Ethical hackers contracted via HackerOne earned a total of US$40 million (£31 million) in 2019 - nearly as much as the US$42 million (£32.5 million) that the company has been paid for bounties in all previous years since it started up in 2012, according to a report published by the company.
The company’s 600,000 individuals on its books, working on more than 1,700 customer programmes, have discovered more than 150,000 vulnerabilities.
As its hacker base diversifies, hackers from Switzerland and Austria earned a combined over 950 percent more than in the previous year, and hackers from Singapore, China, and other countries in APAC earned over 250 percent more than in 2018.
Among the report respondents nearly 40 percent devote 20 hours or more per week to their search for vulnerabilities and 18 percent of survey respondents described themselves as full-time hackers - which - if representative of the whole cohort - would indicate 108,000 ful time bug bounty hunters out there. And although this is only one company, and there is nothing to stop freelancers working for multiple organisations, nonetheless it does provide a baseline minimum number that does not include those employed at pentesters whose contracts preclude freelance work.
In an email to SC Media UK, Jake Moore, Cybersecurity Specialist at ESET commented: “Ethical hacking remains a difficult area for most companies to fully understand, but it is a vital extra tool in the cyber-security tool kit.
“Ethical hacking can often find extensive vulnerabilities that other methods cannot, which highlights the critical protection it offers. Larger companies employ ethical hackers or agencies like this to act as an extra, independent pair of eyes to observe code, finding details that may go unnoticed in-house.
“Of course, it comes with a risk, but it’s about weighing that up against the risk of the type of attack a business may face from threat actors. More and more, we are seeing the value that ethical hacking can bring – as the financial reward that comes with it.”
The risks include, who are you employing to attack your system - and what if they get a better offer for vulnerabilities discovered, as SC Media UK was told by high profile hackers Laurie Love and Jake Davis at a roundtable event.
Nonetheless, high profile companies such as General Motors, Google, Goldman Sachs, Toyota and IBM do use HackerOne’s services to find the bugs that their own teams did not.