
What drives white-hat hackers?

Security researchers who participate in bug bounty programs are highly coveted recruits for both industry and government agencies. To find out more about them, Bugcrowd, a provider of a crowdsourced security platform for bug bounty, vulnerability disclosure and pen testing programs, conducted a survey of nearly 3,500 security researchers worldwide who use its service.

The survey revealed that more than half live in urban environments and three out of four speak multiple languages. Surprisingly, they don’t hunt bugs for the money, which could be good news for agencies on tight budgets looking to hire more cybersecurity staff.

More than 60% reported pulling down a median annual income of just $25,000 or less, though many also said they only chase bug bounties on a part-time basis. Flexible hours and improved skills were also cited as motivations, as was the chance to solve difficult problems.

According to the survey, higher education is an important feature for many security researchers and their families. They're most likely to have obtained a college degree (49%), have parents who have done the same (36%) and are three times less likely to drop out than their parents. The survey data "suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits."

The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on artificial intelligence, although 78% of survey respondents said AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyberattacks over the next decade.

"This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent," the company said.

A longer version of this article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

