Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering. And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities. A survey of 1,700 bug bounty hunters from more than 195 …

  1. Valeyard


    The thing is that the companies get pentested before going on HackerOne etc., so the stuff to find is already fairly difficult; after that, as soon as a new company is up, they're bombarded by some very, very good pentesters. A more interesting study would be the median bounty awarded per active user, which I suspect would tell a different story...

    1. Anonymous Coward

      Re: Title

      HackerOne claim to have 100K researchers... I went back and checked my 'empty' signup profile when I signed up in 2014... I was ranked 5000 and something... this also means that there are very few active researchers... if I can get into the top 5% without submitting a single vulnerability. :)

  2. Gunboat Diplomat

    Worth it?

    Personally I'd be bored shitless if I swapped building things for bug bounties so 2.7 times salary seems like a bad trade.

    Also "The top earning hackers on HackerOne have earned more than the average salary of software engineers in their respective countries" makes me suspicious. How much does the average hacker earn compared to an average software engineer?

    1. The Mole

      Re: Worth it?

      Agreed, my experience is the skills of a 'median' developer are rather mediocre and are unlikely generally to be able to find any bugs eligible for bug bounties. On the other hand the median skills of a bug bounty hunter who has successfully managed to claim at least one bug bounty (let alone be able to make a living out of it) are likely to be at least 2.7 times better, if not more...

    2. BebopWeBop

      Re: Worth it?

      or the median?

    3. JLV

      Re: Worth it?

      Yup, notice "median developer" but not quite so clear on "median hacker". Bit further in, the hacker %-ile vs income breakdowns give you some insight and it looks nowhere near as sweet.

  3. G2

    factcheck: fail result

    that's Boba Fett from Star Wars: The New Republic Anthology, not from Firefly

    There are some rumours that a Star Wars film centred on Boba Fett will come out around 2020-ish.

    @ElReg: your image was an obvious troll for Star Wars fans... let's call it an article bug :)

    1. Anonymous Coward

      Re: factcheck: fail result

      "Your image was an obvious troll"

      Er... you don't say?!

      It was *so* transparently obvious - bordering on silly - that it's quite clear it was signposting itself as a joke and not expected to be taken seriously.

      "Firefly: Deep Space Eight", FFS!

  4. James Anderson

    Lottery winners earn more than you.

    Massive amount of winner bias in the survey.

    Would someone who spent a year failing to find a rewarding bug and went back to their day job bother with the survey.

    1. Mike 125

      Re: Lottery winners earn more than you.

      >>and went back to their day job

      ...or killed themselves. There is no sufficient reward for debugging other people's (peoples'.....?) crap code.

  5. sequester

    And I could be earning the same sum but in Bitcoin or Krügerrand if I was a Russian extortionist making actual use of the bugs, what's the point? :-P

  6. Anonymous Coward

    A lot easier to make 3x as much if you live in a low wage country

    Since bounties are fixed, not adjusted for local salaries.

    1. Naselus

      Re: A lot easier to make 3x as much if you live in a low wage country

      The article did kinda address that by pointing out the ratio is 16:1 in India.

  7. Marty McFly

    It's a bunch of bravo-sierra article

    "A survey of 1,700 bug bounty hunters from more than 195 countries"

    The US State department only identifies 195 total states in the world: So it is not possible to have bounty hunters in "more than" 195 states.

    When I see inflated statistics like that, it makes the rest of the data presented questionable.

    1. ArrZarr

      Re: It's a bunch of bravo-sierra article

      Because the US State department is the final word on what counts as a country and what doesn't? Come back when they can spell colour correctly.

      1. Anonymous Coward

        Re: It's a bunch of bravo-sierra article

        Upvoted for “colour.”

    2. Christian Berger

      There is a lot of disagreement on what's a country

      I remember the Austrian Children's television asking themselves that question back in the 1980s and they got widely divergent numbers depending who they asked.

      For example, back then the Vatican didn't have its own country code, so for the postal company it wasn't its own country.

  8. Anonymous Coward

    There's no way the median salary is only $81,193. We are paying new hires straight out of college $80k. I make double that, and I've stayed with the same company for 20 years.

    1. JohnFen

      The US median (not average) is indeed $80k. It's not as ridiculous as you insinuate, because the cost of living varies wildly in different parts of the nation. In some parts, you can live like a king on $80k, and you'll be in the top 5% of earners. In others, $80k means you're poor and likely living in a rundown shack.

      I'm guessing that you happen to be located in an area with a relatively high cost of living, where $80k isn't a ton of money.

  9. J.G.Harston

    But how do you get past the problem that employers refuse to employ you to do X unless you are already employed doing X?

  10. Hans 1

    What is the point

    I came across a numpty on the Intertubes YESTERDAY who was running NT4 Terminal Server, you know, the OS that has dozens of remote exec vulns unpatched ... Terminal Server, so networked ... you can write the best, most secure code .... as long as we have numpties like that around, it is pointless ... We need to clean up the industry.

    Corporate fallacy, clients, pink unicorns, whatever your excuse, running EOL software is no longer an option and NO, I do not care what other excuse you can come up with, IT IS NOT AN F'ING OPTION! If your company accepts that, heads MUST FALL or your company will make headlines, sooner or later, and THAT won't be pretty!