By Stuart Corner
The Indian subcontinent appears to be the epicenter of ethical hacking, a profession whereby hackers are hired by organizations to hunt for vulnerabilities in their IT systems.
The Ethical Hacking Pioneer: Bugcrowd
US-based company Bugcrowd operates an online platform through which it matches ethical hackers with clients seeking to have their systems probed. The company claims to have around 650,000 hackers on the platform.
Bugcrowd was founded in Australia in 2012 but moved its headquarters to San Francisco in the US, and is now supported by several venture capitalists. Core to the company’s operations is its Security Knowledge Platform, which matches hackers with customers. When a client matches with a hacker through Bugcrowd, they agree to a fee structure for each vulnerability discovered, based on its severity.
Recently, Bugcrowd conducted a survey of its hacker community and released a report titled "Inside the Mind of a Hacker." According to the report, the top five countries represented in its hacker community, in order, are India, Bangladesh, the United States, Pakistan, and Nepal. Most of its hackers are young: 57 percent are between the ages of 18 and 24, and only two percent are over 45.
The company's CEO, Dave Gerry, told a press conference in Melbourne, held to coincide with the Australian Cyber Conference, that hackers in the Bugcrowd community have a wide spectrum of involvement. He said, "Some are doing it on nights and weekends and earning a few thousand dollars a year, all the way up to folks that are pulling in close to a million or over a million dollars a year."
The Value of Crowdsourced Ethical Hacking
Dave Fairman, Chief Information Officer (CIO) for APAC at the cybersecurity company Netskope, which is also a Bugcrowd customer, and an advisor to the Bugcrowd board, addressed the press conference. He highlighted the value of crowdsourced ethical hacking as "the ability to be able to build out a capability that has literally thousands of analysts or hackers actively probing your systems to identify vulnerabilities."
He added: “In a technology company, in a financial institution that's undergoing an extensive digital transformation, it's very, very hard to keep pace and identify every vulnerability. To build an internal capability, a traditional pen testing team, a thorough vulnerability management function is really, really tough. And you have limited budget, you have limited resources. A platform like Bugcrowd allows you to scale at pace extremely cost efficiently.”
Do Financial Incentives Serve as a Motivation for Bugcrowd Hackers?
One client, Everest VPN, made headlines when it offered a 100,000 USD reward to any hacker who could find vulnerabilities in its VPN server that would result in leaking the real IP addresses of clients or the ability to monitor user traffic. At the time, in August 2022, it was the highest reward offered through Bugcrowd.
However, of the hackers responding to Bugcrowd’s survey, 75 percent identified non-financial factors as their main motivation to hack. Four percent said their income was much better than expected, and 23 percent said it was slightly better.
Bugcrowd Ethical Hacker Demographics
The Bugcrowd hacker community is almost entirely male, with only four percent identifying as female. This figure has decreased since 2020, when a similar survey found it to be six percent.
Only five percent of hackers are under 18, but this number has doubled in a year, and Bugcrowd expects the figure to keep rising, partly as a result of increased accessibility to hacking resources, with a report stating that, “Using internet resources to learn how to hack has never been easier.”
Bugcrowd itself is a provider of such resources and says they are an avenue through which many hackers join the Bugcrowd community. It operates the Bugcrowd University, which offers free online training in ethical hacking techniques.