
What drives white-hat hackers?

Security researchers who participate in bug bounty programs are highly coveted recruits for both industry and government agencies. To find out more about them, Bugcrowd, a provider of a crowdsourced security platform for bug bounty, vulnerability disclosure and pen testing programs, conducted a survey of nearly 3,500 security researchers worldwide who use its service.

The survey revealed that more than half live in urban environments and three out of four speak multiple languages. Surprisingly, they don’t hunt bugs for the money, which could be good news for agencies on tight budgets looking to hire more cybersecurity staff.

More than 60% reported pulling down a median annual income of just $25,000 or less, though many also said they only chase bug bounties on a part-time basis. Flexible hours and improved skills were also cited as motivations, as was the chance to solve difficult problems.

According to the survey, higher education is an important feature for many security researchers and their families. They're most likely to have obtained a college degree (49%) and to have parents who have done the same (36%), and they are three times less likely to drop out than their parents. The survey data "suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits."

The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on artificial intelligence, although 78% of survey respondents said AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyberattacks over the next decade.

"This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent," the company said.

A longer version of this article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

