Bug Hunting Paves Path to Infosec Careers

Ethical hackers use bug bounty programs to build the skills they need to become security professionals.

Current and future cybersecurity professionals are using bug bounty programs to gain skills they can use to become security analysts, CISOs, or, in some cases, full-time vulnerability hunters.
As part of its 2018 Inside the Mind of a Hacker report, researchers at Bugcrowd polled 65,000 hackers from around the world to better understand who they are, what motivates them, and the sustainability of a hacker career. Most (81%) respondents credit bug hunting with helping them land a job in the security field, and many continue to use it to supplement full-time roles.
Five to 10 years ago, there werent enough bug bounty programs to turn the practice into a full-time position, says Jason Haddix, vice president of researcher growth at Bugcrowd. Now there is more opportunity: The top 50 hackers average yearly payout is $145,000, with over 600 valid submissions. The average payout per bug across the platform is $783.
Still, more people prefer to bug hunt on the side while working other jobs or attending university. Students spend 10 to 20 hours per week on ethical hacking, Haddix explains, and 66% of all Bugcrowd respondents spend up to 10 hours per week bug hunting. The practice is giving them valuable skills they can use to help fill the growing security talent gap.
One of the things that was cool about this report was the amount the hunters are using this experience – finding vulnerabilities and bug bounties – to find jobs in security, Haddix says. Its an interesting educational path in a field where traditional college programs struggle to keep up.
Nearly 41% of bug hunters teach themselves and 43% use blogs and online resources to learn the skills they need. Its a highly motivated group: Nearly 32% want to be full-time bug hunters, 15% aspire to be security engineers at major tech companies, and 6% are training to be CISOs.
The Best Education Is Experience
You dont need a lot of experience to get into ethical hacking, Haddix points out. While 41.5% of hackers polled have three or more years of professional security experience, close to 30% only have one to two years, and 14.3% have no security experience at all. Bugcrowds hackers are relatively young, with nearly all (94%) between the ages of 18 to 44 and 71.5% between the ages of 18 and 29.
Higher education is still popular; 80% of respondents have attended college. But the percentage of those with a masters degree (18%) matches the percentage of those who have a high school education or less. Formal education is becoming the road less traveled,
Bugcrowd reports
. Bug hunters have both the skills and experience companies look for in security job candidates.
Its powerful to say, Instead of taking a certification or class, I found a critical vulnerability on a Fortune 500 company, Haddix explains. Whats more, they can offer proof of their expertise with a bug disclosure or status on a leaderboard. It goes leaps farther than a certification, he says.
The most prominent skill bug hunters learn is Web application hacking, which Haddix says makes up the biggest portion of todays bug bounties. For those getting started, learning Web application testing is a good gateway into ethical hacking – and where the most opportunity is. Most university courses dont dig into Web hacking, he adds, and online resources provide wannabe hackers with fake vulnerable applications they can dig into for practice.
Practical experience is the one thing you seem to lack in todays security researchers, Haddix adds. We need people with experience. New people are having a hard time getting into security.
Related Content:
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
49% of Cloud Databases Left Unencrypted
Attackers Using New Exploit Kit to Hijack Home & Small Office Routers
How Well Is Your Organization Investing Its Cybersecurity Dollars?

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Bug Hunting Paves Path to Infosec Careers