It usually involves spending hours and hours looking over code to find a weakness or mistake. The rewards are usually high though. So, who does it?
HackerOne surveyed almost 2,000 hackers from almost 200 countries. Everyone surveyed had submitted at least one verified vulnerability. HackerOne also chucked into the mix data from the HackerOne platform, which is used by over 900 bug hunters.
The result of all that is the 2018 Hacker Report, which HackerOne claims is the biggest survey of ethical hackers ever undertaken.
So, are all the hackers clever Russians? No. No they’re not. A whopping 23% are Indian, where those bounties could replace several years’ worth of wages. Next up is America with 20%. Russia ends up third with a paltry 6%. Pakistan and the UK tie with 4% each.
“Most bug bounties (usually) have no geographical boundaries which means the ROI for the bug hunter can be enormously attractive… Consider what the “return” component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in; this makes bounties enormously attractive and gets precisely the eyes you want looking at your security things. Bounties are a great leveller in terms of providing opportunity to all.” Troy Hunt, Security Expert and creator of the most excellent ‘Have I been pwned’.
Do they rely on this cash for their income? Hell yeah. On average, one bounty is around 2.7 times the median salary for a software engineer in their country. So yes, it can be a very nice find. But that’s the average. When you just look at a poorer country like India, it can be up to 16 times the salary. That’s life-changing stuff right there.
Over 90% are under 35. 45% are between 18 and 24. So, these are young men trying to make a better life for themselves. But how do they learn how to even start?
Tools of the trade
58% are self-taught, whilst 44% are IT pros. 67% get tips and tricks from blogs or the hacker community.
What tools do they use? Well, natch, most say they roll their own, but here’s how the tools break down:
1. Burp Suite (29.3%)
2. I build my own tools (15.3%)
3. Web proxies and scanners (12.6%)
4. Network vulnerability scanners (11.8%)
5. Fuzzers (9.9%)
6. Debuggers (9.7%)
7. WebInspect (5.4%)
8. Fiddler (5.3%)
9. ChipWhisperer (0.8%)
So why do they do it? It ain’t all about the Benjamins. The number one reason is to learn new tips and techniques. Coming in last place is ‘To show off’. Bragging rights are still a thing then.
What’s their favourite attack method? Cross-site scripting (XSS). Here’s the breakdown:
When Ibram Marzouk was asked what he does with the money, he said:
“One of the things that I did with my bounty money was helping my parents buy a house when I came to the U.S., so that’s probably the biggest thing I’ve done with bounty money.”
So hackers aren’t the villains they’re often made out to be. The Chief Security Architect at Acalvio Technologies explains:
“Hackers unfortunately are [often] portrayed as the bad guys, whereas I would argue that for the last 20 or 30 years, we’re actually the good guys. Our job is to help you understand risk, and how you actually mitigate it.”
The dictionary definition sums it all up nicely:
One who enjoys the intellectual challenge of creatively overcoming limitations.