Survey of bug bounty hunters shows who pans for pwns
Asking the crowd for help in fixing security problems is going mainstream. Microsoft, Facebook, and other tech giants have offered “bug bounties”—cash rewards or other prizes and recognition—to individuals discovering vulnerabilities in their products for years. (Ars even made it onto Google’s security wall of fame in 2014 for reporting a Google search bug, though we didn’t get a cash payout.)
But now, with even the government embracing “bug bounty” programs in an attempt to close vulnerabilities in systems before attacks happen, companies that manage “crowdsourced” vulnerability-disclosure programs are starting to move deeper into more conservative corporate territory. And as they do, companies like HackerOne, Synack, and Bugcrowd are placed in the position of having to convince people who view all hackers as security risks that their vulnerability hunters come in peace, just as the ranks of their “crowds” of would-be white hats swell.
To help cast a better light on its ranks, Bugcrowd today released numbers detailing the demographics of its 65,000-strong “crowd.” That release is buttressed by a survey of a 500-member sample that offers some insight into who exactly signs up to participate in the public and private bug bounty programs run by the company. And the sketch the “Mind of a Hacker 2.0” report provides of the vulnerability-hunting community is one you might have pieced together on your own if you’ve spent any time at a security conference lately: increasingly experienced and professional, diverse (at least from a national-origin standpoint), highly educated, and mostly under 30.