Almost a quarter of hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it, according to a survey of the ethical hacking community.
With 1,698 respondents, the 2018 Hacker Report, conducted by the cybersecurity platform HackerOne, is the largest documented survey ever conducted of the ethical hacking community.
In the survey, HackerOne reports that nearly 1 in 4 hackers have not reported a vulnerability because the company in question lacks a vulnerability disclosure policy (VDP) or a formal method for receiving vulnerability submissions from the outside world.
Without a VDP, ethical, white-hat hackers are forced to go through other channels like social media or emailing personnel in the company, but, as the survey states, they are “frequently ignored or misunderstood”.
The largest survey ever conducted of the ethical hacking community. See statistics and growth metrics, insights into hacker motivations and mindset, and hacker stories. #2018HackerReport https://t.co/Cd3QNcaqFq
— HackerOne (@Hacker0x01) January 17, 2018
Despite some companies lacking a VDP, the hackers surveyed in the report did say that companies are becoming more open to receiving information about vulnerabilities than they were in the past.
Of the 1,698 respondents, 72% noted that companies have become more open to receiving vulnerability reports in the past year. That figure includes 34% of hackers who believe companies have become far more open.
Unlike a bug bounty program, a VDP does not offer hackers financial incentives for their findings, but VDPs are still highly effective.
Organisations like the US Department of Defence have received and resolved nearly 3,000 security vulnerabilities in the last 18 months from their VDP alone.
Great to see my friends at @Hacker0x01 publishing their 2018 Hacker Report. It covers growth (e.g. 72k valid vulns), local trends (e.g. India), hacker demographics, bounty financial recommendations, and more. Very useful: https://t.co/Vj0UvsbkhN
— Jono Bacon (@jonobacon) January 17, 2018
India (23%) and the United States (20%) are the top two countries represented by the HackerOne hacker community, followed by Russia (6%), Pakistan (4%) and the United Kingdom (4%).
The report revealed that, because bug bounties usually have no geographical boundaries, the payments involved can be life changing for some hackers.
The top hackers based in India earn 16 times the median salary of a software engineer. And on average, top earning hackers make 2.7 times the median salary of a software engineer in their home country.
In terms of which demographics are attracted to a life of ethical hacking, the report found that over 90% of hackers are under the age of 35, and unsurprisingly the vast majority of hackers on the HackerOne platform are male.