Bugcrowd Blog

How Understanding Researcher Motivations Can Help You Run a Successful Bug Bounty Program

Posted by David Baker on Nov 21, 2017 11:45:00 AM

Last week, we released our second annual Inside the Mind of a Hacker 2.0 report. We dove into different hacker profiles, their motivations for hacking, and the impact building a relationship makes on a successful bug bounty program. We found lots of interesting stats on our bug hunting community, both expected and surprising.

Sam gave a great overview of the full report in his blog post last week. Today I will dig a little bit deeper into overall trends we found from the report. Also, I will examine how knowing the Bugcrowd Hacker community better will help you run a successful bug bounty program.

Our Crowd’s breadth and depth continues to grow

Since last year’s report, our Crowd of security researchers has grown by 71% to more than 65,000 members, coming from more than 100 different countries around the world. They have expertise in a wide array of technologies, including web application testing, web API assessment, network pen testing, social engineering, source code analysis, and more.

Overall, we found that bug hunters are young (71% are between the ages of 18 and 29 years old), determined, and always looking to develop their knowledge and build on their skill set. When asked why they participate in bug hunting, the large majority ranked “the challenge” as their top motivation. And 62% reinvest earnings from bug hunting back into their craft, spending it on security tools and training. Most researchers aren’t “full-time” bug hunters either—they hold regular 9-5 jobs, though 27% aspire to become full-time bug hunters.

Applying that knowledge to your bug bounty program

Bug bounty programs have come a long way from the old public, “open-to-everyone” contests that they once were. Over time, a number of variables have surfaced, adding more complexity to the bounty ecosystem. The four main variables that our customers adjust to build their programs are scope, program type (i.e. public, private or on-demand), reward ranges, and public disclosure policy. These variables work both independently and in tandem with one another. Modifying the variables, even while a program is running, can motivate specific behavior and attract different types of researchers.

As a bug bounty program matures, the goal is to tap into the skillsets and experience you want, as each researcher brings his or her own perspective to a program. That is crowdsourced security testing at its best. It is also easier said than done.

How Bugcrowd can help

Bugcrowd’s Researcher Success team ensures you get the right researchers for your programs – the ones who understand your technology stack and can quickly identify new attack surfaces for vulnerabilities. Our team prides itself on building impactful relationships with our bug hunters, through incentive programs, gamification, and constant communication to retain and motivate the highest quality researchers. The Researcher Success team also provides the tools and education needed to enable new bug hunters to get started on our programs. The team handles any incidents and manages direct communication, facilitating healthy relationships.

Here is one last idea to leave you with: it seems intuitive that a large crowd will translate into a bigger pool of talent with varying backgrounds, skill sets, and perspectives. That is in fact not the case. Access to hackers who have an extensive breadth of skills and expertise, and who remain engaged in bounty programs, actually requires special care and attention to the community and even some one-on-one relationship building. The focus of our Researcher Success team has always been to ensure that Bugcrowd has the largest and ever-growing community of active, engaged, high-quality and, most importantly, HAPPY hackers.

To learn more about our Crowd, download our Inside the Mind of the Hacker 2.0 Report.


Written by David Baker

CSO