Bug bounty programs have evolved from the public, open-to-anyone contests that they started as in 1995. Since then, a number of variables have surfaced, adding more complexity to the bug bounty ecosystem. The four main variables that our customers most commonly adjust to craft their programs are scope, program type (i.e. public or private), rewards and public disclosure policy. These variables work both independently, and in tandem with one another, to motivate specific behavior, and in some cases, attract different types of researchers.

As a bug bounty program matures, the goal is to tap into each and every one of the above personas, as each researcher brings his or her own perspective to a program. That is the true benefit of crowdsourced security testing, but we know that can’t always be immediately achieved. Below we have outlined some considerations to weigh when looking into setting up your program or taking your program to the next level.

HOW CAN UNDERSTANDING RESEARCHER MOTIVATIONS HELP YOU RUN A SUCCESSFUL BUG BOUNTY PROGRAM?

WHO ARE THEY?Through our recent survey, we gained insight into several groups of researchers that share some common traits. Below we’ve highlighted the characteristics of five distinct types of bug hunters that we’ve seen so far in the Bugcrowd community based on what their primary and secondary motivators are. As this community continues to expand, we expect these personas to evolve, and for new ones to emerge.

KNOWLEDGE-SEEKERS Although they only bug hunt part-time, The Knowledge-Seekers are excited about getting more involved with bug hunting. Most of these hunters are new to the bug bounty scene and have been at it for less than a year. While they’ve improved their skills and submitted some quality reports in the past year, 69% said they plan to submit more bugs in the next year. These researchers may not bug hunt full-time right now, but a good portion (38%) responded that they want to become a full-time bug hunter in the future.

MOTIVATORS: Education, challenge, funAGE: 55% are 18-29, making them one of the younger groupsLOCATION: 30% from US, 18% from India, 4% from Sweden, 4% from UKEDUCATION: Nearly 60% have a either a bachelor’s or advanced degree, with 18% of these researchers still identifying as studentsCAREER ASPIRATIONS: They are interested in security, as 38% aspire to be a full-time bug hunter in the future, followed by 28% who want to be a top security engineer at a highly esteemed companyYEARS OF EXPERIENCE: This group is largely new to bug bounty hunting, with nearly 90% having less than two years experience and 67% with less than a year

FULL-TIMERS The Full-Timers use bug bounties as their main gig, with 55% of this group saying they do bug bounties as their main source of income, and 65% of respondents plan to do even more bug hunting in the next 12 months. With the money they make bug hunting, they spend it paying their bills and living expenses. Likely due to the geographic concentration of this group in India, more than 55% say they need to earn less than $50K to be able to do bug bounty research full-time. We expect to see this group’s country origin diversify over the next year, as total bounty earnings continue to rise across all researchers, and already know of multiple researchers in North America and Europe that bounty hunt full time.

MOTIVATORS: Primary source of incomeLOCATION: Geography varies, but majority from non-Western regionsCAREER ASPIRATIONS: 55% aspire to be a full-time bug hunterYEARS IN BUG HUNTING: 72% have been bug hunting for less than two yearsTIME SPENT HUNTING: This group participates in bug bounties more than other groups, typically 10 - 30 hoursBOUNTY SELECTION CRITERIA: Broad scope, addressed in following section

PROTECTORSThe Protectors are a bit more altruistic than others in the community–their major motivation is making the Internet and the products they use safer. This group of researchers ranges in security industry experience, with 40% having less than a year of security industry experience, and 50% having 3+ years of industry experience. While money isn’t a primary motivator for this hacker, 58% say that it’s fairly important that a program offers rewards, with another 13% saying they only hack on programs with rewards. These researchers are interested in both private and public programs (34%), although 24% say they prefer private programs but will do both.

MOTIVATORS: To make the internet safer, challenge, educationPROFESSION: This group is also made up of professionals with 26% working as software engineers or developers and 18% as security engineersCAREER ASPIRATIONS: 34% aspire to become a security consultant, 32% want to become a full-time bug hunterYEARS IN SECURITY: 32% have 5+ years in the security industryTIME SPENT HUNTING: 47% bug hunt for five hours or fewer per week, 26% spend 6-10 hoursBOUNTY SELECTION CRITERIA: High potential to find a vulnerability, broad scope, untouched program

HOBBYISTS

For the Hobbyists, bug hunting is about the money and the fun of the hunt. Most of these hunters have day jobs in software security and use bug bounties as a side gig to inject variety into their penetration testing and earn some extra income, which they mostly spend on leisure and bills. Most of these researchers quite enjoy this hobby, as nearly 60% of these researchers plan to do more bug hunting in the next year.

MOTIVATORS: Expendable income, funEDUCATION: This is the most educated group, with over 80% having at least some college. 38% are college grads and 15% completed grad schoolPROFESSION: These bug hunters are employed outside of bug hunting. 22% are software engineers or developers, 19% are penetration testers, 18% are security engineers, and 16% are studentsYEARS OF EXPERIENCE: This group has the most experience bug hunting, with 30% having 5+ years of experience under their belts, 19% with 3-4 years, and 22% with 1-2 yearsTIME SPENT HUNTING: 62% spend less than 5 hours a week hunting, which is less than the other personasBOUNTY SELECTION CRITERIA: High potential to find valid vulnerabilities, challenging target, untouched program

VIRTUOSOS The Virtuosos tend to have the most security industry experience. They have worked in the industry longer than any other group, as 33% of this group have been at it for at least five years. For these bug hunters, what drives them to do bug bounty research is primarily the thrill of the challenge. Most of these researchers have full time jobs, as nearly 60% of them only bug hunt part-time and do not aspire to hunt full-time.

MOTIVATORS: Challenge, education, money, skill retention EDUCATION: This group is also very educated, with 71% having graduated from college and another 31% having received a graduate degreePROFESSION: These bug hunters mostly have full time jobs. 31% are security engineers or penetration testers, with another 31% working as a software engineer or developerYEARS IN SECURITY: 33% have been in the security industry for at least five years, making them the most experienced in the security industry.TIME SPENT HUNTING: Similar to the Hobbyists, they spend limited time bug hunting–63% spent five hours or fewer per week and 65% submitted five bug reports or fewer in the past yearBOUNTY SELECTION CRITERIA: Challenging target, broad scope and potential to find a valid bug

“PRIVATE PROGRAMS WITH ONLY A HANDFUL OF DEDICATED RESEARCHERS IS WHERE I’VE HAD THE MOST SUCCESS

AS A BUG BOUNTY HUNTER. THESE PROGRAMS ARE GREAT BECAUSE

YOU CAN REALLY BEGIN TO BUILD A RELATIONSHIP WITH THE COMPANY

OVER THE LIFETIME OF THE PROGRAM, IMPROVING THE COMPANY’S SECURITY AND YOUR BUG HUNTING EXPERIENCE

AT THE SAME TIME.”

LUKE YOUNG, UNITED STATESLEARN MORE ABOUT BOREDENGINEER

“SECURITY IS WHAT I LOVE AND BUG BOUNTIES OPEN THE POSSIBILITY OF DOING SECURITY WORK, IN MY CASE

INTO WEB APPLICATIONS, WITHOUT THE POSSIBILITY OF GETTING JAILED AND

ALSO MAKING THE WEB MORE SECURE. ONE BUG MIGHT TAKE HOURS TO FIND,

BUT EVERY SINGLE BUG IS THRILLING TO LOOK FOR. IN ADDITION, BUG BOUNTY

EQUALS PROFIT, CONSIDERING THE EXCHANGE RATE FROM BOUNTIES PAID

IN USD TO PHILIPPINE PESO.”

CLIFFORD TRIGO, PHILIPPINESLEARN MORE ABOUT CLIFFORDTRIGO

I SPENT A LOT OF TIME AS A TEENAGER PROGRAMMING WEBSITES AND

LEARNING APPLICATION SECURITY, SO I ALREADY HAD A LOT OF PASSION FOR BUG BOUNTY HUNTING BEFORE IT WAS EVEN A THING. I THINK THAT

PASSION, WITH THE ADDED INCENTIVE OF MONEY IS WHAT DRIVES ME TO KEEP

HUNTING FOR BOUNTIES IN THE FEW HOURS I HAVE A NIGHT. IT ALSO HELPS

ME STAY RELEVANT AND UP-TO-DATE ON THE LATEST APPLICATION SECURITY

TECHNIQUES TO BRING BACK TO MY COMPANY.

BRETT BUERHAUS, UNITED STATESLEARN MORE ABOUT BBUERHAUS

“SECURITY IS EVERYWHERE. YOU CAN’T IGNORE IT, THAT’S A FACT. WHEN I TALK ABOUT SECURITY, PEOPLE IMMEDIATELY UNDERSTAND AND RESPECT WHAT I’M

DOING. PEOPLE HAVE A HUGE AMOUNT OF RESPECT FOR MAKING THE WORLD A BETTER PLACE, AND THAT’S WHAT WE’RE DOING. WE’RE DOING IT ONE COMPANY

AT A TIME.”

FRANS ROSEN, SWEDENLEARN MORE ABOUT FRANSROSEN

“I THINK BUG BOUNTIES ARE GETTING MORE AND MORE POPULAR AND

COMPANIES WILL BE MORE LIKELY TO USE THEM IN THE FUTURE TO REDUCE

HOLES IN THEIR INFRASTRUCTURE. IT’S A WIN-WIN SITUATION AS IT ALSO GIVES THE OPPORTUNITIES TO YOUNG SECURITY PASSIONATES TO IMPROVE THEIR EXPERIENCE ON REAL SYSTEMS

AND EXPAND THEIR KNOWLEDGE.”

NICOLAS DEVILLERS, FRANCELEARN MORE ABOUT NIKAIW

BUGCROWD INC. WWW.BUGCROWD.COM HELLO@BUGCROWD.COM +1 (888) 361-9734

An organization’s applications, business goals and priorities will determine the scope for a program. To learn more about what to consider when setting up a scope, read our resource on scoping 101. The breadth of scope appeals to different kinds of people with different skills and there are pros and cons to each.

SCOPE

View Constant Contact’s program across multiple targets

Learn about Instructure’s private program on their LMS, Canvas

WIDE SCOPE: To most researchers, a wide open scope (think *.company.com) signifies that an organization takes their application security seriously, as they generally believe ‘bad guys don’t adhere to scope, so why should a bug bounty?’ Oftentimes, bug hunters like the Virtuosos, Full-Timers and the Protectors, only take part in these kinds of programs. Having a wide scope, however, can be hard to manage straight out of the gate, and can make it difficult to bring focus to more complex applications.

NARROW SCOPE: Having a narrow scope can be successful for more specialized or complex targets that your organization wants to draw attention to, appealing to a specific technical skill a bug hunter might have. On the flip side, more focused programs may attract folks that are just starting out like the Knowledge Seekers. Additionally, they are often run as private programs, discussed further in the next section.

There are multiple uses and reasons for opting to run either a public or private bounty program, which you can read in our guide to private vs. public. While 86% of survey respondents stated that they participate in both private and public programs, with varying degrees of preference, both types can attract specific types of researchers.

PRIVATE PROGRAMS: Invite-only programs optimize for a smaller group of researchers who have been invited based on four measures; activity, accuracy, impact and trust. For participants in these programs, this means there will be less competition, which to many researchers translates into greater efficiency and lower duplicate rates. These people are, generally speaking, more experienced or skilled, such as Virtuosos and Full-Timers.

PUBLIC PROGRAMS: These open-to-anyone programs naturally attract a larger pool of people, regardless of motivator, as they are accessible to any researcher. Many companies start with a private program prior to going public so they can learn the ropes operationally with a smaller group of invited researchers, typically from the Virtuosos or Full-Timers for the reasons mentioned above. Once the program goes public, they attract additional researchers from the Knowledge Seekers, Hobbyists and Protectors.

Learn more about the best uses for public and private bug bounty programs.

PROGRAM TYPE

Read more about Aruba’s private bug bounty program

Learn why Western Union took their program from private to public

PUBLIC DISCLOSURE POLICY Disclosure policies vary from program to program, as each organization defines its own unique policy for vulnerabilities reported through their bounty program. Read more about Bugcrowd’s disclosure policies and benefits, as well as how trust impacts the disclosure process between researchers and vendors.

Learn more about Tesla’s unique disclosure policy & public program

Overall, 73% of survey respondents stated that it was either ‘fairly important’ or a non-issue if a program had a coordinated disclosure policy, and yet offering one may affect what kinds of researchers will work on a program. For bug hunters like the Full-Timers and Virtuosos, public disclosure can be a form of prestige– expressing the skill or knowledge it took to find something noteworthy. For bug hunters such as the Protectors, it can also be an educational tool–teaching peers about vulnerabilities found in the wild, or consumers about their risk. Being able to disclose vulnerabilities can also provide career opportunities and community klout for individuals just getting started like the Knowledge Seeker.

Topics of discussion around bug bounty rewards include types of rewards, monetary or nonmonetary, as well as what appropriate minimum and maximum monetary rewards should be. Read our Defensive Vulnerability Pricing Model to learn more about how organizational security maturity, target complexity and criticality can determine appropriate reward range for your program.

REWARDS

In 2016, Jet.com increased their reward ranges–read why

Learn more about FitBit’s commitment to security research

As we mentioned before, not everyone is motivated by money, but the presence of monetary incentivisation can activate specific types of people, namely those who spend more time bug hunting, such as Full-Timers, and those who are typically more experienced. That being said, 56% of all survey respondents stated that it was ‘fairly important’ to them that a program offered monetary rewards, followed 20% of respondents who only participate in programs that offer rewards.

Furthermore, rewards aren’t just about the money. With the adoption of a marketplace model, rewards are the chosen metric to represent value–whether that’s time, skill or expertise. To bug hunters such as the Knowledge Seekers and Virtuosos, earning a bounty is less about getting money in their pockets, but the value of their work.

In many cases, programs may start out as strictly responsible disclosure, in order to gain attention from those not primarily motivated by money such as Protectors, Virtuosos or Knowledge Seekers, and eventually add and even increase rewards.

THANK YOU

The bug bounty community is a truly global group of people, coming from all walks of life, with diverse backgrounds, technical skills and expertise. This diversity is what fuels the power of the crowdsourced cybersecurity economy, connecting a community of skilled, creative individuals with organizations that need their help.

As this market grows and evolves from the small group of hackers it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely. This summer we set out to gain more insight on the makeup of the bug bounty community to shed light on some of those motivations. From our data, we created this report which...

• Provides a glimpse into the Bugcrowd community as a whole • Identifies five distinct types of bug hunters and what they’re motivated by• Explores program variables that can motivate and encourage different kinds of bug hunters and the community as a

whole

We encourage bug hunters to read on to learn more about your fellow peers, and bounty program owners and managers to use this as an opportunity to learn how to improve your programs and encourage engagement with this skilled and vibrant community.

INSIDE THE MIND OF AHACKER

TIP #1: “FOR THOSE WHO HAVE NOT YET

STARTED ON BUG BOUNTIES: DIVE IN, YOU WILL FIND BUGS AND IT WILL BE WORTH YOUR TIME. I OFTEN TALK TO PEOPLE THAT THINK PUBLIC BUG

BOUNTIES ARE NOT WORTH THEIR TIME BECAUSE “ALL THE BUGS HAVE ALREADY

BEEN FOUND”. I ASSURE YOU, THAT IS DEFINITELY NOT THE CASE!”

MONGO, PORTUGAL

TIP #4: “LINKEDIN PROFILES, COMPANY

‘CAREERS’ PAGES AND PUBLIC MAILING LISTS ARE YOUR FRIEND! IF YOU WANT

TO KNOW WHAT YOU’RE LIKELY TO ENCOUNTER IN A GIVEN STACK, SEE

WHAT SORT OF DEVELOPERS, Q.A. AND OPERATIONS SKILL-SETS A COMPANY IS

EMPLOYING.” DARKARNIUM, CANADA

TIP #7: “NEVER IGNORE THAT ‘WAIT THIS

DOESN’T LOOK RIGHT’ FEELING. KEEP POKING AT IT! WHEN YOU FIND A

VULNERABILITY, SPEND SOME TIME PLAYING WITH IT AND LEARN FROM WHAT YOU FIND. THERE IS ALWAYS

SOMETHING UNIQUE ABOUT A SPECIFIC VULNERABILITY THAT COULD BE USEFUL

TO KNOW IN THE FUTURE.”FUZZYBEAR, UNITED STATES

ADVICE FOR HACKERS, FROM HACKERSTIP #3:

“I WOULD SUGGEST THE NEW RESEARCHERS TO TEST ON KUDOS ONLY

PROGRAMS IN THEIR INITIAL STAGES SO THAT THEY GET EXPERIENCE WITH REAL WEBSITES AND INCREASE THEIR

RANKS IN THE RESPECTIVE PLATFORMS LEADING TO PRIVATE INVITES.”

VISHNU_VARDHAN_REDDY, INDIA

TIP #6: “READ VULNERABILITY WRITE-UP’S

FROM OTHER RESEARCHERS AND TRY TO LEARN FROM THEM...USE TWITTER

TO CONNECT TO OTHER RESEARCHERS AND FOLLOW THEM. IT’S USUALLY A

GREAT RESOURCE TO FIND OUT ABOUT VULNERABILITIES. AND FINALLY, SHARE YOUR KNOWLEDGE WHEN YOU COME

ACROSS FUN BUGS!” MICO, UNITED KINGDOM

TIP #9: “ONCE YOU’VE FLESHED THE BUG OUT,

WRITE A GREAT REPORT - DON’T LET YOUR AWESOME BUG BE LET DOWN BY A TWO-MINUTE “IT’LL DO” SUBMISSION. MAKE IT SHINE. A GOOD BUG REPORTED POORLY IS A POOR SUBMISSION. PUNCH OUT A REPORT THAT’LL BE SHOWN TO MANAGEMENT AS JUSTIFICATION FOR

THE PROGRAM’S EXPENDITURE.” JUSTINSTEVEN, AUSTRALIA

TIP #2:“PATIENCE. IT CAN TAKE TIME TO

REALLY LEARN THE APPLICATION AND THE BETTER YOU UNDERSTAND HOW

THE APPLICATION WORKS, AND HOW A NORMAL USER IS INTENDED TO USE THE APPLICATION, YOU START TO GET A FEEL

FOR WHERE THE MORE INTERESTING THINGS ARE.”

CDUNHAM, UNITED STATES

TIP #5: “ASK QUESTIONS. THERE ARE COOL

PEOPLE OUT THERE THAT COULD HELP YOU. ASK AND YOU SHALL RECEIVE.” 

NIJAGAW, ENGLAND

TIP #8: “DO NOT RELY ON AUTOMATED

SCANNERS: MOSTLY IN BUG BOUNTY PROGRAMS, VENDORS WOULD HAVE

USED DOZENS OF AUTOMATED VULNERABILITY SCANNERS, AND

PATCHED THE FINDINGS... I DON’T MEAN THAT AUTOMATED VULNERABILITY

SCANNERS ARE NOT HELPFUL, BUT IN THE BUG BOUNTY WORLD, IT’S RARE TO

FIND A VALID BUG USING VULNERABILITY SCANNERS.”

MAZEN160, UNITED ARAB EMIRATES

EXPLORE MORE RESEARCHER SPOTLIGHTS AND INTERVIEWS >

1,000+

500 to 999

100 to 499

10 to 99

Less than 10

SNAPSHOT OF THE BUGCROWD COMMUNITY

38K+TOTAL RESEARCHER SIGN UPS AS OF SEPTEMBER ‘16

132%AVERAGE YEAR OVER YEAR

GROWTH AS OF SEPTEMBER ‘16

112COUNTRIES REPRESENTED

AS OF SEPTEMBER ‘16

Since 2013 we’ve enjoyed watching and helping our community grow into the vibrant, self-educating group of talented and passionate security researchers that it is today in 2016. The true value of the community, however, is its’ diversity and quality. Born from varying geographic locations, backgrounds and experiences, this community comes from all walks of life.

GEOGRAPHYBugcrowd researchers come from all over the world, and as of September 1, 2016, the United States (29%) and India (28%) have the most sign-ups, followed by the United Kingdom (6%), Australia (3%), and Germany (2%). Researcher sign-ups by region is represented below.

The countries with the most submissions vary slightly, as do countries with the most bounty payouts. Read more about researcher activity and quality by geography in our 2016 State of Bug Bounty Report.

LEARN MORE ABOUT BUGCROWD’S COMMUNITY >

AGE, EDUCATION + PROFESSIONBased on our survey responses, we found that on the whole, this community is relatively young. Nearly 60% were between 18 and 29 years old, followed by 34% who were between 30 to 44. Additionally, bug bounty hunters are no strangers to the classroom according to survey data. Those with a college degree made up the largest group among participants (37%), followed by those with graduate degrees (21%). Of all survey participants, 84% had attended college for some period of time.

While most respondents are employed outside of bug hunting or identify as students, 15% of respondents identified as full time bug hunters and we see this number growing. Furthermore, their professions varied–the most common professions reported were software developer/engineer (23%) followed by penetration tester (17%) and security engineer (15%).

SKILL SETS AND EXPERTISEWhen asked which technologies they had intermediate to advanced skill in, 95% of respondents of our aforementioned survey felt they had intermediate or advanced knowledge of web application testing, 48% in Android, 28% in iOS and 15% in IoT. While the Bugcrowd community is made up of security researchers with expertise across numerous technologies, accessibility, complexity and opportunity contribute largely to these responses.

0% 25% 50% 75% 100%

SCADA

Mobile OS/Baseband

Mobile App - other

IoT/hardware

Malware Analysis

Network Appliance

Reverse Engineering

Mobile App - iOS

Desktop/Server software

Linux

Network Infrastructure

Mobile App - Android

Code Review

APIs/Web Services

Web App

In just a few short years, the bug bounty space has evolved from a small-scale culture-driven novelty into a thriving industry with some ‘zeros’ behind it and real earning potential. With that evolution, we’ve seen both sides of the marketplace mature, and expect this trend to continue for years to come.

The growth of the security community has coincided with an increase in bug bounties with more complex attack surfaces that require researchers with more skill sets and a wealth of experience. As the bug bounty market has become more efficient in its ability to connect talent with the need for security testing, the community needs to continue to self-educate and increase the breadth and depth of our skills.

At Bugcrowd, we see it as part of our responsibility to understand and support the community of researchers, and it is our hope that by exposing the broader audience to the nuance and diversity present in this community, we can help grow the overall market opportunity for researchers all over the world. While we don’t see this as an all-inclusive report on the bug hunter community, we do believe this an exciting first look at bug bounty hunters, some of their motivations, and the factors in play when they choose the bug bounty programs they work on.

Thanks to everyone who has supported Bugcrowd in the past several years. We also want to extend our appreciation for the individuals who have consistently given us feedback, helping improve Bugcrowd so that it continues to better support the needs and desires of this diverse community. Finally, to those who helped contribute to this report, in small and big ways–thank you.

-Sam Houston, Sr. Community Manager