The Bug Bounty Business: Who Are The Bounty Hunters?
HackerOne co-founder Michiel Prins classifies the more than 160,000 security researchers participating in his company's crowdsourced security testing platform into a pyramid.
Bug bounty hunters range anywhere from high school and college students trying to jumpstart their careers through public recognition to super-elite hackers who are interested only in high-impact, challenging vulnerabilities and don't even bother with the low-hanging fruit, Prins said. Young people make up a large share of HackerOne's community, with more than half of the hackers under age 25 and 8 percent under the age of 18.
Bug hunting can be a lucrative activity for the top hackers, with roughly 12 percent of researchers on HackerOne making $20,000 or more from bug bounties annually. A quarter of researchers on HackerOne rely on bounties for at least half of their income, while 13.7 percent said bounties represent at least 90 percent of their annual income.
HackerOne frequently works with MSSPs who are interested both in helping their customers implement a bug bounty program on HackerOne and in managing it on the client's behalf, Prins said. Competing platform Bugcrowd partners with VARs, SIs, MSSPs and security consultants to provide greater access to the company's offering and ensure program success, according to the company's website.
The United States and India are, by far, the two most common countries of residence for security researchers, with half of Bugcrowd's hackers and 40 percent of HackerOne's hackers living in one of those two countries. No other nation accounts for more than 6 percent of the researchers present on either platform.
India had long held the top slot for the number of researchers on Bugcrowd's platform, but an increase in larger programs with more lucrative and complex bounties helped propel the United States past India in the 2017 rankings. Bug hunters in countries like India and Pakistan tend to focus most heavily on medium-criticality vulnerabilities, Bugcrowd said.
The bounty payouts, though, go much further in developing nations, with India's top bounty hunters earning 16 times the median salary of a software engineer in the nation, HackerOne found. But in higher-wage locations like the United States, HackerOne found that the top bounty hunters earn just 2.4 times the median salary of an American software engineer.
Prins said HackerOne has paid out some $24 million in bounties since launching six years ago. And HackerOne believes the industry is about to hit an inflection point, with Prins saying the company expects the amount paid to security researchers to nearly quadruple to $100 million between now and 2020.