Stories

"White hat" hackers fill companies' cybersecurity demand

Hackers congress in Hamburg. Photo: Patrick Lux/Getty

Amid a gaping shortage of skilled cybersecurity hands, a cottage industry has sprung up to fill the demand, with some of the biggest U.S. companies and agencies paying freelance bounties for detecting website vulnerabilities.

What's going on: There are currently some 301,000 cyber industry openings in the U.S., according to Cyber Seek, a firm seeking to close the shortage, forcing unorthodox solutions on the most strategically important employers.

Their target is not college graduates, but simply to lure reliable hackers, or "white hats," out of dark chatrooms and into respectable employ.

  • Websites like Bugcrowd and HackerOne are the Indeeds of this world, reports MIT Tech Review's Martin Giles.
  • Both sites feature "bug bounties" — cash rewards for finding website vulnerabilities.
  • Among those paying bounties: Airbnb, the Pentagon, GM, Lufthansa, and Starbucks, says HackerOne.

Despite the shortage, the pay appears to be generally mediocre or low, the same malady afflicting job categories across the U.S. and European economies.

  • Finding bugs pays in glory more often than in cash, like swag and tours of the U.S. Capitol, writes Tech Review's Erin Winick.
  • In a case study at HackerOne, Shopify said that as of March 15, it had used bounties to resolve 759 bug reports, "thanked" more than 300 hackers, and paid out more than $850,000 in bounties. If all were paid, that comes to about $1,100 per bug report, although in one case, Shopify said, it paid a hacker named @cache-money $15,250 for exposing a critical bug.
  • A Philippine bug hunter profiled by Tech Review earns well under $1,000 a month. At HackerOne, 3% of registered users earn more than $100,000 a year, while 12% earn $20,000 or more.

Go deeper: In February, No Starch Press will publish a how-to book called Real-World Bug Hunting, by Peter Yaworski, subtitled "A Field Guide to Web Hacking."

More stories loading.