Under the hoodie: what makes bug bounty hunters tick?

If you were a company interested in starting a bug bounty program – say, like Google did a few months ago in an effort to clean up the rather grungy Play Store – wouldn’t you like to know what type of person is eager to pull your code apart?
Wouldn’t you want to know who these hackers are? Where they come from? How old they are? If they’re teenagers using homemade tools, or professionals who work with sophisticated technologies? What soft underbellies do they target, and what are their favorite attack vectors?
Are they in it for the money, and if not, what are they in it for?
We can actually answer those questions, because the bug bounty program management website HackerOne asked.
Last month, HackerOne surveyed 1,698 hackers from over 195 countries and territories, all of whom have successfully reported one or more valid security vulnerabilities, as verified by the organization that received the vulnerability report. Also in the mix are findings collected from the HackerOne platform using its proprietary data, which is based on over 900 collective bug bounty and vulnerability disclosure programs.
The result is the 2018 Hacker report: what HackerOne says is the largest documented survey ever conducted of the ethical hacking community.
According to HackerOne, it’s seen a tenfold increase in registered users – as in, ethical hackers – in just two years. As of December 2017, the platform had more than 166,000 registered hackers. It had logged more than 72,000 valid vulnerabilities, for which more than $23.5m had been paid in bug bounties.

Where are they?

If somebody found your bug, that somebody is most likely in India, where 23% of the HackerOne community lives. The United States comes in second with 20%. Russia comes in third with 6%, Pakistan is at 4%, and the United Kingdom is also home to 4% of registered hackers.

How much do they rely on bug bounties as income?

HackerOne compared competitive salaries for an equivalent job to the bug bounty earnings of top performers in each country and noted that the bounties can be “life-changing.” On average, top-earning bug bounty hunters make 2.7 times the median salary of a software engineer in their home country.
But once you get to countries with low median salaries, the multiplier blossoms. It was the highest in India for 2017, with hackers making 16 times the median salary of an India-based software engineer.
That’s quite the incentive to get hacking, the report notes before quoting Troy Hunt, security expert and creator of Have I been pwned:

Most bug bounties (usually) have no geographical boundaries, which means the ROI for the bug hunter can be enormously attractive… Consider what the “return” component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in; this makes bounties enormously attractive and gets precisely the eyes you want looking at your security things. Bounties are a great leveler in terms of providing opportunity to all.

How old?

These are by and large “young, curious, gifted professionals,” HackerOne says. Over 90% of hackers are under the age of 35. The best-represented age group, at 45.3% of registered hackers, is between 18 and 24. They’re closely followed by the 37.3% of hackers who are between 25 and 35 years old. In fact, over 90% of bug bounty hackers on HackerOne are under the age of 35, with over 50% under 25 and just under 8% under the age of 18.
But there are a scattering of both older and younger hackers finding bugs: 0.4% are under the age of 13, and 0.5% are between the ages of 50 and 64.

How did they learn how to do this?

HackerOne found that the vast majority, 58%, are self-taught, while 44% are IT professionals. 67% learned tips and tricks through online resources, blogs and books or through their community (other hackers, friends, colleagues, etc.)

As far as job titles go, the best-represented is that of IT/software/hardware, at 46.7%. That’s followed by “student,” at 25.2%. 13% say they hack full time or 40+ hours per week.

What are their favorite tools?

Build-your-own is the second most popular type of tool they use. Here’s what else they like:

1. Burp Suite 29.3%
2. I build my own tools 15.3%
3. Web proxies and scanners 12.6%
4. Network vulnerability scanners 11.8%
5. Fuzzers 9.9%
6. Debuggers 9.7%
7. WebInspect 5.4%
8. Fiddler 5.3%
9. Chip Whisperer 0.8%

Why hack?

Money is undoubtedly a strong motivation, but according to HackerOne, it’s fallen from the No. 1 motivator in 2016 to its current position at No. 4 on the list.

1. To learn tips & techniques 14.7%
2. To be challenged 14%
3. To have fun 14%
4. To make money 13.1%
5. To advance my career 12.2%
6. To protect and defend 10.4%
7. To do good in the world 10%
8. To help others 8.5%
9. To show off 3%

Many say they share knowledge freely with the community of hackers and security researchers.
They’ve also helped the US Department of Defense (DoD) resolve almost 3,000 vulnerabilities, HackerOne says. In March 2016, the DoD announced “Hack the Pentagon”: the first cyber bug bounty program in the history of the federal government.
It was carefully controlled, with dozens of pre-selected security researchers hunting down vulnerabilities in certain public-facing DoD websites, but it was undeniably effective: more than 138 unique vulnerabilities were found, and the DoD paid out tens of thousands of dollars to 58 hackers, Wired reports.

Where do they spend the loot?

HackerOne got some stories from some of its hackers. Here are two:

IBRAM MARZOUK
One of the things that I did with my bounty money was helping my parents buy a house when I first came to the US, so that’s probably the biggest thing I’ve done with bounty money.

DAVID DWORKEN
The most meaningful result of a bounty for me was actually one from Starterbox where there was some sort of miscommunication where they thought something was a bug and it ended up not being a bug. So [when] I talked to them, we actually just decided to donate the bounty that they had already awarded to the EFF.

According to HackerOne, over 24% of its hackers have donated bounty money to charity organizations. Besides the Electronic Frontier Foundation (EFF), the recipients have included the Red Cross, Doctors Without Borders, Save the Children and local animal shelters. Companies like Qualcomm, Google, and Facebook have “bounty match” promotions, matching any bounties earned that hackers in turn donate to a cause.

Lone wolves or pack animals?

Most – 30.6% – prefer working alone, but they still rely on each other to learn: 31.3% of hackers like to read other hackers’ blogs and publicly disclosed vulnerability results. 13% of hackers sometimes work with peers, 9% regularly work with other hackers, 8.7% of hackers serve as mentors or mentees to other hackers and 7.1% have filed at least one bug report with other hackers as part of a team.

How do they select targets?

Surveyed hackers said they respond primarily to two pheromones: the sweet smell of cash (23.7%), and the sweet smell of the opportunity to learn and hone their skills (20.5%).
Other incentives include going after a brand they like (13%) or going after a brand they don’t like (2.1%). They also like to target companies with good security (8.9%) and companies with lousy security (6.6%), as well as companies with responsive security teams (10.7%).

What’s their favorite attack vector?

Over 28% of hackers surveyed said they prefer searching for cross-site scripting (XSS) vulnerabilities. That’s no surprise: it’s been No. 1 on the OWASP list of the top most critical web application security risks for years. In fact, it was No. 1 in the OWASP 2017 list. HackerOne took the OWASP list and created this flashcard reference guide to download, print, and share “for easy learning!”
Their other favorite attack vectors were SQL injection (23.1%), fuzzing (5.5%) and brute force (4.5%), among other methods.

In aggregate, your prototypical bounty hunter is…

…the kind of person who loves a challenge, loves to pick apart systems to find loopholes, loves to learn, isn’t allergic to cash but tends to be invested in the public good, and is, in the words of Keren Elazari, a vital part of “the internet’s immune system.”