The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the vulnerabilities they find
•
4 likes•1,724 views
We are in the age of the hacker. Never before has there been more opportunities to learn, more tools, more welcoming companies and more money up for grabs. At the end of last year, we tapped into our community of ethical hackers to better understand how they like to work, what’s most important to them and what needs to change. The 2018 Hacker Report is the largest survey ever conducted of the ethical hacking community with 1,698 respondents.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the vulnerabilities they find
Similar to The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the vulnerabilities they find (20)
More from HackerOne
More from HackerOne (15)
Recently uploaded
Recently uploaded (20)
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the vulnerabilities they find
- 1. THE 2018 HACKER REPORTInsights on the hacker mindset, who they are, and the types of vulnerabilities they find.
- 2. 166,000+ Hackers 72,000+ Valid Vulnerabilities Submitted $23,500,000+ Bounties Paid THE HACKERONE PLATFORM * as of December2017 HackersAreHeroes… and1,698ofthemresponded toquestionsforthisreport.
- 3. THE HACKERS’ RESULTS Money ranks fourth for why bug bounty hackers hack. Top hackers earn 2.7x the median salary of a software engineer in their home country. 12% of hackers make $20,000 or more annually from bug bounties. 25% of hackers rely on bounties for at least 50% of their annual income. India and the United States are the top two countries represented. 53% of hackers are self-taught.
- 4. GEOGRAPHY WHERE HACKERS RESIDE India, the United States, Russia, Pakistan and the United Kingdom round out the top five countries represented, with 43% based in India and the United States combined. FIGURE 1: GEOGRAPHIC REPRESENTATION OF WHERE HACKERS ARE LOCATED IN THE WORLD ≥ 2 0 %≤5% 6.3% 19.9% 23.3% Geographic Representation of Where Hackers are Located in the World
- 5. Visualization of the Bounties by Geography showing on the left where the companies paying bounties are located and on the right where hackers receiving bounties are located. CASH HOW BOUNTY MONEY FLOWS FROM ORGANIZATIONS TO HACKERS USA: $15,970,630 CANADA: $1,201,485 GERMANY: $458,882 RUSSIA: $308,346 SINGAPORE: $256,280 UK: $252,960 UAE: $143,375 FINLAND: $142,149 MALAYSIA: $138,215 SWITZERLAND: $118,393 $4,641,693 ALL OTHER USA: $4,150,672 ARGENTINA: $673,403 RUSSIA: $1,296,018 PAKISTAN: $647,339 INDIA: $3,098,250 AUSTRALIA: $1,296,411 UK: $916,035 HONG KONG: $749,770 SWEDEN: $746,326 BOUNTIES PAID BY COMPANIES VS. BOUNTIES PAID TO HACKERS $9,375,656 GERMANY: $682,528 ALL OTHER Geographic Money Flow
- 6. ECONOMICS BOUNTIES AS AN INCOME SOURCE Median annual wage of a “software engineer” was derived from PayScale for each region. The multiplier was found by dividing the upper range of bounty earners on HackerOne for the region by the median annual wage of a software engineer for the related region. India Argentina Egypt Hong Kong Philippines Latvia Pakistan Morocco China Belgium Australia Poland Canada USA MULTIPLIER Bug Bounties vs. Salary $$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$ $$$$$$$$ $$$$$$$ $$$$$ $$$$$ $$$$ $$$ $$$ $$ $$ $$ $$ $$ SANDEEP Advice to beginners... Since bug bounty is booming nowadays, competition between hackers is increasing. So, have some patience when you are first starting, and keep improving your recon skills. You have Internet, you have all the resources—keep reading from others' blogs and disclosed practical reports on HackerOne. Patience and better reporting is the KEY.
- 7. Over 66% of hackers spend 20 hours or less per week hacking. AGE, APPROXIMATELY HOW MANY HOURS PER WEEK PEND HACKING? HACKERONE HOURS NOT INCLUDED 1-10 HOURS: 44.2% 10-20 HOURS: 22.4% 20-30 HOURS: 13% 30-40 HOURS: 13% 40+ HOURS: 13.1% On Average, Approximagely How Many Hours Per Week Do You Spend Hacking? IT/SOFTWARE/HARDWARE: 46.7% STUDENT : 25.2% CONSULTING : 12.3% EDUCATION : 7.2% UNEMPLOYED : 1.9% FINANCE : 1.5% GOVERNMENT : 1.1% TELECOMMUNICATIONS : 0.3% CONSTRUCTION : 0.7% STAY AT HOME PARENT : 0.7% HEALTHCARE : 0.5% LEGAL : 0.4% MANUFACTURING : 0.4% INSURANCE : 0.3% WHAT BEST DESCRIBES YOUR DAY-TO-DAY OCCUPATION? What Best Describes Your Professional Title? DEMOGRAPHICS HACKERS BY NIGHT, STUDENTS AND TECH EMPLOYEES BY DAY AGE, APPROXIMATELY HOW MANY HOURS PER WEEK END HACKING? HACKERONE HOURS NOT INCLUDED 1-10 HOURS: 44.2% 10-20 HOURS: 22.4% 20-30 HOURS: 13% 30-40 HOURS: 13% 40+ HOURS: 13.1% IT/SOFTWARE/HARDWARE: 46.7% STUDENT : 25.2% CONSULTING : 12.3% EDUCATION : 7.2% UNEMPLOYED : 1.9% FINANCE : 1.5% GOVERNMENT : 1.1% TELECOMMUNICATIONS : 0.3% CONSTRUCTION : 0.7% STAY AT HOME PARENT : 0.7% HEALTHCARE : 0.5% LEGAL : 0.4% MANUFACTURING : 0.4% INSURANCE : 0.3% WHAT BEST DESCRIBES YOUR DAY-TO-DAY OCCUPATION?
- 8. While many hackers are young, nearly 29% have been hacking for 6 years or more. What's Your Age? AGE YOUTHFUL, CURIOUS, GIFTED PROFESSIONALS WHAT'S YOUR AGE? 18-24 YEARS: 45.3% 25-34 YEARS: 37.3% 35-49 YEARS: 9.2% 13-17 YEARS: 1% 50-64 YEARS: 0.5% UNDER 13 YEARS: 0.4% Approximately How Many Years Have You Been Hacking? APPROXIMATELY HOW MANY YEARS HAVE YOU BEEN HACKING? 1-5 YEARS: 71.2% 6-10 YEARS: 18.1% 11-15 YEARS: 6.4% 16-20 YEARS: 2.2% 20+ YEARS: 2.1% APPROXIMATELY HOW MANY YEARS HAVE YOU BEEN HACKING? 1-5 YEARS: 71.2% 6-10 YEARS: 18.1% 11-15 YEARS: 6.4% 16-20 YEARS: 2.2% 20+ YEARS: 2.1% WHAT'S YOUR AGE? 18-24 YEARS: 45.3% 25-34 YEARS: 37.3% 35-49 YEARS: 9.2% 13-17 YEARS: 1% 50-64 YEARS: 0.5% UNDER 13 YEARS: 0.4%
- 9. NICOLE I’ve always had somewhat of a mindset for security, even before I knew anything about computer science. Growing up, my brain was constantly racing to figure out systems in order to find loopholes and workarounds that I could slip through. WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PRODUCT TO HACK? WEBSITES: 70.8% IOS MOBILE APPS: 1.4% ANDROID MOBILE APPS: 4.2% DOWNLOADABLE SOFTWARE: 2.5% WINDOWS MOBILE APPS: 0.1% COMPUTER HARDWARE: 0.5% FIRMWARE: 1.3% OPERATING SYSTEMS: 3.1% INTERNET OF THINGS: 2.6% APIs : 7.5% WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PROD WEBSITES: 70.8% IOS MOBILE APPS: 1.4% ANDROID MOBILE APPS: DOWNLOADABLE SOFTW WINDOWS MOBILE APPS COMPUTER HARDWARE: FIRMWARE: 1.3% OPERATING SYSTEMS: 3 INTERNET OF THINGS: 2 APIs : 7.5% SUPPLY CHAIN PARTNER EVALUATING TECHNOLO TECHNOLOGY THAT I U What is Your Favorite Kind of Platform or Product to Hack? ATTACK SURFFACE HACKERS LOVE WEBAPPS WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PRODUCT TO HACK? WEBSITES: 70.8% IOS MOBILE APPS: 1.4% ANDROID MOBILE APPS: 4.2% DOWNLOADABLE SOFTWARE: 2.5% WINDOWS MOBILE APPS: 0.1% COMPUTER HARDWARE: 0.5% FIRMWARE: 1.3% OPERATING SYSTEMS: 3.1% INTERNET OF THINGS: 2.6% APIs : 7.5% SUPPLY CHAIN PARTNER: 0.3% EVALUATING TECHNOLOGY: 0.7% TECHNOLOGY THAT I USE: 5.0%
- 10. WHY DO YOU HACK? TO MAKE MONEY13.1% TO BE CHALLENGED14.0% TO LEARN TIPS AND TECHNIQUES14.7% TO HAVE FUN14.0% TO SHOW OFF3.0% TO ADVANCE MY CAREER12.2% TO HELP OTHERS8.5% TO DO GOOD IN THE WORLD10.0% TO PROTECT AND DEFEND10.4% Why Do You Hack? MOTIVATION IT AIN’T ALL ABOUT THE MONEY FRANS Personally I hack because I really love to build stuff and I also love to break stuff... the best way to know how to build stuff is to know how you can break it.
- 11. IBRAHM How are hackers spending their bounties? REWARDS A HOUSE FOR MOM AND A DONATION FOR GOOD DAVID FRANS Helping my parents buy a house when I first came to the U.S. Donated the bounty…to the EFF. A lot of my money actually goes into hiring people.
- 12. ofhackershavedonatedbounty moneytocharityorganizations,and companieslikeQualcomm,Google, andFacebookmatchbountiesthat hackersdonate. OVER24% REWARDS A HOUSE FOR MOM AND A DONATION FOR GOOD SAM The most meaningful purchase I made with bounty money is actually a car. For a really long time it was just one car in our house of three, and I really don’t come from a wealthy background. It was really an issue trying to find a way to get around for everyone’s jobs, so when I got into bug bounty I said, I’m going to get a car that everyone can use and I think it really helped.
- 13. NION, OVER THE LAST YEAR, WHAT BEST DESCRIBES COMPANIES’ ECEIVING VULNERABILITY REPORTS FROM SECURITY RESEARCHERS? THEY ARE FAR MORE OPEN: 33.8% THEY ARE SOMEWHAT MORE OPEN: 38.4% THEY ARE NEITHER MORE NOR LESS OPEN: 16.5% THEY ARE SOMEWHAT LESS OPEN: 4.7% THEY ARE FAR LESS OPEN: 4.7% HackerOne has paid out over $23 million in bounties in five years with a goal of $100 million by the end of 2020. In Your Opinion, Over the Last Year, What Best Describes Companies' Reactions to Receiving Vulnerability Reports From Security Researchers? THE FUTURE MORE COMPANIES PAYING MORE BOUNTIES NION, OVER THE LAST YEAR, WHAT BEST DESCRIBES COMPANIES’ ECEIVING VULNERABILITY REPORTS FROM SECURITY RESEARCHERS? THEY ARE FAR MORE OPEN: 33.8% THEY ARE SOMEWHAT MORE OPEN: 38.4% THEY ARE NEITHER MORE NOR LESS OPEN: 16.5% THEY ARE SOMEWHAT LESS OPEN: 4.7% THEY ARE FAR LESS OPEN: 4.7%
- 14. BRETT At the end of the day, we’re all in this together. We’re trying to find stuff and fix issues. We’re trying to help protect the world. That’s what it comes down to. And I like to be a part of that. THE HACKERS #TOGETHERWEHITHARDER