In the past month, we’ve been addressing some commonly held misconceptions about the bug bounty model, outlined in our guide, 7 Bug Bounty Myths, Busted. So far we’ve discussed the misconception that bug bounties are all public, examined the types of companies engaging with the bug bounty model, and debunked the perception some have that bug bounties are too risky. This week, we’re talking about the folks that make this economy go ‘round… the security researchers.
Myth #4: You Can’t Trust Hackers
False. With the right guidelines and incentives, white hat hackers are the good guys: security researchers who approach breaking into code the way an adversary would, in order to help organizations.
The beauty of the bug bounty model is that it brings together folks from all different walks of life, allowing organizations to leverage talent from around the globe–something that would be nearly impossible otherwise. Our crowd is made up of tens of thousands of security researchers who come from over 100 countries and range in experience–from students just learning about security and hacking to some of the world’s top security talent. These allies are fueled by a desire to help combat cyber attacks using their technical skills and expertise, rather than by malicious intent. Central to our mission here at Bugcrowd is cultivating this community.
You’ll see that many of these researchers work full time in security–commonly as penetration testers and/or security engineers. Many people forget that bug bounty programs are great not only for newbies getting familiar with security testing but also for industry pros looking to keep their skills up to date or earn some cash on the side.
Who are they?
Read our recent report, Inside the Mind of a Hacker, to get a full breakdown of our crowd based on geography, age, profession, experience and more. The report also dives deep into the many motivations of bug hunters. As this market grows and evolves from the small group of hackers it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely.
Bug hunters are young, ambitious, and always looking to expand their knowledge and build on their skill set through the challenge of the hunt. 62% of bug hunters reinvest earnings from bug hunting back into their craft, spending it on security tools and training. Most researchers aren’t “full-time” bug hunters—they hold regular 9-5 jobs… though many would like to be.
We encourage all of our researchers to go through our I.D. verification process in which we verify identity and geography through a third-party provider. This may be useful for organizations that require identity or geography verification for compliance or legal reasons, or if geography may impact application accessibility. This goes beyond the vetting process of many pentesters, who may only go through an interview, reference calls or criminal background check.
The proof of the talent present in these crowdsourced security programs lies within the results. For our customers who require a more refined crowd with specific skill-sets, we run private programs with a skills-vetted and trusted crowd.
Want to learn more about common misconceptions about bug bounty programs? Download our guide to get more in-depth commentary on the seven bug bounty myths in the coming weeks.