of a software engineer in that country. U.S. researchers, meanwhile, make an average of 2.4 times more than the median salary.

More than 90 percent of bug bounty program hackers are under the age of 35, with nearly half (46.7 percent) working in the IT industry, according to HackerOne’s research.

According to HackerOne, 71.2 percent of respondents to its survey have been hacking for one to five years.

The most widely used tool by bug bounty hunters is the Burp Suite, which is a set of hacking tools from software vendor Portswigger. The Burp Suite is used by 29.3 percent of bug bounty hunters, while 15.3 percent build their own tools and 11.8 percent use network vulnerability scanners.

The top target identified in the HackerOne survey is websites at 70.8 percent, followed in distant second by APIs at 7.5 percent.

Bug bounty hunters use many different attack techniques, with Cross Site Scripting (XSS)—used by 28.8 percent of respondents—as the preferred attack vector.

More bug bounty hunters hack a company because they like a company (13 percent) than they dislike a company (2.1 percent). However, the single biggest reason (23.7 percent) a hacker chooses a particular company to hack is simply based on the bounties offered.