THE 2018 HACKER REPORT
Insights on the hacker mindset, who they are, and the types
of vulnerabilities they find.
THE HACKERONE PLATFORM
166,000+ Hackers
72,000+ Valid Vulnerabilities Submitted
$23,500,000+ Bounties Paid
* as of December 2017
Hackers Are Heroes…
and 1,698 of them responded
to questions for this report.
THE HACKERS’ RESULTS
Money ranks fourth for why bug bounty
hackers hack.
Top hackers earn 2.7x the median salary of
a software engineer in their home country.
12% of hackers make $20,000 or more
annually from bug bounties.
25% of hackers rely on bounties for at least 50%
of their annual income.
India and the United States are the top two
countries represented.
53% of hackers are self-taught.
GEOGRAPHY
WHERE HACKERS RESIDE
India, the United States, Russia, Pakistan and the United
Kingdom round out the top five countries represented,
with 43% based in India and the United States combined.
FIGURE 1: GEOGRAPHIC REPRESENTATION OF WHERE HACKERS ARE LOCATED IN THE WORLD
[World map shaded by share of hackers, scale from ≤5% to ≥20%; labelled values: 6.3%, 19.9%, 23.3%]
CASH
HOW BOUNTY MONEY FLOWS FROM ORGANIZATIONS TO HACKERS
Geographic Money Flow
Visualization of the bounties by geography, showing on the left
where the companies paying bounties are located and on the
right where hackers receiving bounties are located.
BOUNTIES PAID BY COMPANIES VS. BOUNTIES PAID TO HACKERS
BOUNTIES PAID BY COMPANIES (BY COMPANY LOCATION)
USA: $15,970,630
CANADA: $1,201,485
GERMANY: $458,882
RUSSIA: $308,346
SINGAPORE: $256,280
UK: $252,960
UAE: $143,375
FINLAND: $142,149
MALAYSIA: $138,215
SWITZERLAND: $118,393
ALL OTHER: $4,641,693
BOUNTIES PAID TO HACKERS (BY HACKER LOCATION)
USA: $4,150,672
INDIA: $3,098,250
AUSTRALIA: $1,296,411
RUSSIA: $1,296,018
UK: $916,035
HONG KONG: $749,770
SWEDEN: $746,326
GERMANY: $682,528
ARGENTINA: $673,403
PAKISTAN: $647,339
ALL OTHER: $9,375,656
ECONOMICS
BOUNTIES AS AN INCOME SOURCE
Median annual wage of a “software engineer” was derived
from PayScale for each region. The multiplier was found by
dividing the upper range of bounty earners on HackerOne
for the region by the median annual wage of a software
engineer for the related region.
Bug Bounties vs. Salary
MULTIPLIER
India: $$$$$$$$$$$$$$$$
Argentina: $$$$$$$$$$$$$$$
Egypt: $$$$$$$$
Hong Kong: $$$$$$$
Philippines: $$$$$
Latvia: $$$$$
Pakistan: $$$$
Morocco: $$$
China: $$$
Belgium: $$
Australia: $$
Poland: $$
Canada: $$
USA: $$
SANDEEP
Advice to beginners...
Since bug bounty is booming nowadays, competition between
hackers is increasing. So, have some patience when you are first
starting, and keep improving your recon skills. You have Internet,
you have all the resources—keep reading from others' blogs and
disclosed practical reports on HackerOne. Patience and better
reporting is the KEY.
DEMOGRAPHICS
HACKERS BY NIGHT, STUDENTS AND TECH EMPLOYEES BY DAY
Over 66% of hackers spend 20 hours or less per week hacking.
ON AVERAGE, APPROXIMATELY HOW MANY HOURS PER WEEK DO YOU SPEND HACKING?
HACKERONE HOURS NOT INCLUDED
1-10 HOURS: 44.2%
10-20 HOURS: 22.4%
20-30 HOURS: 13%
30-40 HOURS: 13%
40+ HOURS: 13.1%
What Best Describes Your Professional Title?
WHAT BEST DESCRIBES YOUR DAY-TO-DAY OCCUPATION?
IT/SOFTWARE/HARDWARE: 46.7%
STUDENT: 25.2%
CONSULTING: 12.3%
EDUCATION: 7.2%
UNEMPLOYED: 1.9%
FINANCE: 1.5%
GOVERNMENT: 1.1%
TELECOMMUNICATIONS: 0.3%
CONSTRUCTION: 0.7%
STAY AT HOME PARENT: 0.7%
HEALTHCARE: 0.5%
LEGAL: 0.4%
MANUFACTURING: 0.4%
INSURANCE: 0.3%
AGE
YOUTHFUL, CURIOUS, GIFTED PROFESSIONALS
While many hackers are young, nearly 29% have been hacking for 6 years or more.
WHAT'S YOUR AGE?
18-24 YEARS: 45.3%
25-34 YEARS: 37.3%
35-49 YEARS: 9.2%
13-17 YEARS: 1%
50-64 YEARS: 0.5%
UNDER 13 YEARS: 0.4%
APPROXIMATELY HOW MANY YEARS HAVE YOU BEEN HACKING?
1-5 YEARS: 71.2%
6-10 YEARS: 18.1%
11-15 YEARS: 6.4%
16-20 YEARS: 2.2%
20+ YEARS: 2.1%
NICOLE
I’ve always had somewhat of a mindset for security, even
before I knew anything about computer science. Growing up,
my brain was constantly racing to figure out systems in order
to find loopholes and workarounds that I could slip through.
ATTACK SURFACE
HACKERS LOVE WEBAPPS
WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PRODUCT TO HACK?
WEBSITES: 70.8%
IOS MOBILE APPS: 1.4%
ANDROID MOBILE APPS: 4.2%
DOWNLOADABLE SOFTWARE: 2.5%
WINDOWS MOBILE APPS: 0.1%
COMPUTER HARDWARE: 0.5%
FIRMWARE: 1.3%
OPERATING SYSTEMS: 3.1%
INTERNET OF THINGS: 2.6%
APIs: 7.5%
SUPPLY CHAIN PARTNER: 0.3%
EVALUATING TECHNOLOGY: 0.7%
TECHNOLOGY THAT I USE: 5.0%
MOTIVATION
IT AIN’T ALL ABOUT THE MONEY
WHY DO YOU HACK?
TO MAKE MONEY: 13.1%
TO BE CHALLENGED: 14.0%
TO LEARN TIPS AND TECHNIQUES: 14.7%
TO HAVE FUN: 14.0%
TO SHOW OFF: 3.0%
TO ADVANCE MY CAREER: 12.2%
TO HELP OTHERS: 8.5%
TO DO GOOD IN THE WORLD: 10.0%
TO PROTECT AND DEFEND: 10.4%
FRANS
Personally I hack because I really love to
build stuff and I also love to break stuff...
the best way to know how to build stuff
is to know how you can break it.
IBRAHM
How are hackers spending their bounties?
REWARDS
A HOUSE FOR MOM AND A DONATION FOR GOOD
DAVID FRANS
Helping my parents buy a house when
I first came to the U.S.
Donated the bounty…to the EFF.
A lot of my money actually goes into
hiring people.
OVER 24% of hackers have donated bounty
money to charity organizations, and
companies like Qualcomm, Google,
and Facebook match bounties that
hackers donate.
SAM
The most meaningful purchase I made with bounty money
is actually a car. For a really long time it was just one car in
our house of three, and I really don’t come from a wealthy
background. It was really an issue trying to find a way to get
around for everyone’s jobs, so when I got into bug bounty
I said, I’m going to get a car that everyone can use and I
think it really helped.
THE FUTURE
MORE COMPANIES PAYING MORE BOUNTIES
HackerOne has paid out over $23 million in bounties in five years with
a goal of $100 million by the end of 2020.
IN YOUR OPINION, OVER THE LAST YEAR, WHAT BEST DESCRIBES COMPANIES’
REACTIONS TO RECEIVING VULNERABILITY REPORTS FROM SECURITY RESEARCHERS?
THEY ARE FAR MORE OPEN: 33.8%
THEY ARE SOMEWHAT MORE OPEN: 38.4%
THEY ARE NEITHER MORE NOR LESS OPEN: 16.5%
THEY ARE SOMEWHAT LESS OPEN: 4.7%
THEY ARE FAR LESS OPEN: 4.7%
BRETT
At the end of the day, we’re all in this together. We’re
trying to find stuff and fix issues. We’re trying to help
protect the world. That’s what it comes down to.
And I like to be a part of that.
THE HACKERS
#TOGETHERWEHITHARDER

How God led me to DTS? Through many different signs and connections that I c...
AshishMohan57
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
paridubey2024#G05
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
exgf28
 

Recently uploaded (20)

Team Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public servicesTeam Cymru Community Services,Overview of all public services
Team Cymru Community Services,Overview of all public services
 
Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18Geolocation and Geofeed Implementation bdNOG18
Geolocation and Geofeed Implementation bdNOG18
 
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
202254.com香蕉影视,沙丘2在线播放,沙丘2线上看,最新电影沙丘2在线,热门电影推荐,2024最新科幻片推荐。
 
Portugal Dreamin 24 - How to easily use an API with Flows
Portugal Dreamin 24  - How to easily use an API with FlowsPortugal Dreamin 24  - How to easily use an API with Flows
Portugal Dreamin 24 - How to easily use an API with Flows
 
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
Vip Girls Call ServiCe Chennai X00XXX00XX Tanisha Best High Class Chennai Ava...
 
Rent remote desktop server mangohost .net
Rent remote desktop server mangohost .netRent remote desktop server mangohost .net
Rent remote desktop server mangohost .net
 
upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1upgrade to zabbix-7 0 como atualiza lts1
upgrade to zabbix-7 0 como atualiza lts1
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
 
DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33DASH, presented by Elly Tawhai at PacNOG 33
DASH, presented by Elly Tawhai at PacNOG 33
 
IPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security ConsiderationsIPv6 Deployment Planning and Security Considerations
IPv6 Deployment Planning and Security Considerations
 
Best Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdfBest Skills to Learn for Freelancing.pdf
Best Skills to Learn for Freelancing.pdf
 
Software Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical ImplementationsSoftware Defined Networking, Concepts and Practical Implementations
Software Defined Networking, Concepts and Practical Implementations
 
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECTUse of Ontologies in Chemical Kinetic Database CHEMCONNECT
Use of Ontologies in Chemical Kinetic Database CHEMCONNECT
 
Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...Career Development Advice for Network Engineers across the Pacific, presented...
Career Development Advice for Network Engineers across the Pacific, presented...
 
Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...Ontology for the semantic enhancement, database definition and management and...
Ontology for the semantic enhancement, database definition and management and...
 
Open Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using GraylogOpen Source TCP or Netflow Log Server Using Graylog
Open Source TCP or Netflow Log Server Using Graylog
 
Understanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat IntelligenceUnderstanding Threat Intelligence | What is Threat Intelligence
Understanding Threat Intelligence | What is Threat Intelligence
 
How God led me to DTS? Through many different signs and connections that I c...
How God led me to DTS? Through many different signs and connections that  I c...How God led me to DTS? Through many different signs and connections that  I c...
How God led me to DTS? Through many different signs and connections that I c...
 
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
Kolkata @Girls @Call WhatsApp Numbers 🫦0000XX0000🫦 List For Friendship Girls ...
 
My President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodieMy President is bulletproof t shirts hoodie
My President is bulletproof t shirts hoodie
 

The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the vulnerabilities they find

  • 1. THE 2018 HACKER REPORT: Insights on the hacker mindset, who they are, and the types of vulnerabilities they find.
  • 2. 166,000+ Hackers; 72,000+ Valid Vulnerabilities Submitted; $23,500,000+ Bounties Paid. THE HACKERONE PLATFORM* (* as of December 2017). Hackers Are Heroes… and 1,698 of them responded to questions for this report.
  • 3. THE HACKERS’ RESULTS Money ranks fourth for why bug bounty hackers hack. Top hackers earn 2.7x the median salary of a software engineer in their home country. 12% of hackers make $20,000 or more annually from bug bounties. 25% of hackers rely on bounties for at least 50% of their annual income. India and the United States are the top two countries represented. 53% of hackers are self-taught.
  • 4. GEOGRAPHY: WHERE HACKERS RESIDE. India, the United States, Russia, Pakistan and the United Kingdom round out the top five countries represented, with 43% based in India and the United States combined. [FIGURE 1: Geographic representation of where hackers are located in the world; map legend runs from ≤5% to ≥20%, with labeled values 6.3%, 19.9% and 23.3%.]
  • 5. CASH: HOW BOUNTY MONEY FLOWS FROM ORGANIZATIONS TO HACKERS. Visualization of the Bounties by Geography showing on the left where the companies paying bounties are located and on the right where hackers receiving bounties are located. BOUNTIES PAID BY COMPANIES: USA: $15,970,630; CANADA: $1,201,485; GERMANY: $458,882; RUSSIA: $308,346; SINGAPORE: $256,280; UK: $252,960; UAE: $143,375; FINLAND: $142,149; MALAYSIA: $138,215; SWITZERLAND: $118,393; ALL OTHER: $4,641,693. BOUNTIES PAID TO HACKERS: USA: $4,150,672; INDIA: $3,098,250; AUSTRALIA: $1,296,411; RUSSIA: $1,296,018; UK: $916,035; HONG KONG: $749,770; SWEDEN: $746,326; GERMANY: $682,528; ARGENTINA: $673,403; PAKISTAN: $647,339; ALL OTHER: $9,375,656. [Figure: Geographic Money Flow]
  • 6. ECONOMICS: BOUNTIES AS AN INCOME SOURCE. Median annual wage of a “software engineer” was derived from PayScale for each region. The multiplier was found by dividing the upper range of bounty earners on HackerOne for the region by the median annual wage of a software engineer for the related region. [Chart: Bug Bounties vs. Salary, multiplier by country, shown as rows of $ symbols in descending order: India, Argentina, Egypt, Hong Kong, Philippines, Latvia, Pakistan, Morocco, China, Belgium, Australia, Poland, Canada, USA.] SANDEEP (Advice to beginners...): "Since bug bounty is booming nowadays, competition between hackers is increasing. So, have some patience when you are first starting, and keep improving your recon skills. You have Internet, you have all the resources—keep reading from others' blogs and disclosed practical reports on HackerOne. Patience and better reporting is the KEY."
  • 7. DEMOGRAPHICS: HACKERS BY NIGHT, STUDENTS AND TECH EMPLOYEES BY DAY. Over 66% of hackers spend 20 hours or less per week hacking. ON AVERAGE, APPROXIMATELY HOW MANY HOURS PER WEEK DO YOU SPEND HACKING? (HACKERONE HOURS NOT INCLUDED) 1-10 HOURS: 44.2%; 10-20 HOURS: 22.4%; 20-30 HOURS: 13%; 30-40 HOURS: 13%; 40+ HOURS: 13.1%. WHAT BEST DESCRIBES YOUR DAY-TO-DAY OCCUPATION? (chart title: What Best Describes Your Professional Title?) IT/SOFTWARE/HARDWARE: 46.7%; STUDENT: 25.2%; CONSULTING: 12.3%; EDUCATION: 7.2%; UNEMPLOYED: 1.9%; FINANCE: 1.5%; GOVERNMENT: 1.1%; TELECOMMUNICATIONS: 0.3%; CONSTRUCTION: 0.7%; STAY AT HOME PARENT: 0.7%; HEALTHCARE: 0.5%; LEGAL: 0.4%; MANUFACTURING: 0.4%; INSURANCE: 0.3%.
  • 8. AGE: YOUTHFUL, CURIOUS, GIFTED PROFESSIONALS. While many hackers are young, nearly 29% have been hacking for 6 years or more. WHAT'S YOUR AGE? 18-24 YEARS: 45.3%; 25-34 YEARS: 37.3%; 35-49 YEARS: 9.2%; 13-17 YEARS: 1%; 50-64 YEARS: 0.5%; UNDER 13 YEARS: 0.4%. APPROXIMATELY HOW MANY YEARS HAVE YOU BEEN HACKING? 1-5 YEARS: 71.2%; 6-10 YEARS: 18.1%; 11-15 YEARS: 6.4%; 16-20 YEARS: 2.2%; 20+ YEARS: 2.1%.
  • 9. ATTACK SURFACE: HACKERS LOVE WEBAPPS. NICOLE: "I’ve always had somewhat of a mindset for security, even before I knew anything about computer science. Growing up, my brain was constantly racing to figure out systems in order to find loopholes and workarounds that I could slip through." WHAT IS YOUR FAVORITE KIND OF PLATFORM OR PRODUCT TO HACK? WEBSITES: 70.8%; IOS MOBILE APPS: 1.4%; ANDROID MOBILE APPS: 4.2%; DOWNLOADABLE SOFTWARE: 2.5%; WINDOWS MOBILE APPS: 0.1%; COMPUTER HARDWARE: 0.5%; FIRMWARE: 1.3%; OPERATING SYSTEMS: 3.1%; INTERNET OF THINGS: 2.6%; APIs: 7.5%; SUPPLY CHAIN PARTNER: 0.3%; EVALUATING TECHNOLOGY: 0.7%; TECHNOLOGY THAT I USE: 5.0%.
  • 10. MOTIVATION: IT AIN’T ALL ABOUT THE MONEY. WHY DO YOU HACK? TO MAKE MONEY: 13.1%; TO BE CHALLENGED: 14.0%; TO LEARN TIPS AND TECHNIQUES: 14.7%; TO HAVE FUN: 14.0%; TO SHOW OFF: 3.0%; TO ADVANCE MY CAREER: 12.2%; TO HELP OTHERS: 8.5%; TO DO GOOD IN THE WORLD: 10.0%; TO PROTECT AND DEFEND: 10.4%. FRANS: "Personally I hack because I really love to build stuff and I also love to break stuff... the best way to know how to build stuff is to know how you can break it."
  • 11. REWARDS: A HOUSE FOR MOM AND A DONATION FOR GOOD. How are hackers spending their bounties? Hackers quoted on this slide: IBRAHM, DAVID, FRANS. Quotes, in the order they appear: "Helping my parents buy a house when I first came to the U.S." "Donated the bounty…to the EFF." "A lot of my money actually goes into hiring people."
  • 12. REWARDS: A HOUSE FOR MOM AND A DONATION FOR GOOD. OVER 24% of hackers have donated bounty money to charity organizations, and companies like Qualcomm, Google, and Facebook match bounties that hackers donate. SAM: "The most meaningful purchase I made with bounty money is actually a car. For a really long time it was just one car in our house of three, and I really don’t come from a wealthy background. It was really an issue trying to find a way to get around for everyone’s jobs, so when I got into bug bounty I said, I’m going to get a car that everyone can use and I think it really helped."
  • 13. THE FUTURE: MORE COMPANIES PAYING MORE BOUNTIES. HackerOne has paid out over $23 million in bounties in five years with a goal of $100 million by the end of 2020. IN YOUR OPINION, OVER THE LAST YEAR, WHAT BEST DESCRIBES COMPANIES' REACTIONS TO RECEIVING VULNERABILITY REPORTS FROM SECURITY RESEARCHERS? THEY ARE FAR MORE OPEN: 33.8%; THEY ARE SOMEWHAT MORE OPEN: 38.4%; THEY ARE NEITHER MORE NOR LESS OPEN: 16.5%; THEY ARE SOMEWHAT LESS OPEN: 4.7%; THEY ARE FAR LESS OPEN: 4.7%.
  • 14. BRETT At the end of the day, we’re all in this together. We’re trying to find stuff and fix issues. We’re trying to help protect the world. That’s what it comes down to. And I like to be a part of that. THE HACKERS #TOGETHERWEHITHARDER