
Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer (bleepingcomputer.com)

An anonymous reader shares a report: A survey of 1,700 bug bounty hunters registered on the HackerOne platform reveals that top white-hat hackers make on average 2.7 times more money than the average salary of a software engineer in the same country. The reported numbers are different for each country and may depend on a bug hunter's ability to find bugs, but the survey's results highlight the rising popularity of bug hunting as a sustainable profession, especially in less developed countries, where it can help talented programmers live a financially care-free life. According to HackerOne's report, it pays to be a vulnerability researcher in India, where top bug hunters can make 16 times more compared to the average salary of a software engineer. Other countries where bug hunting can assure someone a comfortable living are Argentina (x15.6), Egypt (x8.1), Hong Kong (x7.6), the Philippines (x5.4), and Latvia (x5.2).
  • by Anonymous Coward on Friday January 19, 2018 @04:35PM (#55963075)

    Ok, but how much does an average bug hunter make vs a top software engineer? Or an average bug hunter vs an average software engineer?

    • In related news:

      • "Top chefs make more money than an average chef does."

      • "Above average is above the average"

    • This just in: top software engineers also make more than the average software engineer. More updates coming as we learn more!
      • by Anonymous Coward

        But any employed software engineer is being paid at least something. Not all bug hunters actually make money.

  • by jellomizer ( 103300 ) on Friday January 19, 2018 @04:36PM (#55963087)

    I mean this is an Apples vs Oranges comparison there.
    You can take the top of nearly any (professional) profession and compare it to the average of others and you see that the best of the best makes more than the average guy does.

    • I came to point out exactly the same idiotic point. Seems everyone already beat me to it. I can only imagine the writers of the article were either complete and utter morons or they were simply trying to concoct a story where one doesn't exist as they had nothing better to post.
  • A crappy blog is a great source to get things like "top of something better than average of another". Awesome comparison.

  • where it can help talented programmers live a financially care-free life.

    Security bug hunting and pen test is extremely competitive. Your 2.7x earnings means you're playing with a bunch of workaholics in an all-or-nothing system where partial credit is not an option. You can put 40 hours into a project, only to have victory snatched away by the guy who finished it in 35 hours.

    • by Anonymous Coward

      It's not just workaholics. Even if you yourself are a workaholic you could still end up with nothing. My experience is I usually make $0.00 because only the most esoteric bugs are left by the time it gets on the bug bounty websites. Sometimes I make a couple hundred bucks once a month. The average or better than average person makes nothing consistently.

  • by ilsaloving ( 1534307 ) on Friday January 19, 2018 @04:43PM (#55963155)

    So the top bug hunters make more than the average software engineer? Well slap my ass and call me a cantaloupe!

    What about top software engineers compared to average software engineers? What about A-list celebrities vs stuntmen?

    I know! How about we compare the top strawmen vs average strawmen?

    • This is a perfect example why a median should be used vs the average. Few extreme outliers significantly skew the average when most people make really small amount of money.

      From the article:

      * About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties.
      * Over 3% of bug hunters are making more than $100,000 per year.
      * 1.1% are making over $350,000 annually.

  • Top software engineers make much more than 2.7x average software engineers.

  • by king neckbeard ( 1801738 ) on Friday January 19, 2018 @04:47PM (#55963201)
    To everyone complaining about the comparison between the top of bug hunters and the average software engineer, you are clearly missing the point. They aren't trying to present a meaningful comparison of two fields, they are trying to paint a statistically inaccurate picture of luxury in order to flood the market and drive average wages down. C'mon, is this everybody's first day on /. or something?
  • Luxury SUVs cost 5 times more than average sedan.

    First class airline ticket costs 20 times the average bus fare

    Let me wait for the comparison of the average pay of the top 1700 bounty hunters with the average pay of top 1700 software engineers.

  • Some stats. (Score:4, Interesting)

    by 140Mandak262Jamuna ( 970587 ) on Friday January 19, 2018 @04:53PM (#55963251) Journal
    58% of bug bounty hackers are self-taught.

    37% of white-hat hackers say they hack as a hobby in their spare time (not their primary job).

    About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties.

    Over 3% of bug hunters are making more than $100,000 per year.

    1.1% are making over $350,000 annually.

    13.7% say bounties earned represent 90-100% of their annual income.

    India (23%) and the United States (20%) are the top two countries represented on the HackerOne platform, followed by Russia (6%), Pakistan (4%), and the United Kingdom (4%).

    Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.

    US companies have paid over $15 million to bug hunters via HackerOne in 2017.

    US bug hunters racked over $4.1 million in bug rewards, while Indian white-hat hackers earned over $3 million.

    "Websites" was the overwhelming winner to the question of "What is Your Favorite Kind of Platform or Product to Hack?" with a 70.8% score.

    "Money" was not the primary motivation for getting into bug hunting. It ranked only fourth.

    XSS was the favorite vulnerability white-hat hackers liked to search for.

    (Clipped out some slashvertisement pitching something called burp suite. )

    • What is the salary of the top 1.1% of the software engineers?

      Is it more or less than 350K? If you include stock options, healthcare, 401K match and other benefits too.

      • Wayyyy above that. The salary will be less (150 - 250k range), but then you add in equity, and it goes over 400k, and bonuses will push that even higher. Equity is the big one, top engineers at like Google and such will rack up 300-400k with equity alone. Plus all the other company perks, and there is no real comparison.

        Once you factor in taxes, it REALLY makes it in favor of top software engineers, because 350k will be almost entirely taxed at ordinary income rates. The typical RSU's given to software engi

    • Thanks that's useful. So headline should read:

      3% of bug hunters make what an average software developer makes.

  • by j2.718ff ( 2441884 ) on Friday January 19, 2018 @04:59PM (#55963291)

    I was planning to be an average developer, but I guess I'll become one of the best bug hunters instead. Because as an average software engineer, I assume that I'd be way better than average at finding bugs than someone who's already made that their career.

  • Top software developers make probably 4 times what the 'average' ones make. Apples and oranges, msmash, apples and oranges.
  • Last time I checked maintenance was still the largest part of software engineering by a wide margin.

  • Making 2.7 times the salary of someone doesn't mean you make 2.7 times more (unless the other person makes $0). You have to take into account the fact that the other person is getting paid. So that's either "1.7 times more" or "2.7 times the salary".

  • I am pretty sure that 1 standard deviation rightward on the x axis on any profession makes about 2.7 times what the arithmetic mean of another profession makes, especially for nearly any non-blue-collar or service-industry “profession”. Top bug hunters might even be 2 standard deviations out from the average bug hunter.
  • by AHuxley ( 892839 )
    1. Have lawyers and contractors create a product for mil/gov and win the bid.
    2. Code the product in a nation with low wages. Have lawyers and a person with clearance needed present the code as compliant.
    3. Rent the service and support to the mil/gov.
    4. Support problems by making more profit locally again in overtime costs.
    5. Outsource upgrades.
    6. Get the billable hours up for local 24/7 support.

    Low wage nations with average IQ workers win bids and keeps costs down for the entire project.
    • You are evil. This is part of the reason we have so much shitty software in the world.
      • by AHuxley ( 892839 )
        It can get better and more profitable once real support gets paid over decades of gov/mil tech projects.
        Present winning bids at low costs to more local, state and federal govs/mil.
        Win more contracts on the low cost of past winning bids.
        Win in the USA? Present to NATO/EU nations gov/mil as part of free trade. Starting in any EU/NATO nation? Demand equal access to the US mil/gov market as free trade.
        Not in the USA, EU, NATO? Find some nations lawyers and a few people with a security clearance and use
    • I'm not sure why you think that mil/gov contracts can be outsourced outside the country. Normally, there is a restriction that the work be done in country. Which is fine, because they'll pay the extra to have the work done in country.

      • by AHuxley ( 892839 )
        Why not? The legal documentation is covered by a lawyer and one person with a security clearance.
        That's the very legal front end of a small company that won the mil/gov bid.
        The code can be done in another low wage nation.
        Sign off on it and present it as domestic code that has had full oversight by people approved by that nation.
        The code is on time and works to some gov/mil standard when tested.
        If the gov/mil wants changes later then local experts with security clearances can go back over the low w
  • Makes me think of that line in Aliens: (discussed here [arstechnica.com])

    PFC Hudson: Is this going to be a stand-up fight, sir, or another bug hunt?

    Maybe these guys get better pay but, personally, I'd take less if I could simply nuke things from orbit - you know, to be sure.

  • I'm a software engineer. I'm no good at finding bugs. It always works on my machine.

    Who am I to begrudge someone doing such a valuable job?
