
HackerOne 2018 White Hat Hacker Report (English edition), 2018.10, 40 pages

hack'er
/'ha–ker/
noun
one who enjoys the intellectual challenge of
creatively overcoming limitations
At HackerOne, we agree with Keren Elazari: hackers
are the immune system of the internet. Just like we
need the Elon Musks to create technology, we need the
Kerens and the Mudges to research and report where
these technological innovations are flawed.
The internet gets safer every time a vulnerability is
found and fixed. The HackerOne community of security
researchers are doing their part day in and day out to
do just that: hunt the issues and responsibly report the
risks to organizations so they can be remediated safely
before being exploited by criminals. The community is
strong and it is growing: we’ve seen a 10-fold increase
in registered users in just 2 years.
With 1,698 respondents, The 2018 Hacker Report is
the largest documented survey ever conducted of the
ethical hacking community.
As you read through the report, you will see the curious,
tenacious, communal and charitable nature of the
hacker community.
One in four hackers have donated bounty money to
charity, many hackers share knowledge freely with
other hackers and security researchers, and they have
helped the U.S. Department of Defense resolve almost
3,000 vulnerabilities - without receiving a cash bounty.
Executive Summary
They report security vulnerabilities because it’s the right
thing to do.
Hacking is being taught for college credit in top tier
universities like UC Berkeley, Tufts, and Carnegie Mellon.
Hackers around the world are earning more money
through bug hunting than ever before. Bounties are a
great equalizer with opportunity for all. Some hackers
are earning over 16x what they would make as a full time
software engineer in their home country.
While we have achieved much, there is much work to still
be done. Most companies (94% of the Forbes Global
2000 to be exact) do not have a published vulnerability
disclosure policy. As a result, nearly 1 in 4 hackers have
not reported a vulnerability that they found because
the company didn’t have a channel to disclose it. Read
the “Companies are Becoming More Open to Receiving
Vulnerabilities” section for more on this challenge and
the progress that’s been made to date.
Consider this report a dossier on the vital members of
our modern digital society, hackers. Gain insights on the
hacker mindset, see statistics and growth metrics of
where they are from, what vulnerabilities they find and
even get to know some of the individuals involved in the
incredible bug bounty community.
We are in the age of the hacker. Hackers are lauded as heroes,
discussed daily in the media, villainized at times, and portrayed
by Hollywood - anything but ignored.
166K+ TOTAL REGISTERED HACKERS
*As of December 2017
72K+ TOTAL VALID VULNERABILITIES SUBMITTED
$23.5M+ TOTAL BOUNTIES PAID
Key Findings
Bug bounties can be life changing for some hackers. The top hackers based
in India earn 16x the median salary of a software engineer. And on average, top
earning researchers make 2.7 times the median salary of a software engineer in
their home country.
Nearly 1 in 4 hackers have not reported a vulnerability that they found
because the company didn’t have a channel to disclose it.
Money remains a top reason for why bug bounty hackers hack, but it’s fallen
from first to fourth place compared to 2016. Above all, hackers are motivated
by the opportunity to learn tips and techniques, with “to be challenged” and “to
have fun” tied for second.
India (23%) and the United States (20%) are the top two countries
represented by the HackerOne hacker community, followed by Russia (6%),
Pakistan (4%) and United Kingdom (4%).
Nearly 58% of them are self-taught hackers. Despite 50% of hackers having
studied computer science at an undergraduate or graduate level, and 26.4%
studied computer science in high school or before, less than 5% have learned
hacking skills in a classroom.
While 37% of hackers say they hack as a hobby in their spare time, about 12%
of hackers on HackerOne make $20,000 or more annually from bug bounties,
over 3% of which are making more than $100,000 per year, 1.1% are making
over $350,000 annually. A quarter of hackers rely on bounties for at least 50%
of their annual income, and 13.7% say their bounties earned represent 90-100%
of their annual income.