What motivates bug hunters?
Crowdsourced security penetration testing outfit Bugcrowd has released its second annual “Mind of a Hacker” report, to provide insight into bug hunters’ motivations and preferences, and help companies tailor their bug bounty initiatives so they can lead to better results for everyone.
The most interesting insights gleaned from the answers of the 500 or so bug hunters who participated in the survey are as follows:
- They come from all over the world (216 countries), but the overwhelming majority of them are located in the US and India
- The majority is young and very young: 71% of them are between 18-29 years old (up from 60% last year) and 8% are yet to reach 18 years of age.
- Most bug hunters are highly educated (82% of bug hunters have completed some form of higher education)
- Most of them (86%) are working in the security industry (penetration testers, security consultants, etc.). 14% have no experience in the security industry (outside of bug hunting), and instead hold broader IT positions such as software engineers, developers or system administrators.
- They have knowledge of an expertise in many technologies:
Bug hunter personas
The polled bug hunters’ motivations to participate in bug bounty programs are diverse:
Based on this information, Bugcrowd places them in one of five main groups:
- Hobbyists – Motivated by having fun and earning additional income, most have considerable experience in bug hunting.
- Full-Timers – they use bug bounties as their main source of income and spend more time on bug hunting than others. Also, most of them plan to increase their bug hunting efforts.
- Virtuosos – They are motivated by the challenge of bug hunting and want to be part of the security elite, so they use bug hunting to perfect their craft, and to earn money to buy security tools and professional development.
- Protectors -Their main motivation is to make the cyber-world safer for everyone. 27% of them aspire to become a full-time bug hunter. 57% would need $50K or more to become a full-time bug hunter. They are attracted to bug bounty programs that have a broad scope, challenging targets, and a high potential to find a valid bug.
- Knowledge Seekers – Most are new to the bug bounty scene, and are doing it for fun, education, and as a challenge. 29% aspire to be penetration testers, and 27% aspire to be full-time bug hunters.
How do researchers choose a bug bounty program to participate in?
Broad scope and a high potential to find bugs is important to most, meaning that bug hunters are very results driven:
“As the bug bounty ecosystem matures, the goal is to tap into each of the researcher personas, as they each bring his or her own perspective and expertise to the table,” the company noted.