Cybersecurity professionals are increasingly taking a closer look at bug bounty hunting as a career -- with 66% considering it as a full-time line of work, a new study of 1,700 ethical hackers found.
It’s potentially a lucrative career path, minus many of the stresses and strains that some experience as a security operations analyst. The appeal is strong enough that nearly all in the survey would like to dedicate more time to bug bounty hunting in the future, Intigriti said in its second annual Ethical Hacker Insights Report.
With its growing popularity among cybersecurity pros, should MSSPs set up for-profit bug bounty hunter teams? Can individuals make a living from bug bounty hunting? If the trend line holds, it could be a forward-looking plan for MSSPs. Here’s why, Intigriti said:
The money: The biggest appeal of full-time bug bounty hunting to respondents is the money, with 48% declaring this as their top interest point, Intigriti said. Being their own boss and setting their work hours closely follow, with 45% of respondents listing both points as appealing aspects.
Education benefits: The survey results indicate that this generation of tech talent isn’t getting what it needs from employers to keep its skills and knowledge up to date, despite rising cybersecurity threats. In information security, for example, 50% of respondents say they turn to bug bounty hunting to learn the most relevant and useful knowledge, compared to just 11% who gave their job as their first choice.
Opportunity: Around two-thirds (65%) of respondents already have hands-on penetration testing experience and nearly nine in 10 (88%) agreed or strongly agreed that “a penetration test cannot provide continuous assurance that an organization is secure year-round.”
“The work-from-home culture has made employees desire more independence and has further encouraged digital nomads to pursue a remote working career,” said Inti De Ceukelaire, Head of Hackers at Intigriti. “As attackers shift tactics, cyber defenses must too. The only way to test their effectiveness is to apply continuous pressure against them. Considering that an organization’s security posture will change with each new feature release or update, it’s not only a logical step to implement more security testing, but also critical.”