An Examination of the Bug Bounty Marketplace
Here’s a fascinating report: “Bounty Everything: Hackers and the Making of the Global Bug Marketplace.” From a summary:
…researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs—programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.
Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms—the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework—they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next.
Ted • January 17, 2022 8:54 AM
Yeah, it’s interesting that many of these bug bounty hackers are young. The report says that 70% of the hackers at Bugcrowd are under 30. At HackerOne close to 50% of hackers are under 24.
HackerOne also says that the majority of their hackers, 89%, are based outside the US. In 2019, India accounted for 12% of registered hackers, while 11% were based in the US.
One researcher reported he believed companies were at least as worried, if not more worried, about bugs that affected their business positions rather than just user privacy.
I wonder what these hackers, or security researchers, do as they get older? In the meantime, I hope this research keeps them out of the cryptocurrency markets.