ONE IN FOUR ethical hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
That’s according to HackerOne’s ‘2018 Hacker Report‘, which surveyed 1,698 members of the hacking community – making it the largest documented survey ever conducted of the ethical hacking community.
One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).
This doesn’t mean the hackers don’t try – with HackerOne noting that many attempt to contact firms via social media and email but are “frequently ignored or misunderstood.”
Things are getting better, though, as 72 per cent of those quizzed said that companies are becoming more open to receiving vulnerabilities than they were before.
Unlike a bug bounty program, such as those offered by Intel, Google, Microsoft and Samsung, a VDP does not offer hackers financial incentives for their findings, HackerOne notes. Despite this, the Department of Defense resolved almost 3,000 vulnerabilities without offering devs a cash reward.
Bug bounties are where the big money’s at, though. The report reveals that 12 per cent of hackers on HackerOne make $20,000 or more annually from bug bounties, over 3 per cent take home more than $100,000 per year, and 1.1 per cent are making over $350,000 annually.
A quarter of hackers rely on bounties for at least 50 per cent of their annual income, and 13.7 per cent say their bounties earned represents 90- 100 per cent of their annual income.
HackerOne notes that the top hackers based in India earn 16x the median salary of a software engineer through bug bounty programmes.
That don’t mean the hacking community is all strippers and Cristal, as one in four hackers say they have donated bounty money to charity. Money is no longer hackers’ top reason for, er, hacking either, with respondents claiming that they do are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second. µ
Source : Inquirer