Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Bug Hunters Confident They Will Continue to Outperform AI: Study

Cyber security is described as a form of asymmetric warfare. One side, the defenders, have limited numbers — just the security team. The other side includes every blackhat hacker in the world — that is, many, many thousands. The blackhats only need to succeed once; the defenders need to succeed many times every day. Bugcrowd seeks to reverse this impossible mathematics.

Cyber security is described as a form of asymmetric warfare. One side, the defenders, have limited numbers — just the security team. The other side includes every blackhat hacker in the world — that is, many, many thousands. The blackhats only need to succeed once; the defenders need to succeed many times every day. Bugcrowd seeks to reverse this impossible mathematics.

Silicon Valley-based Bugcrowd was founded in 2012 by Casey Ellis (chairman and CTO), Chris Raethke, and Sergei Belokamen. It crowdsources bug hunting to thousands of ethical hackers around the globe, running both public and private competition programs to locate bugs in named applications, using big data and machine learning to match expertise with problems.

In doing this, it reverses some of the mathematics in attack versus defense, making cybersecurity closer to symmetric warfare. It also gives the firm access to the collective mind of the hacker. Each year it taps into this resource to produce an annual analysis, Inside the Mind of a Hacker (viewer). The 2020 version of this analysis uses 3,493 survey responses, ethical hacking activity on the platform from May 2019 to April 2020, together with more than 1,500 successful programs and 7.7 million platform interactions.

The Bugcrowd ethical hackers are international and diverse. The greatest number are located in India (up 83% from last year), followed by the U.S. and then Pakistan. The UK ranks sixth in this list, with Germany at tenth. Most hackers are multi-lingual, with 73% speaking 2 to 3 languages, and a further 16% speaking more than 3 languages. One-third have more than one nationality, but most live in the country of their birth. Interestingly, putting hard figures on a long-held suspicion, 13% describe themselves as neurodiverse, with nearly half of those living with attention-deficit/hyperactivity disorder (AD/HD), with associated strengths in creativity and pattern recognition — and possible difficulty in holding down a full-time, permanent position within a company.

Motivation for Bugcrowd hackers is not primarily financial, with the biggest single consideration being a desire to help organizations defend against cybercrime. This seems to be an exact opposite to what motivates blackhats, where financial return is paramount, and the concerns of the victims ignored — as we have seen time and again throughout the COVID-19 pandemic.

The ethical hacker motivation is confirmed by actual earnings. While 79% of the hackers find their actual earnings good or better than expected, around one-quarter are seeking to earn between $50,000 and $100,000 per annum — which is roughly comparable to their professional counterparts. The more usual earning is around $25,000, which is less than half of what is considered a median salary in the U.S. Having said that, it is possible, and has happened, that a few elite hackers have earned more than $1 million — although the report notes that “these security researchers represent less than 1% of the global community.”

Other motivations include learning and job-seeking — and it does happen that corporations raid the bug crowd for new hirings. CTO Casey Ellis told SecurityWeek that he has no qualms about — indeed welcomes — the practice since it adds to the vitality of the marketplace.

The motivations of the customer are also worth considering. The process is beneficial in that it can find bugs in new applications faster and cheaper than doing it in-house. This benefits everyone. The danger comes where a developer decides to ‘outsource’ the entire security responsibility to Bugcrowd, because the ‘secure by design’ principle can easily be lost. Furthermore, by transferring the Sec element of DevSecOps to Bugcrowd, the developer will lose a lot of agility in future development. Bugcrowd is best used as an additional rather than replacement resource.

One interesting, and perhaps concerning, revelation from the study is that 78% of hackers believe they will outperform AI for the next 10 years. AI is often touted as the great hope for cybersecurity, but if ethical hackers believe they are better, then so will blackhat hackers. (Even more, at 87%, do not believe that vulnerability scanners can find as many critical or unknown assets as they can.)

Jasmin Landry, a top-ranked Bugcrowd hacker, explains the AI reasoning: “Hackers will always be one step ahead of AI when it comes to cybersecurity because humans are not confined by the logical limitations of machine intelligence,” she said. “For example, hackers can adapt four to five low-impact bugs to exploit a single high-impact attack vector that AI would likely miss without the creative flexibility of human decision-making. Experience allows hackers to recognize vulnerable misconfigurations that represent a true risk to organizations without all of the false positives that typically come with AI-powered solutions.”

The bottom line, however, is does the Bugcrowd platform work; does it succeed in its purpose? The ethical hacking membership seems well-pleased; but what about the reward-paying vendors? “In 2019,” says the report, “Bugcrowd prevented $8.9B in cybercrime, and security researchers earned 38% more in bounty payments.”

The $8.9 billion figure comes from multiplying the number of P1 vulnerabilities found by Bugcrowd with the average cost of a breach in 2019 as described by IBM. ‘P1’ designates the most severe and critical vulnerabilities in Bugcrowd’s taxonomy. The implication is that if Bugcrowd hadn’t found the vulnerabilities and the customer hadn’t fixed them, blackhats would have found and exploited them. The figure of $8.9 billion savings to industry is therefore an implied rather than gospel figure — but it nevertheless demonstrates the value of delegating bug hunting to a worldwide ethical hacking community.

Bugcrowd raised $30 million in a Series D funding round in April 2020, bringing the total raised to date to around $80 million.

Related: Hackers Receive $500,000 in One Week via Bugcrowd 

Related: Unnamed Firm Offers $250,000 for VM Hacks 

Related: Western Union Launches Public Bug Bounty Program 

Related: Samsung Adopts Bugcrowd to Manage Mobile Security Rewards Program 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.