Future Job: Corporate Bug Hunting

HR professionals take note: look out for bug hunting skills in resumes.

The insight comes from Bugcrowd's latest Inside the Mind of a Hacker Report, which examines the demographics and motivations of the bug hunting community.

It showed a growing prevalence of bug hunting, which in turn is opening new inroads into cybersecurity careers. According to the report, 81 percent credited their bug hunting experience with helping them get a job in cybersecurity.

"Bug bounties have impacted my life by teaching me skills that I didn't know from doing traditional pentesting," said Phillip Wylie, security researcher at Bugcrowd.

Bug hunting is already a lucrative side job for many. In the Bugcrowd hacker community, for example, 50 percent carry out bug hunting on top of a regular nine-to-five job.

They are focused on their infosec careers, with nearly 32 percent wanting to be full-time bug hunters and more than 20 percent looking to be top security engineers or CISOs at large tech companies, said the report.

The depth and breadth of this community are meaningful for an industry currently facing a massive skills shortage, with Cybersecurity Ventures predicting there will be 3.5 million cybersecurity job openings by 2021.

"Cybersecurity isn't a technology problem, it's a people problem - and in the whitehat hacker community there's an army of allies waiting and ready to join the fight," said Casey Ellis, founder and CTO at Bugcrowd.

"Bug hunting is a perfect entry point for would-be infosecurity professionals to gain real-world experience, as well as for seasoned professionals to hone their skills and supplement their income. With cybercrime expected to more than triple over the next five years, bug hunting addresses the dire need for security skills at scale."

Other key findings include:

  • Bug hunters are continuous learners: Professional development continues to be a top motivation for hackers, with security tools for professional development being among the top two items hackers spend their bug hunting earnings on (in addition to living expenses). The top three reasons hackers give for participating in bug bounty programs are, in order, the challenge, professional development and education.
  • Driven by the hacker hustle: Bug hunters are extremely driven, with 66 percent spending up to 10 hours per week bug hunting. That is significant given that more than 50 percent are bug hunting on top of a regular nine-to-five job. Nearly 72 percent of the hacker community are ages 18-29 – they're young, ambitious and eager to develop their skills.
  • Women show promise in bug hunting: Cybersecurity continues to be a male-dominated field. Yet 72 percent of women hackers have used their bug hunting experience to get a job in security – helping make a small dent in the security industry's gender imbalance.
  • Full-time bug hunters on the rise: More than 22 percent of hackers consider bug hunting their full-time profession, with 32 percent aspiring to be full-time bug hunters. Bug hunting as a career is an increasingly viable option for top-notch hackers, with the average total payouts for the top 50 Bugcrowd researchers coming in at USD 145,000 and the average submission payout at USD 783.