Slashdot Mirror


Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer (bleepingcomputer.com)

An anonymous reader shares a report: A survey of 1,700 bug bounty hunters registered on the HackerOne platform reveals that top white-hat hackers make on average 2.7 times more money than the average salary of a software engineer in the same country. The reported numbers are different for each country and may depend on a bug hunter's ability to find bugs, but the survey's results highlight the rising popularity of bug hunting as a sustainable profession, especially in less developed countries, where it can help talented programmers live a financially care-free life. According to HackerOne's report, it pays to be a vulnerability researcher in India, where top bug hunters can make 16 times more compared to the average salary of a software engineer. Other countries where bug hunting can assure someone a comfortable living are Argentina (x15.6), Egypt (x8.1), Hong Kong (x7.6), the Philippines (x5.4), and Latvia (x5.2).

67 comments

  1. Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 5, Insightful

    Ok, but how much does an average bug hunter make vs a top software engineer? Or an average bug hunter vs an average software engineer?

    1. Re:Top Bug Hunter Vs. Average Software Engineer by number6x · · Score: 1

      In related news:

      • "Top chefs make more money than an average chef does."

      • "Above average is above the average"

    2. Re:Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 0

      Or a good additional question: how many of the "not top" make NOTHING?

      Answer: 95% of the bug hunters make nothing or less than $1,000 per year.

      So are we talking about Indian salaries here or US salaries?

    3. Re:Top Bug Hunter Vs. Average Software Engineer by PhrostyMcByte · · Score: 1

      This just in: top software engineers also make more than the average software engineer. More updates coming as we learn more!

    4. Re: Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 0

      I suppose digging crappy code for bugs as a full time job should be a terribly interesting activity as main source of income /sarc. I prefer the creative part of it and I take care of writing 0 errors code so I guess I'm not sensible to giving other people opportunity to scrap a living from my work - selfish me, I don't support the outsourcing cartel.

    5. Re:Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 1

      But any employed software engineer is being paid at least something. Not all bug hunters actually make money.

    6. Re: Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 0

      You've had bugs, you're just ignorant of that fact. Sadly, that makes it worse.

    7. Re:Top Bug Hunter Vs. Average Software Engineer by Anonymous Coward · · Score: 0

      And standardize it to a per hour rate.

  2. How much do the Top Engineers make? by jellomizer · · Score: 5, Insightful

    I mean this is an Apples vs Oranges comparison there.
    You can take the top of nearly any (professional) profession and compare it to the average of others and you see that the best of the best makes more than the average guy does.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re: How much do the Top Engineers make? by Anonymous Coward · · Score: 0

      Pointless metric is pointless?

    2. Re:How much do the Top Engineers make? by Anonymous Coward · · Score: 0

      People Paid for Providing Professional Programming Proofreading! News at 11!

    3. Re:How much do the Top Engineers make? by gravewax · · Score: 1

      I came to point out exactly the same idiotic point. Seems everyone already beat me to it. I can only imagine the writers of the article were either complete and utter morons or they were simply trying to concoct a story where one doesn't exist as they had nothing better to post.

    4. Re:How much do the Top Engineers make? by Anonymous Coward · · Score: 0

      Slashdot. News for Tards

  3. Really ? Great article. Great source. by RedK · · Score: 0

    A crappy blog is a great source to get things like "top of something better than average of another". Awesome comparison.

    --
    "Not to mention all the idiots who use words like boxen."
    Anonymous Coward on Monday August 04, @06:49PM
  4. All this time by Anonymous Coward · · Score: 0

    I thought the Bug Bunters found hugs...

  5. Re:Latvia (x5.2) by Anonymous Coward · · Score: 0

    LOL, way to fact check. Latvia is Dr Doom's fictional country.

    uh, you are thinking of Latveria actually, http://marvel.wikia.com/wiki/Latveria

  6. Re:Latvia (x5.2) by CohibaVancouver · · Score: 2

    Uh... Latvia's a real country, Anonymous Coward. Look it up.

  7. What a fucking joke by OrangeTide · · Score: 1

    where it can help talented programmers live a financially care-free life.

    Security bug hunting and pen test is extremely competitive. Your 2.7x earnings means you're playing with a bunch of workaholics in an all-or-nothing system where partial credit is not an option. You can put 40 hours into a project, only to have victory snatched away by the guy who finished it in 35 hours.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:What a fucking joke by Anonymous Coward · · Score: 1

      It's not just workaholics. Even if you yourself are a workaholic you could still end up with nothing. My experience is I usually make $0.00 because only the most esoteric bugs are left by the time it gets on the bug bounty websites. Sometimes I make a couple hundred bucks once a month. The average or better than average person makes nothing consistently.

  8. Another stupid comparison article by ilsaloving · · Score: 3, Insightful

    So the top bug hunters make more than the average software engineer? Well slap my ass and call me a cantaloupe!

    What about top software engineers compared to average software engineers? What about A-list celebrities vs stuntmen?

    I know! How about we compare the top strawmen vs average strawmen?

  9. Way to fact check indeed by Anonymous Coward · · Score: 0

    Dr Doom is from Latveria.

    CAPTCHA: contrite

  10. Re:Really ? Great article. Great source. by harperska · · Score: 1

    Do the top crappy bloggers make more than the average slashdot poster?

  11. Top _anything_ generally make more by Sarusa · · Score: 1

    Top software engineers make much more than 2.7x average software engineers.

    1. Re: Top _anything_ generally make more by loufoque · · Score: 1

      Indeed, it's at least 5 times the average amount.

  12. To everyone complaining about the comparison... by king+neckbeard · · Score: 4, Informative

    To everyone complaining about the comparison between the top of bug hunters and the average software engineer, you are clearly missing the point. They aren't trying to present a meaningful comparison of two fields, they are trying to paint a statistically inaccurate picture of luxury in order to flood the market and drive average wages down. C'mon, is this everybody's first day on /. or something?

    --
    This is my signature. There are many like it, but this one is mine.
  13. Comparing at its best. by 140Mandak262Jamuna · · Score: 1
    Luxury SUVs cost 5 times more than average sedan.

    First class airline ticket costs 20 times the average bus fare

    Let me wait for the comparison of the average pay of the top 1700 bounty hunters with the average pay of top 1700 software engineers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Comparing at its best. by TechyImmigrant · · Score: 1

      >First class airline ticket costs 20 times the average bus fare

      Show me where I can get one of these $50 first class airline tickets.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Comparing at its best. by angel'o'sphere · · Score: 1

      Show me a place where the average bus fare is $2.5.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  14. POZ MY NEG ASS by Anonymous Coward · · Score: 0

    I'm a big hunter

  15. Some stats. by 140Mandak262Jamuna · · Score: 3, Interesting
    58% of bug bounty hackers are self-taught.

    37% of white-hat hackers say they hack as a hobby in their spare time (not their primary job).

    About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties.

    Over 3% of bug hunters are making more than $100,000 per year.

    1.1% are making over $350,000 annually.

    13.7% say bounties earned represent 90-100% of their annual income.

    India (23%) and the United States (20%) are the top two countries represented on the HackerOne platform, followed by Russia (6%), Pakistan (4%), and the United Kingdom (4%).

    Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.

    US companies have paid over $15 million to bug hunters via HackerOne in 2017.

    US bug hunters racked up over $4.1 million in bug rewards, while Indian white-hat hackers earned over $3 million.

    "Websites" was the overwhelming winner to the question of "What is Your Favorite Kind of Platform or Product to Hack?" with a 70.8% score.

    "Money" was not the primary motivation for getting into bug hunting. It ranked only fourth.

    XSS was the favorite vulnerability white-hat hackers liked to search for.

    (Clipped out some slashvertisement pitching something called burp suite. )

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Some stats. by 140Mandak262Jamuna · · Score: 1
      What is the salary of the top 1.1% of the software engineers?

      Is it more or less than 350K? If you include stock options, healthcare, 401K match and other benefits too.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Some stats. by psycho12345 · · Score: 1

      Wayyyy above that. The salary will be less (150 - 250k range), but then you add in equity, and it goes over 400k, and bonuses will push that even higher. Equity is the big one, top engineers at like Google and such will rack up 300-400k with equity alone. Plus all the other company perks, and there is no real comparison.

      Once you factor in taxes, it REALLY makes it in favor of top software engineers, because 350k will be almost entirely taxed at ordinary income rates. The typical RSU's given to software engineers are also taxed at income rates, but you get to reap the gains at capital rates, which for many of the top tech companies has done VERY well over the last 5 years (Amazon stands out as one where one could have vested over the last 5 years and made HUGE gains).

    3. Re:Some stats. by Anonymous Coward · · Score: 0

      US companies have paid over $15 million to bug hunters via HackerOne in 2017.

      There are more than a million bug hunters. That's $15 each.

      But it's less than $15 each because some small percentage makes $20,000 or more. So the majority make ZERO.

    4. Re:Some stats. by im_thatoneguy · · Score: 2

      Thanks that's useful. So headline should read:

      3% of bug hunters make what an average software developer makes.

    5. Re: Some stats. by Anonymous Coward · · Score: 0

      And now you know how averages don't reflect reality at all.
      Let's all strive for real accuracy and keeping track of every value. Making a graph is easy enough. No need to cop out and spit out one number that's supposed to tell it all but fails horribly.

    6. Re:Some stats. by Anonymous Coward · · Score: 0

      Only Whitehats?

      Blackhats and Goldhats actually license their 0-days and make lots. Often they are also whitehats, milking out a theme, now that they have disassembled/reverse engineered blobs of code.

      Engineers? Show me the engineers who KNOW when the programs or debuggers they use are crippled, and know how to un-cripple them. There is enough leaked source code out there, to exploit bad compiles/builds.

      IMHO only OPENBSD has a readable security policy that ticks most boxes.

  16. my career plan was to be an average developer by j2.718ff · · Score: 3, Insightful

    I was planning to be an average developer, but I guess I'll become one of the best bug hunters instead. Because as an average software engineer, I assume that I'd be way better than average at finding bugs than someone who's already made that their career.

    1. Re:my career plan was to be an average developer by JaredOfEuropa · · Score: 2

      Wouldn't you rather be the guy who makes the bugs?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:my career plan was to be an average developer by Anonymous Coward · · Score: 0

      Why not both? Make the bugs, then 'discover' them later and either anonymously or through a 3rd party collect your bug bounty.

    3. Re:my career plan was to be an average developer by Anonymous Coward · · Score: 0

      I am off to code me a minivan.

    4. Re:my career plan was to be an average developer by Anonymous Coward · · Score: 0

      Average developer only codes in Java, bug hunters have amazing assembler skills.

  17. Sure, but... by bmimatt · · Score: 1

    Top software developers make probably 4 times what the 'average' ones make. Apples and oranges, msmash, apples and oranges.

  18. Top bug hunters vs the other 95% by Anonymous Coward · · Score: 0

    Just as with anything, some perspective.

    Top actors make millions, they are the minority, most make almost nothing
    Top singers/bands make millions, they are the minority most are below poverty level
    Top bug hunters, sure they make a ton, but the majority of them probably barely make a living
    Top house flippers make a good deal of money, most barely get by, one bad transaction could send them to bankruptcy
    Top engineers (software, mechanical, etc) can make a decent income, most don't make even 6 figures
    Top lotto winners "made" a lot of money, most don't
    Top gamblers can make a lot of money, most don't
    Top athletes can make a ton of money, most do not

    If you want to shoot for the stars based on what the top people in that field earn, go for it, but be prepared to learn you very likely won't be the 1-5% who are in the top of the field earning that top income.

  19. Just how is software engineer defined ? by Crashmarik · · Score: 1

    Last time I checked maintenance was still the largest part of software engineering by a wide margin.

  20. 100% more clickbait by lucm · · Score: 1

    Making 2.7 times the salary of someone doesn't mean you make 2.7 times more (unless the other person makes $0). You have to take into account the fact that the other person is getting paid. So that's either "1.7 times more" or "2.7 times the salary".

    --
    lucm, indeed.
  21. 1 standard deviation out versus arithmetic mean by optikos · · Score: 1

    I am pretty sure that 1 standard deviation rightward on the x axis on any profession makes about 2.7 times what the arithmetic mean of another profession makes, especially for nearly any non-blue-collar or service-industry “profession”. Top bug hunters might even be 2 standard deviations out from the average bug hunter.

  22. Median vs Average by neo00 · · Score: 1
    This is a perfect example why a median should be used vs the average. A few extreme outliers significantly skew the average when most people make a really small amount of money.

    From the article:

    * About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties.
    * Over 3% of bug hunters are making more than $100,000 per year.
    * 1.1% are making over $350,000 annually.

    1. Re: Median vs Average by Anonymous Coward · · Score: 0

      There's a reason it's called the "mean."
      It's a crappy way to keep track of performance and only serves to make individuals look bad forever for one bad day. Once you have one under 100% day you can never prove that you did 100% before or after.

    2. Re:Median vs Average by angel'o'sphere · · Score: 1

      The median would be even more meaningless, unless your country has a different definition what a median is versus e.g. Europe.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    3. Re: Median vs Average by loufoque · · Score: 1

      the median tells you what the average person is earning.

    4. Re: Median vs Average by angel'o'sphere · · Score: 1

      No, it does not.

      A: 1, 6, 6
      B: 4, 6, 12
      C: 4, 6, 6, 6

      The median of all sequences is the same ...

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
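The mean-versus-median argument in this thread is easy to check numerically. The following Python block is an added example, not code from any commenter or from the HackerOne report: it summarizes a constructed, clearly hypothetical set of annual bounty payouts (not survey data) alongside the three sequences A, B and C from the reply above, reporting the mean, the median, the share of earners at zero, and the share earning at or above the mean. The function names `summarize` and `ratio_to_mean` are this example's own.

```python
from statistics import mean, median

# Constructed annual bounty earnings (USD) for 20 hypothetical hunters.
# Illustrative sample only; these are NOT figures from the HackerOne survey.
SAMPLE_PAYOUTS = [
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # twelve hunters earned nothing
    150, 300, 500, 1200,                  # four earned small amounts
    20000, 45000, 120000, 400000,         # four heavy-tail earners
]

# The three sequences from the comment above; all share a median of 6.
SEQUENCES = {"A": [1, 6, 6], "B": [4, 6, 12], "C": [4, 6, 6, 6]}


def summarize(payouts):
    """Return mean, median, share earning zero and share at or above the mean."""
    if not payouts:
        raise ValueError("need at least one payout")
    mu = mean(payouts)
    n = len(payouts)
    return {
        "mean": mu,
        "median": median(payouts),
        "share_zero": sum(1 for p in payouts if p == 0) / n,
        "share_at_or_above_mean": sum(1 for p in payouts if p >= mu) / n,
    }


def ratio_to_mean(top_value, payouts):
    """How many times the arithmetic mean a given earner makes.

    This is the kind of figure behind a headline such as '2.7 times the
    average': the top value divided by a mean that most earners sit below.
    """
    return top_value / mean(payouts)


if __name__ == "__main__":
    stats = summarize(SAMPLE_PAYOUTS)
    print("constructed payouts:", stats)
    print("top earner vs mean: %.2fx" % ratio_to_mean(max(SAMPLE_PAYOUTS), SAMPLE_PAYOUTS))
    for name, seq in SEQUENCES.items():
        print(name, summarize(seq))
```

In the constructed sample the mean is pulled to about $29k by four earners while the median is $0 and only three of twenty hunters earn at or above the mean, which is the skew the parent comment describes; the A/B/C sequences show the converse point that an identical median says nothing about the mean.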
  23. Why by AHuxley · · Score: 1

    1. Have lawyers and contractors create a product for mil/gov and win the bid.
    2. Code the product in a nation with low wages. Have lawyers and a person with clearance needed present the code as compliant.
    3. Rent the service and support to the mil/gov.
    4. Support problems by making more profit locally again in overtime costs.
    5. Outsource upgrades.
    6. Get the billable hours up for local 24/7 support.

    Low wage nations with average IQ workers win bids and keep costs down for the entire project.
    Billable hours for locked in support needed later make the profit.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Why by TimMD909 · · Score: 1

      You are evil. This is part of the reason we have so much shitty software in the world.

    2. Re:Why by Actually,+I+do+RTFA · · Score: 2

      I'm not sure why you think that mil/gov contracts can be outsourced outside the country. Normally, there is a restriction that the work be done in country. Which is fine, because they'll pay the extra to have the work done in country.

      --
      Your ad here. Ask me how!
    3. Re:Why by AHuxley · · Score: 1

      It can get better and more profitable once real support gets paid over decades of gov/mil tech projects.
      Present winning bids at low costs to more local, state and federal govs/mil.
      Win more contracts on the low cost of past winning bids.
      Win in the USA? Present to NATO/EU nations gov/mil as part of free trade. Starting in any EU/NATO nation? Demand equal access to the US mil/gov market as free trade.
      Not in the USA, EU, NATO? Find some nations lawyers and a few people with a security clearance and use them as a small front company that's fully compliant.
      Find staff who can push the "small" new company front story. Structure the created front company to virtue signal and take full advantage of any nations political correctness support for the bids given who is on staff. Create a brand to win bid using the type of staff needed to get special consideration in every bid presented.
      Keep using the low IQ, low cost wage nations to write the code. Keep ensuring the support costs are done by skilled locals as rent.

      Sooner or later some gov will consider doing the code with their own gov/mil experts at a low cost domestically. The needed experts already work for the nation/mil, why is the service and support being paid for in the private sector as years of billable hours?
      That's a good question that can be stopped.

      Use the lawyers to ensure a grassroots party political protest group gets the message out that big bad gov is blocking a small growing company that has very special staff members.
      Staff that are under represented in that area of tech. Now big evil gov, the big evil mil is not using the best local, innovative, private sector staff who worked so hard to win a bid that was open to all. Use the local staff to virtue signal until the bids are in place again.
      The right optics from that front company and the coordinated "protests" will ensure the bids keep flowing. So will the needed overtime.
      Another big project? Pass all the real work back to the low IQ, low wage nation.

      Remember to lobby and always keep up the campaign contributions to all political parties. Keep the front company staff with the good optics in the national press too with branding for charity and political events.
      Political leaders have a charity they are a part of? Support that.
      Political protection will ensure no questions get asked about low code quality and the growing cost of supporting a project.

      Want to get really creative?
      Use a nations security to block further investigations of the code quality.
      Lobby to fly your low cost, low IQ workers from the poor nations into the advanced nation but keep their own low wages for short time contracts. Just for that very secret project. It's for security and the low wage workers will return to their own nation quickly. Rotate low cost workers to keep a new low wage work force in that advanced nation.
      Can the local full wage national competition under bid that constant rotation of very low wage staff that can now do mil/gov work with fully approved security clearances?

      Win, win, win. Use politics, use a few front company staff to present as small, loyal, innovative domestic company.
      Use the low wage nations for the projects. Rent support back to the mil, gov locally after a winning bid and enjoy the profits.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Why by AHuxley · · Score: 1

      Why not? The legal documentation is covered by a lawyer and one person with a security clearance.
      That's the very legal front end of a small company that won the mil/gov bid.
      The code can be done in another low wage nation.
      Sign off on it and present it as domestic code that has had full oversight by people approved by that nation.
      The code is on time and works to some gov/mil standard when tested.
      If the gov/mil wants changes later then local experts with security clearances can go back over the low wage code and add new features using that nations billable hours.
      Outsourcing can win every contract if they present in just the right way in any nation that demands security clearances.
      Use "restriction that the work be done in country" as a way to up sell later support contracts. Present the code as already approved parts in other approved projects? Anything to get the low cost code in nation.
      If "restriction that the work be done in country" then every US gov and mil project would be US only? What about France? Italy? Germany? No parts? Services? Support? No bids from any of them? Buy into a trusted US brand and try that way in....

      --
      Domestic spying is now "Benign Information Gathering"
  24. Re:Latvia (x5.2) by Anonymous Coward · · Score: 0

    The Latvia/Latveria mixup was a bug in the AC's AI.
    Unfortunately there is nowhere to report it and claim a bounty.

  25. Slashdot how you have fallen by Anonymous Coward · · Score: 0

    Worthless post comparing unrelated things. I can't believe I've even wasted the time to reply. Sure as hell not going to bother with the article. Has slashdot become slashmoron?

  26. Top clickbait writers make more on average by Anonymous Coward · · Score: 0

    Top clickbait writers make more on average

  27. Bug Hunters by fahrbot-bot · · Score: 1

    Makes me think of that line in Aliens: (discussed here)

    PFC Hudson: Is this going to be a stand-up fight, sir, or another bug hunt?

    Maybe these guys get better pay but, personally, I'd take less if I could simply nuke things from orbit - you know, to be sure.

    --
    It must have been something you assimilated. . . .
  28. i couldn't do that job by shadowrat · · Score: 1

    I'm a software engineer. I'm no good at finding bugs. It always works on my machine.

    who am i to begrudge someone doing such a valuable job?

  29. Bug Hunters by Anonymous Coward · · Score: 0

    Didn't we call those testers at one point, before we fired them all?

  30. 2.7*0=0 by Anonymous Coward · · Score: 0

    So jack squat?

  31. Re:Latvia (x5.2) by angel'o'sphere · · Score: 1

    There was a young lady of Riga,
    Who smiled when she rode on a tiger.
    They came back from the ride
    With the lady inside,
    And the smile on the face of the tiger.

    What Riga has to do with Latvia is for the reader to figure out :)

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  32. Re:Latvia (x5.2) by jrumney · · Score: 1

    Russian trolls are everywhere these days. It wouldn't surprise me if his officially state sanctioned atlas was missing the Baltic states entirely.