
The HackerOne community, which has more than 160,000 registered hackers and has already paid out $23.5 million for discovered vulnerabilities, has published The 2018 Hacker Report. This is the largest survey of ethical hackers in history, with 1,698 respondents. Along with the results, it contains some interesting statistics.
Key results:
- Bug bounty rewards provide a decent living for top hackers. Averaged across all countries, a top hacker's "salary" is 2.7 times the median salary of a programmer, but the ratio varies by country: in India it reaches 16x, in Argentina 15.6x, in Latvia 5.2x, in the USA 2.7x; there are no salary statistics for Russia.
- Money is not the main motivation for ethical hackers; it is only the fourth most popular reason (13.1%). More hackers value the opportunity to learn new technologies and techniques (14.7%), solving interesting problems (14%) and having fun (14%). Back in 2016, though, money was the number one reason.
- India (23.3%) and the USA (19.9%) are the two countries with the most registered hackers. They are followed by Russia (6.3%), Pakistan (4%) and the United Kingdom (4%).
- Almost one in four hackers did not report a vulnerability they found because the company provided no channel for reporting vulnerabilities.
- Almost 58% of hacking specialists are self-taught. Although 50% studied computer science or programming at university and 26.4% at school, only 5% said those classes gave them any knowledge useful for hacking. Information security is still a rather rare specialty at universities, but plenty of free material for self-study can be found online, including full-fledged textbooks on hacking websites (HackerOne's Web Hacking 101 tutorial is distributed free of charge). Studying reports on real hacks is another great way to teach yourself.
- Approximately 37% of respondents hack as a hobby in their spare time, but 12% earn at least $20k per year from bounty programs, and more than 3% earn $100k or more per year, which is enough for a comfortable life anywhere in the world. 1.1% earn more than $350k per year, a salary that is almost impossible to get in a regular programming job. A quarter of hackers said that bounties make up at least 50% of their income, and for 13.7% they make up 90-100% of annual income.
It is interesting to look at the distribution of cash flows by country. In the chart, the left side shows the countries of the companies that paid the rewards, and the right side shows the countries of the people who received them.

As we see, Russians are among the leaders, having earned $1,296,018 over the year.
A typical hacker is a young, talented IT professional under 35. Almost half of all hackers are under 25, and 75.1% have only 1-5 years of hacking experience.
46.7% of hackers work professionally in the field (as security specialists or programmers), and 25.3% are students. About 13% said they hack full time, that is, more than 40 hours a week.
The statistics on the tools hackers use are also interesting. Most now specialize in the web platform, that is, hacking websites and web applications. The most popular tools:
- Burp Suite, an integrated platform for web application security testing, included in the Kali Linux hacker OS - 29.3%
- Self-developed tools - 15.3%
- Web proxy / scanners - 12.6%
- Network vulnerability scanners - 11.8%
- Fuzzers - 9.9%
- Debuggers - 9.7%
- WebInspect - 5.4%
- Fiddler - 5.3%
- ChipWhisperer - 0.8%
Websites (70.8%) are the most popular target, followed by APIs (7.5%) and technologies that hold the hacker's own data or that the hacker uses (5%). Operating systems are no longer as popular a target (3.1%); they even trail Android applications (4.2%).
Favorite attack vectors are XSS (28.8%), SQL injection (23.1%), fuzzing (5.5%) and brute force (4.5%).
Most prefer to work alone, although many publish their results on a blog to get feedback from colleagues, and read their colleagues' blogs in turn.