Inside the Mind of a Hacker - Bugcrowd

INSIDE THE MIND OF A HACKER

The bug bounty community is a truly global group of people, coming from all walks of life, with diverse backgrounds, technical skills and expertise. This diversity is what fuels the power of the crowdsourced cybersecurity economy, connecting a community of skilled, creative individuals with organizations that need their help.

As this market grows and evolves from the small group of hackers it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely. This summer we set out to gain more insight on the makeup of the bug bounty community to shed light on some of those motivations. From our data, we created this report which...

• Provides a glimpse into the Bugcrowd community as a whole
• Identifies five distinct types of bug hunters and what they’re motivated by
• Explores program variables that can motivate and encourage different kinds of bug hunters and the community as a whole

We encourage bug hunters to read on to learn more about your fellow peers, and bounty program owners and managers to use this as an opportunity to learn how to improve your programs and encourage engagement with this skilled and vibrant community.

SNAPSHOT OF THE BUGCROWD COMMUNITY

Since 2013 we’ve enjoyed watching and helping our community grow into the vibrant, self-educating group of talented and passionate security researchers that it is today in 2016. The true value of the community, however, is its diversity and quality. Born from varying geographic locations, backgrounds and experiences, this community comes from all walks of life.

38K+ TOTAL RESEARCHER SIGN UPS AS OF SEPTEMBER ‘16

132% AVERAGE YEAR OVER YEAR GROWTH AS OF SEPTEMBER ‘16

112 COUNTRIES REPRESENTED AS OF SEPTEMBER ‘16

GEOGRAPHY

Bugcrowd researchers come from all over the world, and as of September 1, 2016, the United States (29%) and India (28%) have the most sign-ups, followed by the United Kingdom (6%), Australia (3%), and Germany (2%). Researcher sign-ups by region are represented below. The countries with the most submissions vary slightly, as do countries with the most bounty payouts. Read more about researcher activity and quality by geography in our 2016 State of Bug Bounty Report.

[Map: researcher sign-ups by region; legend bands: 1,000+; 500 to 999; 100 to 499; 10 to 99; Less than 10]

SKILL SETS AND EXPERTISE

When asked which technologies they had intermediate to advanced skill in, 95% of respondents to our aforementioned survey felt they had intermediate or advanced knowledge of web application testing, 48% in Android, 28% in iOS and 15% in IoT. While the Bugcrowd community is made up of security researchers with expertise across numerous technologies, accessibility, opportunity and complexity contribute largely to these responses.

[Chart: share of respondents reporting intermediate or advanced skill, by technology, on a 0% to 100% scale: Web App; APIs/Web Services; Code Review; Mobile App - Android; Network Infrastructure; Linux Desktop/Server software; Mobile App - iOS; Reverse Engineering; Network Appliance; Malware Analysis; IoT/hardware; Mobile App - other; Mobile OS/Baseband; SCADA]

AGE, EDUCATION + PROFESSION

Based on our survey responses, we found that on the whole, this community is relatively young. Nearly 60% were between 18 and 29 years old, followed by 34% who were between 30 and 44. Additionally, bug bounty hunters are no strangers to the classroom, according to survey data. Those with a college degree made up the largest group among participants (37%), followed by those with graduate degrees (21%). Of all survey participants, 84% had attended college for some period of time. While most respondents are employed outside of bug hunting or identify as students, 15% of respondents identified as full-time bug hunters, and we see this number growing. Furthermore, their professions varied: the most common professions reported were software developer/engineer (23%), followed by penetration tester (17%) and security engineer (15%).

LEARN MORE ABOUT BUGCROWD’S COMMUNITY >

WHO ARE THEY?

Through our recent survey, we gained insight into several groups of researchers that share some common traits. Below we’ve highlighted the characteristics of five distinct types of bug hunters that we’ve seen so far in the Bugcrowd community based on what their primary and secondary motivators are. As this community continues to expand, we expect these personas to evolve, and for new ones to emerge.

KNOWLEDGE-SEEKERS

Although they only bug hunt part-time, the Knowledge-Seekers are excited about getting more involved with bug hunting. Most of these hunters are new to the bug bounty scene and have been at it for less than a year. While they’ve improved their skills and submitted some quality reports in the past year, 69% said they plan to submit more bugs in the next year. These researchers may not bug hunt full-time right now, but a good portion (38%) responded that they want to become full-time bug hunters in the future.

“I THINK BUG BOUNTIES ARE GETTING MORE AND MORE POPULAR AND COMPANIES WILL BE MORE LIKELY TO USE THEM IN THE FUTURE TO REDUCE HOLES IN THEIR INFRASTRUCTURE. IT’S A WIN-WIN SITUATION AS IT ALSO GIVES THE OPPORTUNITIES TO YOUNG SECURITY PASSIONATES TO IMPROVE THEIR EXPERIENCE ON REAL SYSTEMS AND EXPAND THEIR KNOWLEDGE.” NICOLAS DEVILLERS, FRANCE LEARN MORE ABOUT NIKAIW

MOTIVATORS: Education, challenge, fun
AGE: 55% are 18-29, making them one of the younger groups
LOCATION: 30% from US, 18% from India, 4% from Sweden, 4% from UK
EDUCATION: Nearly 60% have either a bachelor’s or advanced degree, with 18% of these researchers still identifying as students
CAREER ASPIRATIONS: They are interested in security, as 38% aspire to be a full-time bug hunter in the future, followed by 28% who want to be a top security engineer at a highly esteemed company
YEARS OF EXPERIENCE: This group is largely new to bug bounty hunting, with nearly 90% having less than two years’ experience and 67% with less than a year

HOBBYISTS

“PRIVATE PROGRAMS WITH ONLY A HANDFUL OF DEDICATED RESEARCHERS IS WHERE I’VE HAD THE MOST SUCCESS AS A BUG BOUNTY HUNTER. THESE PROGRAMS ARE GREAT BECAUSE YOU CAN REALLY BEGIN TO BUILD A RELATIONSHIP WITH THE COMPANY OVER THE LIFETIME OF THE PROGRAM, IMPROVING THE COMPANY’S SECURITY AND YOUR BUG HUNTING EXPERIENCE AT THE SAME TIME.” LUKE YOUNG, UNITED STATES LEARN MORE ABOUT BOREDENGINEER

For the Hobbyists, bug hunting is about the money and the fun of the hunt. Most of these hunters have day jobs in software security and use bug bounties as a side gig to inject variety into their penetration testing and earn some extra income, which they mostly spend on leisure and bills. Most of these researchers quite enjoy this hobby, as nearly 60% of these researchers plan to do more bug hunting in the next year.

MOTIVATORS: Expendable income, fun
EDUCATION: This is the most educated group, with over 80% having at least some college. 38% are college grads and 15% completed grad school
PROFESSION: These bug hunters are employed outside of bug hunting. 22% are software engineers or developers, 19% are penetration testers, 18% are security engineers, and 16% are students
YEARS OF EXPERIENCE: This group has the most experience bug hunting, with 30% having 5+ years of experience under their belts, 19% with 3-4 years, and 22% with 1-2 years
TIME SPENT HUNTING: 62% spend less than 5 hours a week hunting, which is less than the other personas
BOUNTY SELECTION CRITERIA: High potential to find valid vulnerabilities, challenging target, untouched program

FULL-TIMERS

The Full-Timers use bug bounties as their main gig, with 55% of this group saying they do bug bounties as their main source of income, and 65% of respondents plan to do even more bug hunting in the next 12 months. With the money they make bug hunting, they spend it paying their bills and living expenses. Likely due to the geographic concentration of this group in India, more than 55% say they need to earn less than $50K to be able to do bug bounty research full-time. We expect to see this group’s country origin diversify over the next year, as total bounty earnings continue to rise across all researchers, and already know of multiple researchers in North America and Europe that bounty hunt full time.

“SECURITY IS WHAT I LOVE AND BUG BOUNTIES OPEN THE POSSIBILITY OF DOING SECURITY WORK, IN MY CASE INTO WEB APPLICATIONS, WITHOUT THE POSSIBILITY OF GETTING JAILED AND ALSO MAKING THE WEB MORE SECURE. ONE BUG MIGHT TAKE HOURS TO FIND, BUT EVERY SINGLE BUG IS THRILLING TO LOOK FOR. IN ADDITION, BUG BOUNTY EQUALS PROFIT, CONSIDERING THE EXCHANGE RATE FROM BOUNTIES PAID IN USD TO PHILIPPINE PESO.” CLIFFORD TRIGO, PHILIPPINES LEARN MORE ABOUT CLIFFORDTRIGO

MOTIVATORS: Primary source of income
LOCATION: Geography varies, but majority from non-Western regions
CAREER ASPIRATIONS: 55% aspire to be a full-time bug hunter
YEARS IN BUG HUNTING: 72% have been bug hunting for less than two years
TIME SPENT HUNTING: This group participates in bug bounties more than other groups, typically 10-30 hours
BOUNTY SELECTION CRITERIA: Broad scope, addressed in the following section

VIRTUOSOS

“I SPENT A LOT OF TIME AS A TEENAGER PROGRAMMING WEBSITES AND LEARNING APPLICATION SECURITY, SO I ALREADY HAD A LOT OF PASSION FOR BUG BOUNTY HUNTING BEFORE IT WAS EVEN A THING. I THINK THAT PASSION, WITH THE ADDED INCENTIVE OF MONEY, IS WHAT DRIVES ME TO KEEP HUNTING FOR BOUNTIES IN THE FEW HOURS I HAVE A NIGHT. IT ALSO HELPS ME STAY RELEVANT AND UP-TO-DATE ON THE LATEST APPLICATION SECURITY TECHNIQUES TO BRING BACK TO MY COMPANY.” BRETT BUERHAUS, UNITED STATES LEARN MORE ABOUT BBUERHAUS

The Virtuosos tend to have the most security industry experience. They have worked in the industry longer than any other group, as 33% of this group have been at it for at least five years. For these bug hunters, what drives them to do bug bounty research is primarily the thrill of the challenge. Most of these researchers have full-time jobs, as nearly 60% of them only bug hunt part-time and do not aspire to hunt full-time.

MOTIVATORS: Challenge, education, money, skill retention
EDUCATION: This group is also very educated, with 71% having graduated from college and another 31% having received a graduate degree
PROFESSION: These bug hunters mostly have full-time jobs. 31% are security engineers or penetration testers, with another 31% working as a software engineer or developer
YEARS IN SECURITY: 33% have been in the security industry for at least five years, making them the most experienced in the security industry
TIME SPENT HUNTING: Similar to the Hobbyists, they spend limited time bug hunting: 63% spent five hours or fewer per week and 65% submitted five bug reports or fewer in the past year
BOUNTY SELECTION CRITERIA: Challenging target, broad scope and potential to find a valid bug

PROTECTORS

The Protectors are a bit more altruistic than others in the community: their major motivation is making the Internet and the products they use safer. This group of researchers ranges in security industry experience, with 40% having less than a year of security industry experience, and 50% having 3+ years of industry experience. While money isn’t a primary motivator for this hacker, 58% say that it’s fairly important that a program offers rewards, with another 13% saying they only hack on programs with rewards. These researchers are interested in both private and public programs (34%), although 24% say they prefer private programs but will do both.

“SECURITY IS EVERYWHERE. YOU CAN’T IGNORE IT, THAT’S A FACT. WHEN I TALK ABOUT SECURITY, PEOPLE IMMEDIATELY UNDERSTAND AND RESPECT WHAT I’M DOING. PEOPLE HAVE A HUGE AMOUNT OF RESPECT FOR MAKING THE WORLD A BETTER PLACE, AND THAT’S WHAT WE’RE DOING. WE’RE DOING IT ONE COMPANY AT A TIME.” FRANS ROSEN, SWEDEN LEARN MORE ABOUT FRANSROSEN

MOTIVATORS: To make the internet safer, challenge, education
PROFESSION: This group is also made up of professionals, with 26% working as software engineers or developers and 18% as security engineers
CAREER ASPIRATIONS: 34% aspire to become a security consultant, 32% want to become a full-time bug hunter
YEARS IN SECURITY: 32% have 5+ years in the security industry
TIME SPENT HUNTING: 47% bug hunt for five hours or fewer per week, 26% spend 6-10 hours
BOUNTY SELECTION CRITERIA: High potential to find a vulnerability, broad scope, untouched program

ADVICE FOR HACKERS, FROM HACKERS

TIP #1:

“FOR THOSE WHO HAVE NOT YET STARTED ON BUG BOUNTIES: DIVE IN, YOU WILL FIND BUGS AND IT WILL BE WORTH YOUR TIME. I OFTEN TALK TO PEOPLE THAT THINK PUBLIC BUG BOUNTIES ARE NOT WORTH THEIR TIME BECAUSE ‘ALL THE BUGS HAVE ALREADY BEEN FOUND’. I ASSURE YOU, THAT IS DEFINITELY NOT THE CASE!” MONGO, PORTUGAL

TIP #2:

“PATIENCE. IT CAN TAKE TIME TO REALLY LEARN THE APPLICATION, AND THE BETTER YOU UNDERSTAND HOW THE APPLICATION WORKS, AND HOW A NORMAL USER IS INTENDED TO USE THE APPLICATION, YOU START TO GET A FEEL FOR WHERE THE MORE INTERESTING THINGS ARE.” CDUNHAM, UNITED STATES

TIP #3:

“I WOULD SUGGEST THAT NEW RESEARCHERS TEST ON KUDOS-ONLY PROGRAMS IN THEIR INITIAL STAGES SO THAT THEY GET EXPERIENCE WITH REAL WEBSITES AND INCREASE THEIR RANKS IN THE RESPECTIVE PLATFORMS, LEADING TO PRIVATE INVITES.” VISHNU_VARDHAN_REDDY, INDIA

TIP #4:

“LINKEDIN PROFILES, COMPANY ‘CAREERS’ PAGES AND PUBLIC MAILING LISTS ARE YOUR FRIEND! IF YOU WANT TO KNOW WHAT YOU’RE LIKELY TO ENCOUNTER IN A GIVEN STACK, SEE WHAT SORT OF DEVELOPER, Q.A. AND OPERATIONS SKILL-SETS A COMPANY IS EMPLOYING.” DARKARNIUM, CANADA

TIP #5:

“READ VULNERABILITY WRITE-UPS FROM OTHER RESEARCHERS AND TRY TO LEARN FROM THEM... USE TWITTER TO CONNECT TO OTHER RESEARCHERS AND FOLLOW THEM. IT’S USUALLY A GREAT RESOURCE TO FIND OUT ABOUT VULNERABILITIES. AND FINALLY, SHARE YOUR KNOWLEDGE WHEN YOU COME ACROSS FUN BUGS!” MICO, UNITED KINGDOM

TIP #6:

“ASK QUESTIONS. THERE ARE COOL PEOPLE OUT THERE THAT COULD HELP YOU. ASK AND YOU SHALL RECEIVE.” NIJAGAW, ENGLAND

TIP #7:

“NEVER IGNORE THAT ‘WAIT, THIS DOESN’T LOOK RIGHT’ FEELING. KEEP POKING AT IT! WHEN YOU FIND A VULNERABILITY, SPEND SOME TIME PLAYING WITH IT AND LEARN FROM WHAT YOU FIND. THERE IS ALWAYS SOMETHING UNIQUE ABOUT A SPECIFIC VULNERABILITY THAT COULD BE USEFUL TO KNOW IN THE FUTURE.” FUZZYBEAR, UNITED STATES

TIP #8:

“DO NOT RELY ON AUTOMATED SCANNERS: MOSTLY IN BUG BOUNTY PROGRAMS, VENDORS WOULD HAVE USED DOZENS OF AUTOMATED VULNERABILITY SCANNERS AND PATCHED THE FINDINGS... I DON’T MEAN THAT AUTOMATED VULNERABILITY SCANNERS ARE NOT HELPFUL, BUT IN THE BUG BOUNTY WORLD, IT’S RARE TO FIND A VALID BUG USING VULNERABILITY SCANNERS.” MAZEN160, UNITED ARAB EMIRATES

TIP #9:

“ONCE YOU’VE FLESHED THE BUG OUT, WRITE A GREAT REPORT. DON’T LET YOUR AWESOME BUG BE LET DOWN BY A TWO-MINUTE ‘IT’LL DO’ SUBMISSION. MAKE IT SHINE. A GOOD BUG REPORTED POORLY IS A POOR SUBMISSION. PUNCH OUT A REPORT THAT’LL BE SHOWN TO MANAGEMENT AS JUSTIFICATION FOR THE PROGRAM’S EXPENDITURE.” JUSTINSTEVEN, AUSTRALIA

EXPLORE MORE RESEARCHER SPOTLIGHTS AND INTERVIEWS >

HOW CAN UNDERSTANDING RESEARCHER MOTIVATIONS HELP YOU RUN A SUCCESSFUL BUG BOUNTY PROGRAM?

Bug bounty programs have evolved from the public, open-to-anyone contests that they started as in 1995. Since then, a number of variables have surfaced, adding more complexity to the bug bounty ecosystem. The four main variables that our customers most commonly adjust to craft their programs are scope, program type (i.e. public or private), rewards and public disclosure policy. These variables work both independently, and in tandem with one another, to motivate specific behavior, and in some cases, attract different types of researchers. As a bug bounty program matures, the goal is to tap into each and every one of the above personas, as each researcher brings his or her own perspective to a program. That is the true benefit of crowdsourced security testing, but we know that can’t always be immediately achieved. Below we have outlined some considerations to weigh when looking into setting up your program or taking your program to the next level.

SCOPE

An organization’s applications, business goals and priorities will determine the scope for a program. To learn more about what to consider when setting up a scope, read our resource on scoping 101. The breadth of scope appeals to different kinds of people with different skills, and there are pros and cons to each.

WIDE SCOPE: To most researchers, a wide open scope (think *.company.com) signifies that an organization takes their application security seriously, as they generally believe ‘bad guys don’t adhere to scope, so why should a bug bounty?’ Oftentimes, bug hunters like the Virtuosos, Full-Timers and the Protectors only take part in these kinds of programs. Having a wide scope, however, can be hard to manage straight out of the gate, and can make it difficult to bring focus to more complex applications.

View Constant Contact’s program across multiple targets

NARROW SCOPE: Having a narrow scope can be successful for more specialized or complex targets that your organization wants to draw attention to, appealing to a specific technical skill a bug hunter might have. On the flip side, more focused programs may attract folks that are just starting out like the Knowledge Seekers. Additionally, they are often run as private programs, discussed further in the next section.

Learn about Instructure’s private program on their LMS, Canvas

PROGRAM TYPE

There are multiple uses and reasons for opting to run either a public or private bounty program, which you can read about in our guide to private vs. public. While 86% of survey respondents stated that they participate in both private and public programs, with varying degrees of preference, both types can attract specific types of researchers.

PRIVATE PROGRAMS: Invite-only programs optimize for a smaller group of researchers who have been invited based on four measures: activity, accuracy, impact and trust. For participants in these programs, this means there will be less competition, which to many researchers translates into greater efficiency and lower duplicate rates. These people are, generally speaking, more experienced or skilled, such as Virtuosos and Full-Timers.

PUBLIC PROGRAMS: These open-to-anyone programs naturally attract a larger pool of people, regardless of motivator, as they are accessible to any researcher. Many companies start with a private program prior to going public so they can learn the ropes operationally with a smaller group of invited researchers, typically from the Virtuosos or Full-Timers for the reasons mentioned above. Once the program goes public, they attract additional researchers from the Knowledge Seekers, Hobbyists and Protectors.

Read more about Aruba’s private bug bounty program

Learn why Western Union took their program from private to public

Learn more about the best uses for public and private bug bounty programs.

REWARDS

Topics of discussion around bug bounty rewards include types of rewards, monetary or non-monetary, as well as what appropriate minimum and maximum monetary rewards should be. Read our Defensive Vulnerability Pricing Model to learn more about how organizational security maturity, target complexity and criticality can determine the appropriate reward range for your program. As we mentioned before, not everyone is motivated by money, but the presence of monetary incentivisation can activate specific types of people, namely those who spend more time bug hunting, such as Full-Timers, and those who are typically more experienced. That being said, 56% of all survey respondents stated that it was ‘fairly important’ to them that a program offered monetary rewards, followed by 20% of respondents who only participate in programs that offer rewards.

In 2016, Jet.com increased their reward ranges–read why

Furthermore, rewards aren’t just about the money. With the adoption of a marketplace model, rewards are the chosen metric to represent value, whether that’s time, skill or expertise. To bug hunters such as the Knowledge Seekers and Virtuosos, earning a bounty is less about getting money in their pockets and more about the value of their work. In many cases, programs may start out as strictly responsible disclosure, in order to gain attention from those not primarily motivated by money such as Protectors, Virtuosos or Knowledge Seekers, and eventually add and even increase rewards.

Learn more about FitBit’s commitment to security research

PUBLIC DISCLOSURE POLICY

Disclosure policies vary from program to program, as each organization defines its own unique policy for vulnerabilities reported through their bounty program. Read more about Bugcrowd’s disclosure policies and benefits, as well as how trust impacts the disclosure process between researchers and vendors. Overall, 73% of survey respondents stated that it was either ‘fairly important’ or a non-issue if a program had a coordinated disclosure policy, and yet offering one may affect what kinds of researchers will work on a program. For bug hunters like the Full-Timers and Virtuosos, public disclosure can be a form of prestige, expressing the skill or knowledge it took to find something noteworthy. For bug hunters such as the Protectors, it can also be an educational tool, teaching peers about vulnerabilities found in the wild, or consumers about their risk. Being able to disclose vulnerabilities can also provide career opportunities and community clout for individuals just getting started, like the Knowledge Seekers.

Learn more about Tesla’s unique disclosure policy & public program

THANK YOU

In just a few short years, the bug bounty space has evolved from a small-scale, culture-driven novelty into a thriving industry with some ‘zeros’ behind it and real earning potential. With that evolution, we’ve seen both sides of the marketplace mature, and expect this trend to continue for years to come. The growth of the security community has coincided with an increase in bug bounties with more complex attack surfaces that require researchers with more skill sets and a wealth of experience. As the bug bounty market has become more efficient in its ability to connect talent with the need for security testing, the community needs to continue to self-educate and increase the breadth and depth of our skills. At Bugcrowd, we see it as part of our responsibility to understand and support the community of researchers, and it is our hope that by exposing the broader audience to the nuance and diversity present in this community, we can help grow the overall market opportunity for researchers all over the world. While we don’t see this as an all-inclusive report on the bug hunter community, we do believe this is an exciting first look at bug bounty hunters, some of their motivations, and the factors in play when they choose the bug bounty programs they work on. Thanks to everyone who has supported Bugcrowd in the past several years. We also want to extend our appreciation to the individuals who have consistently given us feedback, helping improve Bugcrowd so that it continues to better support the needs and desires of this diverse community. Finally, to those who helped contribute to this report, in small and big ways: thank you.

-Sam Houston, Sr. Community Manager

BUGCROWD INC.

WWW.BUGCROWD.COM

[email protected]

+1 (888) 361-9734