HackerOne’s 2018 report demonstrates the positive impact of hacking
The term “hacker” often conjures up negative images among the public, but those in tech circles understand the art of hacking as an important part of software development. HackerOne recently released their report on the positive impact of hacking and some statistics about the burgeoning professional hacking community.
HackerOne aims to build bridges between organizations and the global hacker community whose efforts make the internet more secure. By providing incentives for hackers to seek out bugs and report them before criminals can exploit them, HackerOne is providing a means for talented hackers to leverage their skills for good. HackerOne is a major player in bug bounties, which, as their report outlines, have proven to be powerful tools for improving the state of the code we rely on every day.
When asked in 2016 why they participated in bug bounty programs, the most common answer was money. In HackerOne’s 2018 report, however, money fell to fourth place. The top reported reason for hacking in 2018 was to learn tips and techniques. The second listed reason was a tie, with some reporting they enjoy the challenge of hacking and others simply saying they find it to be fun. For many, however, bug bounties can serve as a great way to make a living. Top hackers in India, for example, make 16 times the median income of software engineers.
“One of the most interesting findings was the comparison between top bug bounty incomes and regional software engineer salaries,” said Marten Mickos, CEO of HackerOne. “It concretely demonstrates how lucrative bug bounties are becoming. It’s great to see companies place that kind of value on outside perspective.”
Seeking bug bounties can be lucrative. Although 37 percent of participants view hacking as a hobby, 12 percent of hackers are able to make at least $20,000 per year, and three percent bring in more than $100,000. The top 1.1 percent of hackers brought in $350,000 per year. Hacking is an important stream of revenue for many hackers, with one quarter of hackers relying on hacking for more than half of their income and 13.7 percent earning 90 percent or more of their income from hacking.
Vulnerabilities Aren’t Always Reported
Upon discovering a vulnerability, hackers typically want to report it so it can be fixed. Too often, however, companies don’t provide a channel for hackers to report their findings. HackerOne’s report revealed that nearly one in four hackers haven’t been able to report a vulnerability because there was no channel for disclosing it. Furthermore, there can be legal ramifications for revealing a vulnerability even if the hacker’s intentions are good.
“The ethical hacker community is filled with smart, curious, communal and charitable human beings,” said Mickos.
The biggest takeaway of this report should be that the ethical hacking community is eager to do good in the world. They are already finding vulnerabilities. As an organization, are you opening a channel to receive those vulnerabilities? It’s important to at least open the channel of communication with the hacker community through a vulnerability response program.
Fortunately, companies are becoming more open to vulnerability disclosures, and many now provide a safe means for hackers to report them. Hackers also reported having an easier time reporting vulnerabilities compared to previous years, with more than 38 percent claiming that companies are somewhat more open to receiving vulnerability reports and almost 34 percent reporting companies are far more open to receiving them.
Among those surveyed, less than five percent reported having had hacking-specific classroom education in the past. Furthermore, 58 percent report being self-taught hackers. Many have some amount of computer science or programming education. About half of all hackers received at least some undergraduate or graduate computer science education, and more than a quarter received relevant education in high school or earlier.
Hackers hail from across the globe. India was the most represented country, accounting for 23 percent of hackers. The United States was close behind at 20 percent. Other noteworthy countries included Russia, home to six percent of hackers, and Pakistan and the United Kingdom, each with approximately four percent.
A Burgeoning Community
The hacker community traces its roots to the 1960s, and the subculture has long played a critical role in computing. However, bug bounties and other programs are helping to coalesce a more cohesive community. Even though hackers might want to keep some of their techniques secret in order to maximize their earnings, most are happy to share information with others. Solo work dominates the field, but hackers are increasingly working as part of a team.
Hacker events have been around for decades, but the increasing professionalism and maturity of the field have led to more welcoming events. Many hackers find live hacking to be a fun and educational experience, and the communication these events foster has a beneficial effect on hacking and its reputation.
The concept of “security through obscurity” persists in parts of the tech industry, but experts increasingly view it as fundamentally flawed. Furthermore, open source software serves as the backbone of the internet, and companies are seeing the benefits of collaborative software. Although there will always be malicious hackers seeking to exploit vulnerabilities, the hacker community is making tremendous strides in uncovering and patching vulnerabilities before they can be abused.
HackerOne solutions are designed to help companies and government agencies discover critical security vulnerabilities before they can be criminally exploited. HackerOne is a partner member of Cloud28+, the open community of over 700 innovative technology businesses, built to accelerate digital transformation around the globe. Its members are located across North America, EMEA, Latin America and Asia. Join free or find out more here.