Bug Bounty Programs Are Paying Off for Hackers, HackerOne Finds | eWeek

Bug Bounty Hackers Make More Money Than Average Salaries, Report Finds

1088_BugHuntersSalary
Jan 22, 2018
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More


Bug Bounty Hackers Make More Money Than Average Salaries, Report Finds

Bug Bounty Hackers Make More Money Than Average Salaries, Report Finds

Bug bounty programs exist to reward ethical hackers with a financial award (the “bounty”) for responsibly disclosing security vulnerabilities. What types of people participate in bug bounty programs and why do they do it? Those are just a few of the questions that managed bug bounty platform provider HackerOne answers in its 2018 Hacker Report. The 40-page report, released on Jan. 17, is based on answers from 1,698 respondents around the world. Among the key findings in the report is that individuals who participate in bug bounty programs earn on average 2.7 times more than the median salary of a software engineer in their home country. In this slide show, eWEEK looks at the highlights of the HackerOne 2018 Hacker Report.


Where the Bug Bounty Payouts Go

Where the Bug Bounty Payouts Go

Most bug bounty payouts come from programs in the United States, according to the HackerOne report. Correspondingly, individuals in the U.S. are the top recipients of bug bounty payouts, followed by researchers located in India.


Bug Bounties vs. Salaries

Bug Bounties vs. Salaries

Bug bounty program participants overall make an average of 2.7 times more than the median software engineer salary in their home country, HackerOne found. Researchers in India see the largest difference, making an average of 16 times the median salary of a software engineer in that country. U.S. researchers, meanwhile, make an average of 2.4 times more than the median salary.


Advertisement

Who Are the Bug Bounty Hunters?

Who Are the Bug Bounty Hunters?

More than 90 percent of bug bounty program hackers are under the age of 35, with nearly half (46.7 percent) working in the IT industry, according to HackerOne’s research.


Most Have Been Hacking for Less Than Five Years

Most Have Been Hacking for Less Than Five Years

According to HackerOne, 71.2 percent of respondents to its survey have been hacking for one to five years.


What Tools Do Bug Bounty Hunters Use?

What Tools Do Bug Bounty Hunters Use?

The most widely used tool by bug bounty hunters is the Burp Suite, which is a set of hacking tools from software vendor Portswigger. The Burp Suite is used by 29.3 percent of bug bounty hunters, while 15.3 percent build their own tools and 11.8 percent use network vulnerability scanners.


Websites Are Top Target

Websites Are Top Target

The top target identified in the HackerOne survey is websites at 70.8 percent, followed in distant second by APIs at 7.5 percent.


Cross Site Scripting is a Top Attack Vector

Cross Site Scripting is a Top Attack Vector

Bug bounty hunters use many different attack techniques, with Cross Site Scripting (XSS)—used by 28.8 percent of respondents—as the preferred attack vector.


Why Do Bug Bounty Hunters Choose the Companies They Hack?

Why Do Bug Bounty Hunters Choose the Companies They Hack?

More bug bounty hunters hack a company because they like a company (13 percent) than they dislike a company (2.1 percent). However, the single biggest reason (23.7 percent) a hacker chooses a particular company to hack is simply based on the bounties offered.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.