Asking the crowd for help in fixing security problems is going mainstream. Microsoft, Facebook, and other tech giants have offered “bug bounties”—cash rewards or other prizes and recognition—to individuals discovering vulnerabilities in their products for years. (Ars even made it onto Google’s security wall of fame in 2014 for reporting a Google search bug, though we didn’t get a cash payout.)
But now, with even the government embracing “bug bounty” programs in an attempt to close vulnerabilities in systems before attacks happen, companies that manage “crowdsourced” vulnerability-disclosure programs are starting to move deeper into more conservative corporate territory. And as they do, companies like HackerOne, Synack, and Bugcrowd are placed in the position of having to convince people who view all hackers as security risks that their vulnerability hunters come in peace, just as the ranks of their “crowds” of would-be white hats swell.
To help cast a better light on its ranks, Bugcrowd today released numbers detailing the demographics of its 65,000-strong “crowd.” That release is buttressed by a survey of 500 sample members that offers some insight into who exactly signs up to participate in the public and private bug bounty programs run by the company. And the sketch the “Mind of a Hacker 2.0” report provides of the vulnerability-hunting community is one you might have pieced together on your own if you spent any time at a security conference lately: increasingly experienced and professional, diverse (at least from a national origin standpoint), highly educated, and mostly under 30.
This is the second time Bugcrowd has published a report on the company’s bug-hunt participants, but the company has been tracking demographics internally since Bugcrowd’s launch, according to founder, chairman, and CTO Casey Ellis. “The view behind [releasing the report] is, nobody knows what a hacker looks like,” Ellis told Ars in a phone interview. “When you do a Google image search on ‘hacker,’ you get this screen full of people in Guy Fawkes masks or hunched over laptops doing bad things—and that’s the perception of what it means to be a hacker, not just in the public’s mind, but in the mind of the folk we’re trying to work with and trying to connect with these people.” The goal of the report, Ellis explained, is to “basically humanize and demystify” the hacker community for the rest of the world.
“One of the things that’s been really interesting and has, to be honest, been consistent since we started the company is this prevalence of younger people using security research and bug bounty programs as an on-ramp into the security industry in general. Obviously, they’ve got the technical prowess, they’ve got the interest in the offensive side of it, and they want to contribute and make things safer as well.”
For most of them, bug hunting is a part-time endeavor, though 27 percent have aspirations of becoming full-time bug hunters. And 62 percent responded that they pour at least part of the money they earn bug-hunting back into professional development or to acquire more security-testing tools.
Drawn by the challenge of finding vulnerabilities in the systems of major government and corporate organizations, the bug hunters active with Bugcrowd have grown in number by 141 percent since last year. A little less than half (46 percent) have three or more years’ experience in the security industry; 41 percent have been involved in bug-bounty hunting for one to two years. But 14 percent have no experience in the security industry and come from other IT fields, and 15 percent label themselves as students.
“We have people coming in from backgrounds like software engineering and gaming and all sorts of other places where they’re clearly going to be helpful when it comes to discovering vulnerabilities and communicating that information, but they don’t have a track record of having had a career,” said Ellis. “And one of the great things about this model is that it’s meritocratic—it doesn’t really matter what your resume says if you’re able to deliver a result.”
Those abilities are reflected in the education level of participants. More than 82 percent of the bounty-seekers surveyed by Bugcrowd had at least some form of higher education, with 16 percent holding a master’s degree or higher. Most of their skills are Web-focused: 82 percent claimed a high level of proficiency in Web application testing, while 60 percent claimed to be highly skilled in Web API testing. But more than half claimed to be social engineering experts as well, and about 40 percent claimed expertise in source code analysis and Android application testing.
Perhaps because of the increasing visibility of bug bounty programs in the US, the number of US-based bug hunters has swelled over the past year, and the US has surpassed India as the country most represented in Bugcrowd’s rolls: 27.7 percent of the company’s 65,000 contributors are US-based, while 23 percent are from India.
“The way the community has grown is, it’s mostly organic,” said Ellis. “People join because their peers talk about bug bounty programs, and the community tends to grow along pre-existing interest-based networks. Also, the demand [for bug bounty programs] is still largely here in the US—it’s spread worldwide, but most of the demand is still in Silicon Valley.” The network effect also explains Australia’s over-representation in the Bugcrowd pool of talent (about 4 percent), since “I’m from here,” Ellis explained.
Great Britain (with 6 percent) and Canada (with just under 3 percent) round out the top five, but bug bounties have drawn participants from 216 countries.