HACK'ER
/’ha–ker/ noun
One who enjoys the intellectual challenge of creatively overcoming limitations.
THE 2019 HACKER REPORT 2 Executive Summary
Welcome to the age of the hacker. Hackers are heroes, they are in it for the good and there is more opportunity than ever before. We share some of their stories and celebrate their impact in this, the third annual Hacker Report.
The Hacker Report details the more than 300,000 As hacking grows in popularity, training continues to be individuals that represent our hacker community today. a focus. With more than 600 hackers registering to join It highlights where hackers live, what motivates them, the ranks any given day, in depth training modules such as what their favorite hacking targets & tools are, where Hacker101 capture the flag challenges are in-demand. they learn, why they collaborate and much more. This past year we saw incredible individual performances In 2018 alone, Hackers earned over $19 million in such as hackers earning $100K for one vulnerability and bounties, almost the entire amount awarded in the the first hacker passing the $1 million milestone. We years prior combined. And while the most successful also saw unmatched collaboration, like hackers acting as find it very lucrative, it’s about so much more than teams to report over 250 valid customer vulnerabilities. money. Many are finding career building opportunities through bug bounties, with companies hiring from Hackers represent a global force for good, coming within the hacker community at a faster clip than ever together to help address the growing security needs of before. Companies are utilizing bug bounty reports and our increasingly interconnected society. The community hacker engagement as an enhanced resume of proven welcomes all who enjoy the intellectual challenge to skills that will impact company goals and security efforts creatively overcome limitations. Their reasons for from day one. hacking may vary, but the results are consistently impressing the growing ranks of organizations embracing The generosity and camaraderie of hackers continues hackers through hacker-powered security—leaving us all to impress with more emphasis than ever before on a lot safer than before. education, collaboration, and giving back. 300K+ 100K+ $42M+ TOTAL REGISTERED HACKERS TOTAL VALID VULNERABILITIES TOTAL BOUNTIES PAID SUBMITTED *As of December 2018
THE 2019 HACKER REPORT 3 Table of Contents Hacker Definition...... 2
Executive Summary...... 3
Key Findings ...... 6
Geography...... 8
The International Flow of Bug Bounty Cash ...... 10
The Economics of Bug Hunters...... 12
Hacker Spotlight: Jesse | @randomdeduction...... 14
Demographics ...... 15
Age...... 16
Trends in Hacker Education...... 18
Introducing Hackboxes and the Hacker101 Capture the Flag...... 19
Profession ...... 20
Hours Per Week Spent Hacking...... 21
Blockchain Hacker Trends...... 22
Hacker Spotlight: Ron | @ngalog ...... 23
Experience ...... 24
Hacker Spotlight: Tanner | @cache-money...... 26
Vulnerability Spotlight 1: XSS in Stream React Chat Client...... 27
Targets & Tools...... 28
Favorite Tools...... 29
THE 2019 HACKER REPORT 4 Hackers Love Researching Websites, APIs and Technology That Holds Their Own Data...... 30
Hacker Spotlight: Andre | @0xacb...... 31
Vulnerability Spotlight 2: SSRF in Exchange Leads to ROOT Acess in all Instances...... 32
Motivation...... 33
Curiosity Means More Than Money...... 34
Governments Lead the Way in Hacker-Powered Security ...... 35
Hackers Value Good Communication, a Challenge, and Recognition When Choosing a Bug Bounty Program to Focus On ...... 36
More and More Hackers Name XSS Their Favorite Attack Vector ...... 38
Hacker Spotlight: Joel | @teknogeek ...... 40
Bringing the Community Together for Global Live Hacking Events...... 41
Working Together & Giving Back as a Community...... 42
Hackers Frequently Work Alone, but Like Learning From Others ...... 43
Do You Actively Participate in Any Hacker Oriented Community-Based Organizations?...... 44
Hacker Spotlight: Santiago | @try_to_hack...... 45
Embracing Hacker-Powered Security: Organizations Across Sectors Increasingly See Value of Hacker Efforts...... 46
Vulnerability Spotlight 3: Bypass 2FA Requirement and Reporter Blacklist through Embedded Submission Form on HackerOne...... 48
Hacker Spotlight: Mathias | @avlidienbrunn ...... 49
Conclusion ...... 50
Methodology...... 52
About HackerOne...... 52
THE 2019 HACKER REPORT 5 Key Findings
$19 million in customer bounties earned in 2018 represent nearly the bounty totals for all preceding years combined. At the end of 2018, hackers had earned more than $42 million for valid results.
Hacker globalization provides a literal meaning to “hack the planet.” India and U.S. remains the top hacker locations, and more than 6 African countries had first-time hacker participation in 2018.
The interest and attraction of joining the hacker ranks continues to skyrocket, as the community surpassed 300,000 registered, with monthly signups growing each month of 2018.
THE 2019 HACKER REPORT 6 Key Findings
Hacker-powered security is creating opportunities across the entire globe. Top earners can make up to 40x the median annual wage of a software engineer in their home country respectively.
Hacker training continues to take place outside of the traditional classroom, as 81% say they learned their craft mostly through blogs and self-directed educational materials like Hacker101 and publicly disclosed reports. While just 6% have completed a formal class or certification on hacking.
Hacking for good is growing in popularity as nearly two thirds of Americans (64%) today recognize that not all hackers act maliciously according to recent Harris Poll data.
THE 2019 HACKER REPORT 7 GEOGRAPHY Hackers participate from every corner of the globe.
Countries like Iceland, Ghana, Slovakia, Aruba, and Ecuador have hackers with as much determination, skill and success as those from India, the United States, Russia, Pakistan, and the United Kingdom. The latter, however, represent the top five countries contributing to hacker-powered security, with their participants comprising just over 51% of all hackers in the HackerOne community. Hackers from India and the U.S. alone account for 30% of the total, but that is a shift from 2018, when those two countries claimed 43% of the hacker community. We’ve seen great gains in community members and it is exciting to see the growth and hacking talent coming from outside the historically top regions.
Hacker globalization provides a literal meaning to “hack the planet”. With the online nature of hacker-powered security programs, it’s easy for hackers to find new and potentially lucrative opportunities from anywhere—all they need is an internet connection. On the other side of the relationship, companies and governments anywhere in the world can seamlessly work directly with leading hackers in Bangladesh and Namibia to find their most critical vulnerabilities fast. Every minute of every day, hackers and companies across the globe come together to make the internet safer for everyone.
THE 2019 HACKER REPORT 8 WHERE HACKERS ARE LOCATED IN THE WORLD
5%
11% 27%
Figure 1: Geographic representation of where hackers are located in the world. Remaining countries are each ≤5% of the HackerOne population.
KENYA ALGERIA INDIA AFRICA Hackers based in Kenya The number of hackers India remains the top More than 6 African participated for the first participating from Algeria hacker location for the countries had first-time time ever. more than doubled this second year. hacker participation this year over last. year.
THE 2019 HACKER REPORT 9 THE INTERNATIONAL FLOW OF BUG BOUNTY CASH
While today hackers are located in more than 150 countries, the most prolific paying organizations and highest earning hackers hail from just a few countries.
Of the $42+ million awarded to hackers through 2018 on HackerOne, organizations in just 8 countries served as the primary source for more than half that amount. The U.S. and Canada based organizations comprise the lion share of bounties, followed by the U.K., Germany, Russia, and Singapore, all contributing significant bounty awards.
The chart below shows the collective outflow and inflow of bug bounty cash from organizations to hackers on the HackerOne platform. From when we published this graph a year ago, there has been some shuffling of the top 10 positions. Hackers from the U.S., India, and Russia continued to dominate in earnings again this year, collectively pulling in 36% of the total value of awarded bounties. Canadian hackers earned 3.3% of all bounties awarded, moving them into the top 10 this year with just under $1.4 million earned. The Netherlands entered the top 10 as well, with Dutch hackers earning more than 3% of the total bounties awarded. Pakistan, Argentina, and Hong Kong fell out of the top 10, but hackers in each of those countries still earned at least 40% more in 2018 compared with 2017.
THE 2019 HACKER REPORT 1 0 GEOGRAPHIC MONEY FLOW
USA: $7,556,968
INDIA: $4,982,260
RUSSIA:$ 2,433,758 USA: $33,658,784
UNKNOWN: $1,454,926
GERMANY: $1,431,807
CANADA: $1,384,692
UNITED KINGDOM: $1,370,873
SWEDEN: $1,350,601 ALL OTHER CANADA: $1,740,560 NETHERLANDS: $1,298,602 $17,428,940 UNKNOWN: $1,294,757 CHINA: $1,218,200 UNITED KINGDOM: $909,489 GERMANY: $641,992 ALL OTHER $1,775,280 CAYMAN ISLANDS: $528,000 SINGAPORE: $458,555 RUSSIAN FEDERATION: $420,010 RUSSIA: $271,009 SWITZERLAND: $221,391
Figure 2: Visualization of the Bounties by Geography showing on the right where the organizations paying bounties are located and on the left where hackers receiving bounties are located.
THE 2019 HACKER REPORT 1 1 THE ECONOMICS OF BUG HUNTERS
Hacker-powered security is creating opportunities across the entire globe. Whether you’re a trained professional looking for a side hustle, in search of an intellectual challenge, or pursuing hacking as a full time endeavor, there is no shortage of opportunity to earn and learn. Dozens of companies in the past year have hired from within the community, utilizing submitted bug reports, personal interactions and public HackerOne profile activity as a bellwether for hiring decisions—a practice encouraged and championed within HackerOne.
The unemployment rate for trained cybersecurity personnel is infamously 0%. This fact makes the decision to work with hackers through methodical crowdsourced security efforts logical for both the individual hacker as well as the organization. Hackers get the opportunity to get well-rewarded for their efforts, and organizations can expand their security talent almost instantaneously in a results-driven compensation model.
THE 2019 HACKER REPORT 1 2 BUG BOUNTIES VS. SALARY
MULTIPLIER OF MEDIAN ANNUAL WAGE
6.4x UNITED STATES OF AMERICA SWEDEN 40.6x 6.3x ARGENTINA 6.2x CHINA
6.2x ALGERIA
4.8x CANADA
24.5x 3.9x PAKISTAN THAILAND 3.8x MOROCCO
3.5x LATVIA BELGIUM 24.2x 3.1x PHILIPPINES EGYPT 3.0x
3.0x AUSTRALIA
2.9x NEW ZEALAND GERMANY 17.6x 2.9x INDIA 2.9x PORTUGAL
2.7x HUNGARY
2.5x ROMANIA 6.7x CHILE 2.5x HONG KONG 2.5x ETHIOPIA
2.4x INDONESIA
2.2x NETHERLANDS
Figure 3: Median annual wage of a software engineer was derived from PayScale for each region. The multiplier is the top bounty salary divided by the median annual wage of a software engineer.
THE 2019 HACKER REPORT 1 3 HACKER SPOTLIGHT JESSE @randomdeduction
“I started doing bug bounties because I could do that on the side to really perfect my skills, and then I had a chance to legally hack against all these random third-party companies that encouraged it.”
THE 2019 HACKER REPORT 1 4 DEMOGRAPHICS Youthful, hungry for knowledge, and creative.
That’s the profile of the average hacker in the HackerOne community. Nine out of 10 hackers are under 35, eight out of 10 are self-taught, and more are coming from diverse industries outside of technology, which brings creative thinking to bug finding. They’re also hacking more than 2018, with more than 40% spending 20-plus hours per week searching for vulnerabilities and making the internet safer for everyone.
THE 2019 HACKER REPORT 1 5 AGE
Figure 4: What’s your age?
Most of the hackers on HackerOne are under the age of 35, which includes a slight increase in the 18-24 subgroup. Those younger adults now account for more than 47% of the HackerOne community, and were the only age group showing a year over year increase. Don’t count the older folks out quite yet, however. The 35-49 year olds maintained their share at just over 9% again this year. And the percentage of 50-64 year olds nearly doubled this year, albeit they represent just a fraction of the overall community.
THE 2019 HACKER REPORT 1 6 HACKER PERCEPTIONS IN AMERICA
In January 2019, HackerOne commissioned a survey, conducted online by The Harris Poll among over 2,000 U.S. adults to gauge their perception of hackers, whether positively or negatively. The results, a portion of which are included below, should be seen as encouraging but also sobering as we consider the road ahead to retrain our collective psyche to see hackers as heroes, not criminals. It’s part of an ongoing mission to redefine the term hacker in the likes of the Cambridge Dictionary, removing the unnecessary and incorrect association of criminality with hackers.
82% of Americans believe hackers can help expose system weaknesses to improve security in future versions
Millennials (ages 18-34) are most likely to believe that hacking is a legitimate profession (57% vs. 31% of those aged 35+)
Nearly two thirds of Americans (64%) think not all hackers act maliciously
More than 4 in 5 Americans (83%) believe hacking is an illegal activity
THE 2019 HACKER REPORT 1 7 TRENDS IN HACKER EDUCATION