Profiling White-Hat Vulnerability Researchers

Written by M.Rosenquist, 4 years ago

Bugcrowd has released some interesting survey data that provides insights into the white-hat vulnerability researcher community.

Of note, most researchers were male (94%) and make less than $25k per year finding vulnerabilities. A vast majority were motivated by contributing to the well-being of others (93%), while only 19% focused on financial rewards.

I have been a longstanding advocate of formal bug bounty programs. They have given hackers and researchers an alternative to selling their findings on less-than-scrupulous zero-day markets, which offer very tempting rewards that can exceed a million dollars but often resell the information to nefarious buyers intending to exploit the weakness. Ethical reporting programs pay participants much less, but they purposefully use the researchers' work to fix issues and make technology more trustworthy. Credible bounty programs give product manufacturers the information so they can close the vulnerability before others can take advantage of it.

It is no surprise that those surveyed prioritized “do good” over materialistic financial gain. This is the crowd we want finding and reporting weaknesses in technology, as they have chosen a virtuous path that benefits all users of the connected electronic ecosystem.

The other interesting aspect of the survey data is that this community is missing a very important demographic. The number of women in the cybersecurity community is growing, but it is nowhere near full representation. Given that only 6% of those surveyed were women, the data highlights how disproportionate the problem has become. The industry has a long way to go in fully breaking down the barriers to inclusion. In my 30 years of experience, I have seen that women are just as capable and contribute on par with men. With all the work to be done, we need more researchers, and diversity promotes more creativity among teams. Women must play a more crucial part in the overall contributions.

Survey metrics can provide insights and help with decisions, but it is important to understand their inherent limitations. When consuming such reports, we must always keep the sample set in mind, as it represents an important, albeit potentially narrow, facet of the greater vulnerability research community. The 3493 hackers surveyed are likely those who take part in ethical bug bounty reporting programs like Bugcrowd and HackerOne. These are not the black-hat hackers who sell or directly leverage their discoveries for the benefit of cybercrime and nation-state programs. The income and ethos of white-hat and black-hat vulnerability researchers probably differ greatly. Unfortunately, there is very little data available on the black-hat counterparts. This report is one part of the greater picture.

The full report is available for download here: https://www.bugcrowd.com/blog/demystifying-hackers-bugcrowds-2020-inside-the-mind-of-a-hacker-report/

Interested in more? Follow me on LinkedIn, Medium, and Twitter (@Matt_Rosenquist) to hear insights, rants, and what is going on in cybersecurity.

Comments

Hey @M.Rosenquist, I am a big fan of all your articles and I wanted to ask if you would be willing to guest write for my blog. I would really appreciate it. Thanks again. @secure This is my website: https://www.hackers-review.tech/ and my email for the blog is hackersreview03@gmail.com

4 years ago

@secure you are welcome to syndicate my blogs to your site as long as they are captured in their entirety with attribution and not modified.

I have authorized several online sites and periodicals to do the same.

M.Rosenquist
4 years ago

Okay, thanks. I was hoping I could invite you personally to my blog so you can write one article for me.

4 years ago

I am sorry. I barely have the time to write anything. When I do, I push it out to the widest possible audience. It is very rare that I write something exclusive for a single outlet (it has been years since I did that).

M.Rosenquist
4 years ago

Okay, thanks. Very regretfully, but thank you for the generous reply. Thanks again.

4 years ago