The Who and Why of Hacking
Written by Sue Gee   
Friday, 26 January 2018

The 2018 Hacker Report from HackerOne gives a rounded view of today's hackers revealing who they are and what motivates them. It also shows how hacking makes the money go around.


Started in 2012 by hackers and security leaders driven by a passion to make the internet safer, HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers. Having seen a 10-fold increase in users in the past two years it now is a community of over 166K registered hackers, defined in the report as:


HackerOne surveyed over 1,700 hackers who had successfully reported one or more valid security vulnerabilities on its platform and its report is based on 1698 respondents plus proprietary data based on over 900 collective bug bounty and vulnerability disclosure programs. 

Noting that its community of hackers includes representatives from practically every country and territory on the planet, India (23%), the United States (20%) Russia (6%), Pakistan (4%) and the United Kingdom (4%) are those HackerOne lists as the top five countries.

With regard to age, over 90% of bug bounty hackers on HackerOne are under the age of 35, with over 50% under 25 and just under 8% under the age of 18: 


Given the preponderance of younger hackers its not surprising that over 70% have only been hacking for 5 years or less. 


From the HackerRank survey of over 39,000 software developers that we reported earlier this week we discovered that almost three quarters of developers consider themselves self taught. This drops to 58% among hackers.

One recent development fostered by HackerOne is that hacking is now being taught for college credit in top tier universities like UC Berkeley, Tufts, and Carnegie Mellon. So whereas among the wider developer community only 70% had school or university education learning to code, among this elite group the proportion who had taken formal classes rose to over 90% with 20% having studied computer science and or programming at graduate level.


Looking at the hours per week spent hacking:


in conjunction with respondents' professional titles:hackeroneprof

reveals that the majority of hackers are insiders in the developer world but bug hunters in their spare time.

The report comments:

Hackers by night, students and tech employees by day. Almost half, 46.7%, of hackers work fulltime in the areas of information technology (IT), software or hardware development. Over 44% of those working in an IT profession specifically focus on security or security research, and 33% on software development. Just over 25% of hackers on HackerOne are students and 13% say they hack full time or 40+ hours per week. 


So what motivates hacking? This the survey finding:hackeronewhy


Commenting on this the report states:

Money remains a top reason for why bug bounty hackers hack, but it’s fallen from first place to fourth place compared to 2016. Above all, hackers are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second. Other top reasons for hacking include career advancement, the opportunity to protect and defend and to do good in the world. Overall, they want to improve and build upon their skill sets, have fun and contribute to a safer internet in the process.

Bug bounties do act as an important factor in deciding the targets that hackers chose to devote their effort, with 23% of hackers choosing companies to hack based on the bounties they offer. This is hardly surprising in view of another key finding of the report:

The top hackers based in India earn16x the median salary of a software engineer. And on average, top earning researchers make 2.7 times the median salary of a software engineer in their home country.

The report quotes Troy Hunt, an Australian web security expert who makes the point:  

Most bug bounties (usually) have no geographical boundaries which means the ROI for the bug hunter can be enormously attractive... Consider what the "return" component of the ROI is for someone living in a market where the average income is a fraction of that in the countries many of these services are based in; this makes bounties enormously attractive and gets precisely the eyes you want looking at your security things. Bounties are a great leveller in terms of providing opportunity to all.

This graphic from the report represents the collective outflow and inflow of bug bounty cash on the HackerOne platform over all time, amounting to more than $23.5 and shows an interesting distribution: hackeroneflow



More Information

The 2018 Hacker Report

Related Articles

Bug Bounty Bonanza

Wanted - Hacker Expertise

Developer Work and Pay

Developer Pay Satisfaction According To Stack Overflow

Never Too Early To Code According to HackerRank

HackerRank Reveals Which Universities Have Best Coders

HackerRank Reveals Where To Find Programming Talent 

HackerRank - Advance Your Coding Through Problem Solving


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

raspberry pi books



or email your comment to:

Last Updated ( Friday, 26 January 2018 )