You may not make a million dollars, but hackers make good money reporting vulnerabilities.
Can you get rich by reporting software bugs? For some, finding vulnerabilities in websites and apps is a bit like doing a crossword puzzle, while for others, it’s their main source of income.
Paying hackers to find flaws in software or services is an increasingly common practice: these "bug bounty" programs let hackers get paid for finding bugs, while organizations benefit by improving their security for a cost of several thousand dollars per bug.
HackerOne, which runs bug bounty programs for organizations including the US Department of Defense and Google, has released new data on the number of vulnerabilities found by hackers who signed up for its projects and on how much they were paid. To date, over 181,000 vulnerabilities have been reported, and more than $100 million has been paid out to hackers registered with its service.
The company said more than $44.75 million in bounties was awarded to hackers around the world over the past year, an 86% increase on the year before. The vast majority of those bounties are paid by organizations in the US.
Some bugs can earn decent rewards: HackerOne reported that the average bounty for critical vulnerabilities has increased to $3,650, up eight percent from last year, while the average bounty for a vulnerability is $979. Critical vulnerabilities make up about 8% of all reports, while high severity reports account for 21%.
According to HackerOne, "hacking remains a constant and stable source of income" for some registered hackers. Nearly nine in ten of them are under 35, and one in five said hacking is their only source of income.
Bug Bounty Millionaires
Nine individual hackers have amassed a combined $1 million in less than a decade through HackerOne, showing that bug hunting can pay off handsomely. Over 200 hackers have made more than $100,000, and 9,000 hackers have made "something". Of the hackers who discovered at least one vulnerability, half made $1,000 or more.
But even if many don't make a lot of money chasing bugs, the skills they learn can be good for their careers: four out of five said they would use the skills and experience gained while hacking to find work.
The global coronavirus outbreak appears to have brought a surge in attacks on organizations, but it has also sparked an increase in hackers looking to help find and fix security flaws. HackerOne reported that new hacker registrations have increased by 59% in the months since the pandemic began, and bug reports have increased by 28%, possibly because many people have been forced to stay at home, giving them more time to look for bugs.
But finding bugs for money can become increasingly difficult. As organizations fix more vulnerabilities, the average reward increases, which is good for bug hunters. However, the vulnerabilities that remain also become harder to find, requiring more skill and effort to discover.