Why more ethical hackers are transitioning to full-time bug bounty careers

Intigriti’s second annual Ethical Hacker Report gets the views of 1,700 ethical hackers about cybersecurity career preferences and more

Intigriti is a Business Reporter client

It’s a difficult moment to be an HR leader. If you had asked the average person ten years ago to define a hacker, their answer would probably have been associated with something criminal. But the world is finally waking up to the fact that not all hacking activity is malicious – and some people are actively fighting against that assumption.

Today, millions of professionals are operating in a thriving ethical hacking industry. However, some are moving faster than others.

What is an ethical hacker?

Like malicious hackers, ethical hackers have extensive knowledge of systems, code and programming. They’re also driven by the same overriding goal: to break through a target’s defence systems. However, as the name suggests, ethical hackers operate within the law and disclose the vulnerabilities they find to the relevant parties with good intentions.

A bug bounty programme is a secure way for businesses to invite crowdsourced ethical hackers to test the security of their systems, products and platforms. If a hacker finds a genuinely unknown and unique vulnerability, the company will receive a confidential report outlining what needs fixing.

According to Intigriti’s survey of more than 1,700 ethical hackers, bug bounty hunting is becoming one of the most desirable paths for cyber-security talent today. The survey reveals that 96 per cent of those already putting their ethical hacking skills to use would like to dedicate more time to bug bounty hunting in the future. Additionally, 66 per cent are considering it as a full-time career.

What has driven the increasing popularity of bug bounty hunting?

Responses to the pandemic, such as social distancing rules and temporary job retention schemes, opened more time for people to pick up the hobby they always wanted, or to tackle the tasks they never had time for. In the case of many cyber-security professionals, that hobby was ethical hacking.

According to Intigriti’s survey, the most significant appeal of full-time bug bounty hunting is the money, with 48 per cent declaring this as their number one attraction. The average base salary for a penetration tester in the UK is £38,624 (€46,060/$50,903) per annum, according to PayScale, and an additional 25 per cent increase would be significant for part-time bug bounty hunters.

The desire to be their own boss and ability to work their own hours closely follow, with 45 per cent of respondents listing both points as appealing aspects.

The educational benefits of bug bounty hunting are another key driver in this trend. The survey results indicate that this generation of tech talent isn’t getting what they need from employers to keep their skills and knowledge up to date, despite rising cyber-security threats. In information security, for example, 50 per cent of respondents say bug bounty hunting is where they learn the most relevant and valuable knowledge, while just 11 per cent said their jobs were the best avenue to learn.

Should businesses care about this trend?

When combining cyber-security skills shortages with the ongoing war for talent, organisations must pay attention to this trend. It’s the responsibility of security teams to protect their organisation’s networks, information, systems and assets while also managing defences against potential cyber-threats. It’s no secret that this is an arduous task, especially since cyber-threats are constantly evolving and increasingly sophisticated.

Ethical hacking communities are often the first discoverers of evolving security threats. For example, since May 2021, 64 per cent of Intigriti’s ethical hackers have encountered a vulnerability they’ve never seen before. Of this group, 33 per cent don’t believe the vulnerability had the potential to be picked up through traditional security testing methods, such as penetration tests. This is likely one reason why a staggering 90 per cent of respondents agreed that “a penetration test cannot provide continuous assurance that an organisation is secure year-round.”

Considering that an organisation’s security posture will change with each new feature release or update, implementing more security testing is not only a logical step but a critical one. As attackers shift tactics, cyber-defences must too, and the only way to test their effectiveness is to apply continuous pressure against them.

Get more insights and statistics from Intigriti’s second annual Ethical Hacker Report by downloading it today.

About the author: Inti De Ceukelaire, Head of Hackers at Intigriti, is an established bug bounty hunter and media personality in Belgium. He was one of the first members of Intigriti’s US competitor platform, HackerOne, and has been recognised by various social media companies and the US Department of Defense.

In 2018, after a five-day hacking competition in Las Vegas, Inti was presented with the “Most Valuable Hacker” award. Inti has also featured in national and international media as a subject matter expert and for his cyber-security awareness stunts.

Originally published on Business Reporter