A simple question with a complex answer, according to HackerOne research.
You get what you pay for in the cybersecurity industry, but bug bounty programs are not just about the money, according to new research.
In today’s world, where data breaches and information leaks have become a near-daily occurrence, it is all too easy to conflate the terms “cybercriminal” and “hacker.” However, they are not one and the same — someone who breaks into networks without consent, for example, is a criminal, while hackers tackle problems, may work with companies to shore up their defenses, investigate malware and find product vulnerabilities so vendors can improve the security of their products.
This is why bug bounties are becoming more and more popular. By offering security researchers financial incentives, companies ranging from Apple to United Airlines are able to tap into a pool of external experts rather than rely purely on in-house staff to find every security flaw in networks and software which could place the corporation — and customers — at risk.
However, is it all about the money? The answer is a resounding no, according to platform HackerOne’s 2016 Bug Bounty hacker report.
The bug bounty platform says that out of 617 researchers surveyed, all of whom have submitted valid security flaws to various programs, 72 percent say they do it purely for the money — but 70 percent said they also hack for the fun of it, and 66 percent enjoy the challenge bug bounty programs offer.
In addition, 51 percent said they hack “to do good in the world.”
While bug bounty schemes can be lucrative, with almost 11 percent of respondents making over $50,000 per year and six percent making more than $100,000 per year, over half of hackers — 57 percent — have participated in programs in the last six months which offer no financial reward at all.
In total, 17 percent of respondents said they rely solely on bug bounty programs to stay afloat, and 26 percent said that between 76 percent and 100 percent of their income comes from bug bounty rewards. (However, it is worth noting that 27 percent of respondents were not willing to share their income levels.)
It also seems that company loyalty comes into play. In total, over 30 percent of respondents claim they participate in particular bug bounty programs because they like a company and want to help out.
Hackers can be found worldwide. On the HackerOne platform, contributors come from over 100 countries, with the largest share in India — 21 percent — followed by the US at 19 percent. The majority of hackers report themselves to be under 34 years old.
Cyberthreats are not going away anytime soon. For as long as cybercriminals ranging from script kiddies to state-sponsored threat actors exist, security experts are going to be needed — and while you get what you pay for, it is also good to know that many researchers do it for the love of the job.