HackerOne has put $100 million up for grabs in Bug Bounty rewards for “ethical hackers” over the next two years, the bug bounty platform said in a press release announcing the results of its 2018 Hacker Report. Many other programs are also available, making ethical hacking a lucrative business for some.

Ethical hacking, formally described as “penetration testing” (or pen test), is the practice of waging authorized simulated attacks on a computer system to evaluate the system for weaknesses that bad actors could exploit.

The 2018 Hacker Report examines the geography, demographics, experience and tools used, as well as the motivations of nearly 2,000 bug bounty hackers across 100 countries. The results are based on the largest survey ever of the ethical hacker community.

Hacking more profitable than traditional engineering for some

The major takeaway from the report is that ethical hacking has become more lucrative than software engineering – at least for some. In other words, some researchers have found they no longer need a day job.

Platforms like HackerOne are undoubtedly a strong influence behind this trend. The company has announced a generous budget for the next couple of years in terms of rewards (emphasis ours):

“This new data comes on the heels of HackerOne’s fastest-growing year, with 1,000 customer programs and more than $23M in bounties awarded to the hacker community. The company plans to pay over $100 million in rewards to hackers by 2020,” reads the press release.

Apparently top-earning ethical hackers make up to 2.7 times the salary of a software engineer. In India, hackers are making as much as 16 times the median salary of their engineering counterparts.

At the same time, the data indicates that some hackers are becoming less motivated by monetary gain, with as many as 24 percent donating their bounty money to organizations like the Electronic Frontier Foundation (EFF), Red Cross, Doctors Without Borders, Save the Children and animal shelters.

Other findings include:

• A quarter of hackers rely on bounties for at least 50 percent of their annual income
• 14 percent say their bug bounty hunting generates 90-100 percent of their annual income
• 12 percent make $20,000 or more annually from bug bounties
• 3 percent make more than $100,000 per year and
• 1 percent make over $350,000 annually
• Over 90 percent of all successful bug bounty hackers are under the age of 35
• 45 percent are between 18 and 24 years of age
• 37 percent hack as a hobby in their spare time

No shortage of bug bounty platforms to choose from

Vulnerability coordination platforms leverage the findings of ethical hackers – essentially white hat hackers – to help make the Internet a safer place.

Search giant Google has been running such a program – the Vulnerability Reward Program (VRP) for Google-owned web properties – since November 2010.

Google also maintains a program dedicated to making Google Play Store a safer place. In October 2017, the company announced that the Google Play Security Reward Program will reward researchers who find and report security problems in Android apps sold on its app store.

Like HackerOne, Google is not stingy with its rewards – sometimes offerings tens of thousands of dollars per vulnerability found (depending on the severity of the flaw). For example, finding a single vulnerability that gives direct access to Google servers can pay anywhere from $100 to more than $30,000.

Other notable bug bounty programs include: “The Internet Bug Bounty,” a joint effort between Facebook and Microsoft; “Hack the Pentagon,” the U.S. federal government’s first bug bounty program; and “Open Bug Bounty,” a crowd-sourced program that discloses website security vulnerabilities and relies on the good will of the affected website operators to obtain rewards.