Ethical hackers earned a combined £28 million for finding and reporting software bugs during the pandemic last year, according to a leading bug bounty platform.
HackerOne, which runs bug bounty programmes through which organisations pay ‘white hat’ hackers to find and report vulnerabilities in their systems before criminals can exploit them, announced that nine hackers had each made more than a million dollars from such rewards.
One hacker from Romania only began searching for software flaws a couple of years ago but has already made more than $2 million, while Britain’s top hacker earned $370,000.
Many hackers have had more time during the pandemic to hunt for bugs: a HackerOne survey found that 38% of participants had spent more time hacking since March last year.
‘The COVID-19 pandemic has forced organizations, from businesses to schools, to pivot their operations to digital and online channels,’ said Prash Somaiya, head of Hacker Operations at HackerOne.
‘Traditional security methods can’t keep up with the growth in attack surfaces that come from this rapid digitisation and development.
‘Engaging the diverse and creative hacker community to provide continuous monitoring and testing of online systems is the best way to stay ahead of cyber criminals.’
Most white hat hackers hunt bugs in their spare time and are spread across the globe, from Africa to Asia, earning sums anywhere from a few hundred dollars to many thousands.
One hacker from the UK, Katie Paxton-Fear, earned £12,000 in a year while looking for bugs in her spare time.
‘I remember finding my first bug and literally shaking and realising: “Wow, I just saved people from a pretty big flaw,”’ Paxton-Fear told the BBC.
‘I’m not just using my time to win a prize, I’m actively helping secure applications I use, so for me it’s a challenge mixed with doing something good.’
Finding serious bugs is a race against time: an unpatched vulnerability is open to anyone who discovers it, and the consequences can be severe.
In February, an attacker gained remote access to the water treatment system of Oldsmar, Florida, and tried to raise the concentration of sodium hydroxide (lye) in the water supply to dangerous levels. On a grander scale, the recent SolarWinds supply-chain compromise, in which a trojanised software update was pushed to thousands of customers, put US government agencies at risk of attack.
Some experts think that incentivising bug hunts can also cause problems, such as narrow programme scopes that leave some bugs unrewarded, and programme terms that make it harder for hackers to stay independent.
But bug hunting is certainly on the rise: platforms similar to HackerOne, such as Bugcrowd and France-based YesWeHack, have also seen upticks in bug submissions, with Bugcrowd reporting a 50% increase in submissions over the past year.