Profiling White-Hat Vulnerability Researchers

Matthew.Rosenquist
3 min read · Jun 26, 2020

Bugcrowd has released some interesting survey data that provides insights into the white-hat vulnerability researcher community.

Of note, most researchers were male (94%) and make less than $25k per year finding vulnerabilities. A vast majority were motivated by contributing to the well-being of others (93%), while only 19% focused on financial rewards.

I have been a longstanding advocate of formal bug bounty programs. They give hackers and researchers an alternative to selling their findings on less-than-scrupulous zero-day markets, which offer very tempting rewards that can exceed a million dollars. Those markets, however, often resell the information to nefarious buyers intending to exploit the weakness. Programs built around ethical reporting pay participants far less, but they purposefully use the researchers' work to fix issues and make technology more trustworthy. Credible bounty programs hand the information to the product manufacturer so the vulnerability can be closed before others take advantage of it.

It is no surprise that those surveyed prioritized “doing good” over financial gain. This is the crowd we want finding and reporting weaknesses in technology: they have chosen a virtuous path that benefits every user in the connected electronic ecosystem.

Written by Matthew.Rosenquist

CISO and cybersecurity strategist specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security.