More than 100,000 hackers now make a career as bounty hunters, claims HackerOne

One-fifth of HackerOne's hackers are full-time bounty hunters - while for others, it's a route into lucrative new IT roles

Hacking as a full-time career is now supporting more than 100,000 bug bounty hunters, with 18 per cent of the contributors to the HackerOne platform claiming to be full-time employed searching for vulnerabilities and security flaws.

Furthermore, nearly 40 per cent of hackers spend 20 hours or more every week searching for bugs, with companies like Microsoft, Facebook and others all expanding their programs in recent years.

These are just some of the findings from the HackerOne 2020 Hacker Report [PDF], published this week.

Not only are more hackers earning most or all of their income from hacking, they're making a good living doing it

In 2019, according to the report, hackers on the platform earned just under $40 million between them, with six passing the $1 million mark in terms of total 'career' earnings during 2019. Others, meanwhile, are able to scoop-up lucrative roles partly as a result of their bug-hunting work. And the amounts being awarded in bug bounties are rising almost exponentially, with last year's $40 million taking cumulative earnings for valid vulnerability reports filed via the HackerOne platform to more than $82 million.

It's also a global activity. While 19 per cent of all the bounties last year went to hackers based in the US, that was followed by India on 10 per cent, Russia on eight per cent, China on seven per cent and Germany on four per cent. Hackers in Egypt and Ukraine also figure highly.

In terms of payers, organisations in the US and Canada paid the bulk of the bounties, followed by a long tail led by the UK, Germany, Singapore, and Russia.

Two-thirds of bug hunters have been put off by organisations from filing reports

"The concept of hacking as a viable career has become a reality. Not only are more hackers earning most or all of their income from hacking, they're making a good living doing it. Besides the seven hackers passing the $1 million earnings milestone, thirteen more hit $500,000 in lifetime earnings and 146 hackers earned $100,000, up from 50 last year. That puts the potential earnings power of a hacking career well above today's global average IT salary of $89,732," claimed the report.

Nevertheless, the bulk of hackers make less than $20,000 per year from bug bounties, making it a well-paid hobby or part-time job rather than a full-time career.

However, warned HackerOne, two-thirds of bug hunters have been put off by organisations from filing reports. "Thirty-eight per cent of hackers said this was due to ‘threatening legal language' posted on the organisation's website regarding the discovery of potential vulnerabilities. In other cases, 21 per cent said the companies didn't have an obvious channel through which to report findings, and another 15 per cent said that the company was unresponsive to previous bug reports."

As a result, organisations are not just putting themselves at risk of security breaches as a result of arguable negligence, but also multi-million pound fines in jurisdictions across Europe subject to either GDPR or similar legislation.