More IT pros turn to bounty hunting, says report
The uptick in cyberattacks appears to have had a mirror effect on the cybersecurity community, with researchers increasingly turning to bug bounty hunting to supplement their income, according to research.

Intigriti, which runs a platform for bug bounties – a fee paid to ethical hackers by organizations for discovering and reporting weaknesses in their cyber defenses – said in its latest annual report that the number of analysts signing up had risen year-on-year by 43% in the twelve months to April. Tellingly, the number of exploits submitted to Intigriti had also increased by exactly the same proportion – suggesting that there is ample work out there for white-hat hackers.


The rise means that another 50,000 cybersecurity researchers have joined Intigriti’s platform in the past year, with total bounty payouts rising by 65% to 4.3 million euros. On average, the number of vulnerabilities submitted has increased to 1,600 a month, though not all of these will necessarily be rewarded with a fee.

And with the US Department of Justice (DoJ) relaxing its rules on ethical or white-hat hackers to create a distinction between them and cybercriminals motivated purely by money or state allegiance, this upwards trend looks set to continue.

Last month the DoJ said that hackers deemed to be operating in “good faith” will no longer be charged with malicious hacking offenses under the Computer Fraud and Abuse Act.

Inti De Ceukelaire, head of hackers at Intigriti, welcomed the move.

“There's no denying that the US Department of Justice's recent revised policy regarding ‘good faith hackers’ is big news for the ethical hacking community,” he said. “This is not only a welcome step forward in recognizing the important work done by ethical hackers but an exciting turning point for cybersecurity within the jurisdiction of US courts.”

Freelance hacking – an industry that wants to grow

According to Intigriti, most bug bounty hunters are part-timers, with 54% having a full-time job elsewhere and 32% studying at university or a similar institution. Perhaps unsurprisingly, they are predominantly a young crowd, with 73% falling under the age of 30 and just 7% aged 40 or more.

Most of the younger respondents said they would consider turning bounty hunter full-time (77%), although currently only 14% do this, with most saying they spend up to 20 hours a week doing it as a sideline.


When asked why they would do it as their main job, nearly half (48%) said they were motivated by the money, with 45% saying they wanted to be their own boss and 41% that they found the work interesting.

Clarifying its statement, the DoJ said: “Good faith security research means accessing a computer solely for purposes of [...] testing, investigation, and/or correction of a security flaw or vulnerability, [...] and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

But with just 36% of ethical hackers saying their main reason for wanting to do bug bounty hunting full time is to make companies more secure, it’s unclear whether all of them will benefit from the DoJ’s apparent new lenience. Moreover, one-quarter of hackers said they had not chosen to report a bug to schemes that offered no compensation.

“If a hacker spends their time and finds real vulnerabilities that would damage the company if in the wrong hands, it simply doesn’t seem right that they don’t get paid,” said one Intigriti associate named only as Leorac.

“Unfortunately, there are still many misconceptions around ethical hackers' intentions,” said De Ceukelaire. “However, this revised policy demonstrates that the US Department of Justice is finally recognizing the distinction between ethical and malicious hackers, which will help reassure other organizations still carrying hesitations. Far more importantly, it will clear the way for ethical hackers to work within the US without legal threats arising from the nature of their work.”

Others cited less mercenary motives for joining a bug bounty program, with one in ten saying they relished the chance to “outsmart malicious hackers” and a like proportion that they enjoyed being able to work alone. It remains to be seen whether divergent opinions about motivation from the ethical hacker community will have any bearing on how the DoJ interprets its own changes to the Computer Fraud and Abuse Act.

Diverse in some ways, less so in others

One thing that appears to be beyond doubt is that most bug bounty hunters are – for the foreseeable future – male, with just 5% of Intigriti hackers identifying as female. “We’re trying to change that,” said Intigriti. “One way we can help diversify the industry is to influence the next generation of female security talent by bringing those already defying stereotypes to the forefront.”

To help accomplish this, Intigriti says it has donated all the sponsorship money from a bug bounty conference held in March to Women in Cybersecurity, a grant-funded foundation.

In terms of ethnicity, bug bounty hunters appear to be a far more diverse bunch. The top five countries noted by Intigriti for ethical hackers on its list of associates are India, the US, Belgium, Brazil, and the United Kingdom, respectively.


And that diversity appears to be growing too – Intigriti said that the number of nations signing up to its platform in the year to April had risen 36%. The most effective hackers listed in Intigriti’s books by country were Belgium, the Netherlands, France, India, and the US.

It appears that bug bounty hunters are making a significant contribution to the fight against cybercrime, with two-thirds saying they had discovered an exploit they had not seen before in the past year. Of these, one in three said they did not think such exploits could have been discovered during a penetration test – where an ethical hacker is explicitly given permission to attack a client company’s cyberdefenses – and nine in ten believe that such tests “cannot provide continuous assurance that an organization is secure year-round.”

Given that two-thirds of Intigriti’s respondents have direct experience of pentesting themselves, this highlights the importance of bug bounty programs to the future of cybersecurity. But in a further sign that money is indeed a key motive for many ethical hackers, eight in ten said that “being paid for their time” was the biggest indicator of a pentester’s efficacy.