Bounties and greater independence are prime motives for hackers hoping to do more freelance bug hunting

Ethical hackers keen to dedicate more time to bug bounty hunting

Lured by both money and the prospect of greater freedom, ethical hackers are increasingly keen on bug bounty hunting, with two thirds considering it as a full-time career.

That’s according to a new report (PDF) from Belgian bug bounty platform Intigriti, which also found that 96% of ethical hackers would like to dedicate more time to chasing bounties generally.

The main appeal is the money – the top attraction for 48% of those surveyed – just ahead of the desire to be their own boss and the ability to work their own hours. Other reasons include the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

According to the report, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students.

Despite this, though, 22% get more than a quarter of their total income from bounty payouts – a hefty boost, given that the average base salary for a penetration tester in the UK is around £38,000 ($51,000).

Bug bountiful

“Full-time bug bounty hunting fits nicely with what many professionals desire today: flexibility, creativity, remote working, and engaging projects,” Inti De Ceukelaire, Intigriti's head of hackers, tells The Daily Swig.

“However, full-time bug bounty hunting works much in the same way as any freelance job. The professional may earn more one month than another due to the opportunities available to their skillset, for example. Therefore, most researchers want to bring their abilities to a specific level before taking the leap into full-time bug bounty hunting.”

RELATED Bug Bounty Radar // The latest bug bounty programs for June 2022

Interestingly, many ethical hackers say they aren’t getting what they need from their employers to keep their skills and knowledge up to date, despite rising cybersecurity threats. In the case of general information security expertise, for example, half (50%) said they turn to bug bounty hunting to pick up the most relevant and useful knowledge, with just 11% giving their job as first choice.

“Finding the right balance between developing skills and tackling current demands is difficult when cyber threats continually evolve,” says De Ceukelaire. “However, bug bounty programs offer a sustainable solution to this problem because it involves continuous vulnerability research.”

Meanwhile, many respondents said that penetration tests can’t provide continuous assurance that an organization is secure year-round. Since May 2021, two thirds of Intigriti’s ethical hackers say they’ve encountered a vulnerability they’d not previously come across before, with a third of these saying they didn’t believe that the bug could have been picked up through a traditional pen test.

Safe harbor

Reassuringly for Intigriti and its competitors, the survey found that hackers are generally keen to find bug hunting opportunities through intermediary platforms – indeed, a quarter say it’s the only way they’re prepared to engage.

Nearly six in ten (57%) respondents said this was because working directly with vendors typically lacked the protection of a legal framework, while 42% said the processes are usually less refined than those of a bug bounty platform. Other reasons included having less support available and a lack of a triage department.

Read more of the latest bug bounty news

Unfortunately, says De Ceukelaire, with bug bounty still being a relatively new testing approach, many organizations are slow to allocate any budget – and this could be an expensive mistake.

Indeed, a quarter of respondents said they’d previously found vulnerabilities but declined to report them because the relevant vulnerability disclosure program didn’t offer financial rewards.

“Despite their strong desire to help, many security researchers expect payment for their reports. For more severe findings, reporting a vulnerability requires hours of the researcher’s time, and in some cases, it can take them days,” says De Ceukelaire.

“Therefore, what a company offers will significantly determine which researcher profiles their bug bounty program attracts – from beginners to full-time professionals.”

YOU MIGHT ALSO LIKE US export ban on hacking tools tweaked after public consultation