2018 Global White-Hat Hacker Income Survey Report.pdf

  • Resource ID: 21560       File size: 3.64 MB        Length: 40 pages
  • Format: PDF

THE 2018 HACKER REPORT

hack'er /'haker/ noun: one who enjoys the intellectual challenge of creatively overcoming limitations

At HackerOne, we agree with Keren Elazari: hackers are the immune system of the internet. Just like we need the Elon Musks to create technology, we need the Kerens and the Mudges to research and report where these technological innovations are flawed. The internet gets safer every time a vulnerability is found and fixed. The HackerOne community of security researchers is doing its part day in and day out to do just that: hunt the issues and responsibly report the risks to organizations so they can be remediated safely before being exploited by criminals. The community is strong and it is growing: we've seen a 10-fold increase in registered users in just 2 years.

With 1,698 respondents, The 2018 Hacker Report is the largest documented survey ever conducted of the ethical hacking community. As you read through the report, you will see the curious, tenacious, communal and charitable nature of the hacker community. One in four hackers have donated bounty money to charity, many hackers share knowledge freely with other hackers and security researchers, and they have helped the U.S. Department of Defense resolve almost 3,000 vulnerabilities - without receiving a cash bounty.

Executive Summary

They report security vulnerabilities because it's the right thing to do. Hacking is being taught for college credit in top-tier universities like UC Berkeley, Tufts, and Carnegie Mellon. Hackers around the world are earning more money through bug hunting than ever before. Bounties are a great equalizer with opportunity for all. Some hackers are earning over 16x what they would make as a full-time software engineer in their home country.

While we have achieved much, there is much work still to be done. Most companies (94% of the Forbes Global 2000 to be exact) do not have a published vulnerability disclosure policy.
As a result, nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it. Read the “Companies are Becoming More Open to Receiving Vulnerabilities” section for more on this challenge and the progress that's been made to date.

Consider this report a dossier on the vital members of our modern digital society, hackers. Gain insights on the hacker mindset, see statistics and growth metrics of where they are from, what vulnerabilities they find and even get to know some of the individuals involved in the incredible bug bounty community.

We are in the age of the hacker. Hackers are lauded as heroes, discussed daily in the media, villainized at times, and portrayed by Hollywood - anything but ignored.

166K+ total registered hackers*
72K+ total valid vulnerabilities submitted
$23.5M+ total bounties paid
*As of December 2017

Key Findings

Bug bounties can be life changing for some hackers. The top hackers based in India earn 16x the median salary of a software engineer. And on average, top earning researchers make 2.7 times the median salary of a software engineer in their home country.

Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it.

Money remains a top reason for why bug bounty hackers hack, but it's fallen from first to fourth place compared to 2016. Above all, hackers are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second.

India (23%) and the United States (20%) are the top two countries represented by the HackerOne hacker community, followed by Russia (6%), Pakistan (4%) and United Kingdom (4%).

Nearly 58% of them are self-taught hackers. Despite 50% of hackers having studied computer science at an undergraduate or graduate level, and 26.4% having studied computer science in high school or before, less than 5% have learned hacking skills in a classroom.
While 37% of hackers say they hack as a hobby in their spare time, about 12% of hackers on HackerOne make $20,000 or more annually from bug bounties, over 3% of which are making more than $100,000 per year, 1.1% are making over $350,000 annually. A quarter of hackers rely on bounties for at least 50% of their annual income, and 13.7% say their bounties earned represent 90-100% of their annual income.

Table of Contents

Hacker Definition
Executive Summary
Key Findings
Table of Contents
Geography
The International Flow of Bug Bounty Cash
The Economics of Bug Hunters
Hacker Spotlight: Sandeep
Demographics
Age
Education
Profession
Hours Per Week Spent Hacking
Trends in Hacker Education
Hacker Spotlight: Nicole
Experience

this makes bounties enormously attractive and gets precisely the eyes you want looking at your security things. Bounties are a great leveller in terms of providing opportunity to all.
TROY HUNT, Security Expert and creator of “Have I been pwned”

Figure 3: Multiplier, bug bounties vs. salary. Median annual wage of a “software engineer” was derived from PayScale for each region. The multiplier was found by dividing the upper range of bounty earners on HackerOne for the region by the median annual wage of a software engineer for the related region.

India: 16
Argentina: 15.6
Egypt: 8.1
Hong Kong: 7.6
Philippines: 5.4
Latvia: 5.2
Pakistan: 4.3
Morocco: 3.7
China: 3.7
Belgium: 2.7
Australia: 2.7
Poland: 2.6
Canada: 2.5
United States of America: 2.4
Sweden: 2.2
Bangladesh: 1.8
Germany: 1.8
Italy: 1.7
Netherlands: 1.7
Israel: 1.6
Croatia: 1.5
Czech Republic: 1.5
Spain: 1.5
Romania: 1.2
Saudi Arabia: 1.2

SANDEEP

Since bug bounty is booming nowadays, competition between hackers is increasing. So, have some patience when you are first starting, and keep improving your recon skills.
You have Internet, you have all the resources - keep reading from others' blogs and disclosed practical reports on HackerOne. Patience and better reporting is the KEY.

Hacker Spotlight: Advice to beginners.

Demographics

Youthful, curious, gifted professionals. Over 90% of hackers are under the age of 35, 58% are self-taught and 44% are IT professionals. Education remains a major emphasis of the community and efforts at HackerOne. Students can learn hacking for college credit at UC Berkeley, and hackers regularly share their knowledge and help others. Hacking is a continuous learning endeavor and there's a strong appetite for knowledge.

Over 90% of bug bounty hackers on HackerOne are under the age of 35, with over 50% under 25 and just under 8% under the age of 18. The majority (45.3%) of hackers are between 18 and 24 years old, closely followed by 37.3% of hackers who are between 25 and 35 years old.

Figure 4: What's Your Age?

Figure 5: What Best Describes Your Education Specifically Related to Computer Science and/or Programming? Response options: studied in undergraduate level; studied in high school; studied at graduate level; took continuing education or certification classes; none of the above. Reported shares: 8.9%, 26.4%, 31.2%, 13.3%, 20.2%.

The vast majority of hackers, 58%, are self-taught and 67% learned tips and tricks through online resources, blogs and books or through their community (other hackers, friends, colleagues, etc.).

Figure 6: What Best Describes Your Professional Title?
