New report predicts bounty hunters prevented $8.9bn worth of cybercrime damages last year
The number of Indian hackers on bug bounty platform Bugcrowd has increased dramatically over recent months, overtaking the US as the number one country for the first time.
A new report, ‘Inside the Mind of a Hacker 2020’, was released by Bugcrowd today.
The report analyzed data taken from a survey of 3,493 respondents, plus data from 1,549 Bugcrowd vulnerability disclosure programs from May 2019 to April 2020.
It found that the number of bug hunters from India grew by 83% from the previous year, cementing the country’s reputation as a world leader in information security research.
Deep dive
India has now overtaken the US, which was knocked to second place with 10% of Bugcrowd users, for the first time.
The report reads: “In 2019, 27% of respondents said they lived in the United States, yet only 10% reported living there in 2020.
“Such a significant drop might appear to indicate that the number of security researchers who respond from [the US] is shrinking.
“However, a closer examination of the data shows that the number of respondents from India are merely increasing exponentially faster than other countries that are also experiencing growth.”
Also making up the top five, in order, are Pakistan, Bangladesh, and Indonesia. The UK and Australia came sixth and eighth, respectively.
Figure: Top 10 countries where respondents report living
Overcoming stereotypes
The results come as Bugcrowd announced that it estimates it prevented $8.9 billion worth of cybercrime in 2019 alone.
Aside from tracking where security researchers on the Bugcrowd platform live, the report also aims to take a deeper dive into what factors define a hacker.
Bugcrowd founder and chief technology officer Casey Ellis told The Daily Swig that the company wants to dispel the myth of the hooded figure in a dark room.
“This year’s report consciously does away with the typical line of questioning previously seen in the hacking community, like ‘What do you spend your cash on?’, and ‘What’s the most money you’ve ever made in one go?’
“Instead, it takes readers inside the mind of 3,493 global hackers to answer questions like, ‘Are hackers good people?’ and, ‘How much risk am I responsible for?’”
Interestingly, the study also tracked how many hours of sunlight respondents receive each day.
Ellis explained to The Daily Swig that this was in order to combat the long-held idea that hackers are criminals dwelling in dark basements.
“This year, we’ve collected a mix of data that humanizes hackers and puts a price on the work they do. This ensures the report paints a complete picture of the global hacking community, rather than only focusing on ‘the 1%’ of hackers who have earned millions,” said Ellis.
“We’ve also included quirky data, like how much sunshine they observe and how they perceive themselves, to break down long-held negative stereotypes about hackers.
“For example, hackers are frequently portrayed as operating in dimly-lit basements, but 71% of hackers report seeing way more sun than that stereotype suggests.
“This offers yet more reason to redefine the perception of hackers from being formidable hooded characters to everyday people that you could run into at your local mall.”
Fountain of youth
More than half of those surveyed – 53% – were under 24 years old, identifying an interesting trend in Millennial and Gen Z bug hunters.
Of the survey respondents, 41% were also newcomers, meaning they had joined the platform within the last 12 months.
A further 13% identified as being neurodiverse, an umbrella term to describe a number of conditions including Attention-Deficit Hyperactive Disorder (ADHD) and autism.
Ellis said: “Nearly half of neurodiverse hackers (6%) experience ADHD and thrive in environments of rapid change, such as security research, where creativity and out-of-the-box thinking are rewarded generously.”
He added: “These unique strengths include exceptional memory skills, heightened perception, a precise eye for detail, and an enhanced understanding of systems.”
Ellis explained that the data was collected during the onset of the coronavirus outbreak, and so while the pandemic may well affect next year’s results, it has already impacted this year’s report.
He also gave predictions for what we will see in the future, noting that in the next year, he expects more and more organizations to open their own bug bounty programs focused on protecting critical infrastructure and securing remote working.
The report reads: “As organizations observe step-function changes to their risk models related to Covid-19, the prospect of remote-only cybersecurity testing is no longer a deal-breaker.”
It adds: “In line with these trends, and based on conservative estimates, Bugcrowd projects that hackers working on our platform will prevent more than $55 billion in cybercrime by 2025 for organizations worldwide.”