We are in the age of the hacker. Never before have there been more opportunities to learn, more tools, more welcoming companies and more money up for grabs. At the end of last year, we tapped into our community of ethical hackers to better understand how they like to work, what’s most important to them and what needs to change. The 2018 Hacker Report is the largest survey ever conducted of the ethical hacking community with 1,698 respondents.
3. THE HACKERS’ RESULTS
Money ranks fourth for why bug bounty hackers hack.
Top hackers earn 2.7x the median salary of a software engineer in their home country.
12% of hackers make $20,000 or more annually from bug bounties.
25% of hackers rely on bounties for at least 50% of their annual income.
India and the United States are the top two countries represented.
53% of hackers are self-taught.
4. GEOGRAPHY
WHERE HACKERS RESIDE
India, the United States, Russia, Pakistan and the United Kingdom round out the top five countries represented, with 43% based in India and the United States combined.
FIGURE 1: GEOGRAPHIC REPRESENTATION OF WHERE HACKERS ARE LOCATED IN THE WORLD (map shaded from ≤5% to ≥20%; values shown: 6.3%, 19.9%, 23.3%)
5. Visualization of the Bounties by Geography showing on the left where the companies paying bounties are located and on the right where hackers receiving bounties are located.
CASH
HOW BOUNTY MONEY FLOWS FROM ORGANIZATIONS TO HACKERS
Geographic Money Flow: BOUNTIES PAID BY COMPANIES VS. BOUNTIES PAID TO HACKERS
BOUNTIES PAID BY COMPANIES
USA: $15,970,630
CANADA: $1,201,485
GERMANY: $458,882
RUSSIA: $308,346
SINGAPORE: $256,280
UK: $252,960
UAE: $143,375
FINLAND: $142,149
MALAYSIA: $138,215
SWITZERLAND: $118,393
ALL OTHER: $4,641,693
BOUNTIES PAID TO HACKERS
USA: $4,150,672
INDIA: $3,098,250
AUSTRALIA: $1,296,411
RUSSIA: $1,296,018
UK: $916,035
HONG KONG: $749,770
SWEDEN: $746,326
GERMANY: $682,528
ARGENTINA: $673,403
PAKISTAN: $647,339
ALL OTHER: $9,375,656
6. ECONOMICS
BOUNTIES AS AN INCOME SOURCE
The median annual wage of a “software engineer” was derived from PayScale for each region. The multiplier was found by dividing the upper range of bounty earners on HackerOne for the region by the median annual wage of a software engineer for that region.
Bug Bounties vs. Salary
MULTIPLIER
India: $$$$$$$$$$$$$$$$
Argentina: $$$$$$$$$$$$$$$
Egypt: $$$$$$$$
Hong Kong: $$$$$$$
Philippines: $$$$$
Latvia: $$$$$
Pakistan: $$$$
Morocco: $$$
China: $$$
Belgium: $$
Australia: $$
Poland: $$
Canada: $$
USA: $$
SANDEEP
Advice to beginners...
Since bug bounty is booming nowadays, competition between hackers is increasing. So, have some patience when you are first starting, and keep improving your recon skills. You have Internet, you have all the resources—keep reading from others' blogs and disclosed practical reports on HackerOne. Patience and better reporting is the KEY.
7. Over 66% of hackers spend 20 hours or less per week hacking.
ON AVERAGE, APPROXIMATELY HOW MANY HOURS PER WEEK DO YOU SPEND HACKING? HACKERONE HOURS NOT INCLUDED
1-10 HOURS: 44.2%
10-20 HOURS: 22.4%
20-30 HOURS: 13%
30-40 HOURS: 13%
40+ HOURS: 13.1%
What Best Describes Your Professional Title?
WHAT BEST DESCRIBES YOUR DAY-TO-DAY OCCUPATION?
IT/SOFTWARE/HARDWARE: 46.7%
STUDENT: 25.2%
CONSULTING: 12.3%
EDUCATION: 7.2%
UNEMPLOYED: 1.9%
FINANCE: 1.5%
GOVERNMENT: 1.1%
TELECOMMUNICATIONS: 0.3%
CONSTRUCTION: 0.7%
STAY AT HOME PARENT: 0.7%
HEALTHCARE: 0.5%
LEGAL: 0.4%
MANUFACTURING: 0.4%
INSURANCE: 0.3%
DEMOGRAPHICS
HACKERS BY NIGHT, STUDENTS AND TECH EMPLOYEES BY DAY
8. While many hackers are young, nearly 29% have been hacking for 6 years or more.
AGE
YOUTHFUL, CURIOUS, GIFTED PROFESSIONALS
WHAT'S YOUR AGE?
18-24 YEARS: 45.3%
25-34 YEARS: 37.3%
35-49 YEARS: 9.2%
13-17 YEARS: 1%
50-64 YEARS: 0.5%
UNDER 13 YEARS: 0.4%
APPROXIMATELY HOW MANY YEARS HAVE YOU BEEN HACKING?
1-5 YEARS: 71.2%
6-10 YEARS: 18.1%
11-15 YEARS: 6.4%
16-20 YEARS: 2.2%
20+ YEARS: 2.1%
9. NICOLE
I’ve always had somewhat of a mindset for security, even before I knew anything about computer science. Growing up, my brain was constantly racing to figure out systems in order to find loopholes and workarounds that I could slip through.
ATTACK SURFACE
HACKERS LOVE WEBAPPS
WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PRODUCT TO HACK?
WEBSITES: 70.8%
IOS MOBILE APPS: 1.4%
ANDROID MOBILE APPS: 4.2%
DOWNLOADABLE SOFTWARE: 2.5%
WINDOWS MOBILE APPS: 0.1%
COMPUTER HARDWARE: 0.5%
FIRMWARE: 1.3%
OPERATING SYSTEMS: 3.1%
INTERNET OF THINGS: 2.6%
APIs: 7.5%
SUPPLY CHAIN PARTNER: 0.3%
EVALUATING TECHNOLOGY: 0.7%
TECHNOLOGY THAT I USE: 5.0%
10. WHY DO YOU HACK?
TO MAKE MONEY: 13.1%
TO BE CHALLENGED: 14.0%
TO LEARN TIPS AND TECHNIQUES: 14.7%
TO HAVE FUN: 14.0%
TO SHOW OFF: 3.0%
TO ADVANCE MY CAREER: 12.2%
TO HELP OTHERS: 8.5%
TO DO GOOD IN THE WORLD: 10.0%
TO PROTECT AND DEFEND: 10.4%
MOTIVATION
IT AIN’T ALL ABOUT THE MONEY
FRANS
Personally I hack because I really love to build stuff and I also love to break stuff... the best way to know how to build stuff is to know how you can break it.
11. IBRAHM
How are hackers spending their bounties?
REWARDS
A HOUSE FOR MOM AND A DONATION FOR GOOD
DAVID FRANS
Helping my parents buy a house when I first came to the U.S.
Donated the bounty…to the EFF.
A lot of my money actually goes into hiring people.
13. IN YOUR OPINION, OVER THE LAST YEAR, WHAT BEST DESCRIBES COMPANIES’ REACTIONS TO RECEIVING VULNERABILITY REPORTS FROM SECURITY RESEARCHERS?
THEY ARE FAR MORE OPEN: 33.8%
THEY ARE SOMEWHAT MORE OPEN: 38.4%
THEY ARE NEITHER MORE NOR LESS OPEN: 16.5%
THEY ARE SOMEWHAT LESS OPEN: 4.7%
THEY ARE FAR LESS OPEN: 4.7%
HackerOne has paid out over $23 million in bounties in five years with a goal of $100 million by the end of 2020.
THE FUTURE
MORE COMPANIES PAYING MORE BOUNTIES
14. BRETT
At the end of the day, we’re all in this together. We’re trying to find stuff and fix issues. We’re trying to help protect the world. That’s what it comes down to. And I like to be a part of that.
THE HACKERS
#TOGETHERWEHITHARDER