A survey of 1,700 bug bounty hunters registered on the HackerOne platform reveals that top white-hat hackers make on average 2.7 times more money than the average salary of a software engineer in the same country.
The reported numbers are different for each country and may depend on a bug bunter’s ability to find bugs, but the survey’s results highlight the rising popularity of bug hunting as a sustainable profession, especially in less developed countries, where it can help talented programmers live a financially care-free life.
India is the best place to be a bug hunter
According to HackerOne’s report, it pays to be a vulnerability researcher in India, where top bug hunters can make 16 times more compared to the average salary of a software engineer.
Other countries where bug hunting can assure someone a comfortable living are Argentina (x15.6), Egypt (x8.1), Hong Kong (x7.6), the Philippines (x5.4), and Latvia (x5.2).
But bug hunting is also a sustainable profession in developed countries as well, though the differences between average yearly bug bounty payouts and a software engineer’s average salary are far smaller.
For example, a top bug bounty hunter makes 2.4 times more than the average software engineer in the US, 2.5 times than one in Canada, 1.8 times more than one in Germany, and 1.6 times than software engineers in Israel.
More details about the profession of bug bounty hunting and other vulnerability research statistics are available in HackerOne’s 40-page 2018 Hacker Report.
If you don’t have the time to peruse through the report, below are some of its key findings:
⊛ 58% of bug bounty hackers are self-taught.
⊛ 37% of white-hat hackers say they hack as a hobby in their spare time (not their primary job).
⊛ About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties.
⊛ Over 3% o bug hunters are making more than $100,000 per year.
⊛ 1.1% are making over $350,000 annually.
⊛ 13.7% say bounties earned represent 90-100% of their annual income.
⊛ India (23%) and the United States (20%) are the top two countries represented on the HackerOne platform, followed by Russia (6%), Pakistan (4%), and the United Kingdom (4%).
⊛ Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
⊛ US companies have paid over $15 million to bug hunters via HackerOne in 2017.
⊛ US bug hunters racked over $4.1 million in bug rewards, while Indian white-hat hackers earned over $3 million.
⊛ “Websites” was the overwhelming winner to the question of “What is Your Favorite Kind of Platform or Product to Hack?” with a 70.8% score.
⊛ “Money” was not the primary motivation for getting into bug hunting. It ranked only fourth.
⊛ XSS was the favorite vulnerability white-hat hackers liked to search for.
⊛ Almost 30% of respondents said they use Burp Suite for hunting bugs. Other ranked tools include: