Last week, David Baker (Bugcrowd’s Chief Security Officer) released a blog post discussing why it's important to understand researcher motivations in order to run a successful bug bounty program. Furthermore - to enable current and future customers to get a better handle on what drives security researchers at Bugcrowd - we released the Inside the Mind of a Hacker (version 2.0) report covering a broad range of metrics around who the Crowd is comprised of; including data on age, level of education, geographic location, and most importantly - what motivates us (and I use the term “us”, because I myself am a security researcher on Bugcrowd).
Who are these “security researchers” you speak of?
Regardless of age, nationality, or level of education - we have found that our Crowd of over 65,000 researchers is made up of individuals who represent - in varying degrees - five distinct personality types: “knowledge-seekers”, “hobbyists”, “full-timers”, “virtuosos”, and “protectors”. Simply put, the most successful bug bounty programs have something to attract each one of these personalities - and to that end, it’s worth exploring what draws each type of security researcher to hunt for bugs on your program.
If you’ve ever read the Hacker Manifesto, you are probably familiar with the phrase: “I am a criminal. My crime is that of curiosity” - and to that end, Knowledge-Seekers embody what is historically considered the true essence of a “hacker”. More than anything else these individuals Hack-to-Learn, and most often reinvest their bounty money into new tools and learning materials to further their tradecraft.
So what differentiates these modern-day hackers from their earlier, anarchist ancestors? Two things: modern laws (you can’t learn to hack from a jail cell), and the plummeting cost of disk space (more on that in a future blog post). Bug bounties offer a unique opportunity for Knowledge-Seekers to lawfully continue developing their skills, with a fringe benefit of adding money to their bank account. What’s more, Knowledge-Seekers won’t stop at the first signs of a hardened target - these are the security researchers who will go-the-distance to hunt down those bugs that others will have long-since given up on.
So how do you draw them to your program? Give them a broad scope with some challenging targets, and provide them with good feedback. Regular communication and quick response times will keep Knowledge-Seekers on the hunt far longer than any of the other personality types.
“Hacking for Fun and Profit” has become a well-worn meme within the information security community - but that doesn’t make it any less true as it applies to Hobbyists. There is an indescribable thrill that comes from the process of performing recon on a target - and that thrill continues all the way through exploiting those deeply-hidden vulnerabilities in an application. Where these individuals might have once satisfied their sense of adventure by manipulating video games, they now find satisfaction in leveraging their creative talents through finding bugs.
Of course this kind of thrill-seeking behavior begs the question - why don’t they choose the path of the Black Hat? The answer is simple, really - it’s because they don’t have to. The advent of bug bounty programs has given Hobbyists a lawful means of exerting their mental energy on challenges that are both fun, and profitable. I mean, really - would you want to live a life of looking over your shoulder worrying about the Feds, when you can just as easily hack for fun and profit on programs with Bugcrowd? I’ll take Bugcrowd for $500, Alex.
So how do you tempt the Hobbyist with the thrill-of-the-hunt? They’re in it for both fun AND profit, so draw them into your program with higher rewards and a broad program scope. Also, as with Knowledge-Seekers, Hobbyists want to see a quick turnaround for their efforts - so communicating with them early (and often) will keep their attention on your program.
Until next time
With that, check back next week for Part 2 of this series, where I’ll discuss how to entice the Full-Timers into researching on your program, and how to draw the attention of the extremely-talented Virtuosos. Until next time - happy hunting!