As more companies see a return on investment from bug bounty programs, more ethical hackers are reaping the rewards of these trust-based relationships, which help build stronger security.
According to research conducted by Payscale, 30 percent of those who work as ethical hackers have only one to four years of experience. The salary range in the field (largely dominated by men at 93 percent) is anywhere from $53,000 to $108,000. Not only that, but of those 229 ethical hackers who participated in the survey, 100 percent of them rated their job satisfaction at 5 out of 5. They love their work.
Peter Adkins, one of Bugcrowd's top-rated researchers, worked his way up to that status in only one year. Adkins has long been interested in security from an offensive rather than a defensive perspective.
"I've always taken things apart," said Adkins. "At the start of last year, I was doing some work at home on a modem/router. I can't remember why I took it apart, but I noticed a vulnerability right away," he continued.
After he found a couple of glaring vulnerabilities, Adkins contacted the vendor and attempted to work with them on remediation. The process was incredibly frustrating, as it was nearly impossible for him to reach anyone who could fix the issues. "Some tools have a published security contact, but they aren't readily available. I called, and they said that they had to get hold of this person. Other times I had to go through the help desk," Adkins said.
Acting as the good guy trying to help turned out to be a challenge for Adkins, who was alerting vendors purely out of a sense of moral obligation. It wasn't his job. It was a hobby.
Eventually, the hobby began to drain his wallet. "Every time I took apart a device, I had to buy the device to test it, which became an expensive hobby. I started looking for other things I could actively do research on. Bugcrowd ran a list of bounty programs, and I was successful at a few of them," Adkins said.
Adkins is a systems guy who had long worked on implementing and building systems and networks. "I've always had an interest in security and how I can keep the networks secure," he said.
The problem with his hobby, Adkins found, is that most larger enterprises tend not to deal with ethical hackers directly. "A company like Bugcrowd is a liaison between researchers and vendors," Adkins said. Without a reputable middleman, reaching the right people was an obstacle. While Adkins noted that every company reacts differently, the responses he received ranged from "thanks" and "thanks but no thanks" all the way to nastily worded letters.