While some people may be eager to return to the office, Aidan Preston, a 22-year-old working at a cyber security consultancy in Edinburgh, is anything but. Since he started working from home because of the pandemic, he has become the UK’s top-earning “friendly hacker” – a coder that helps firms identify bugs in their new software, in exchange for money.
“It’s bad to say, but Covid helped me,” he says. “Working from home definitely kicked everything off for me big time – I can’t imagine going back to an office now. It sounds too alien.”
Without the need to commute into the office and with constant access to his own personalised set-up, Preston has effectively turned his side hustle into a second full-time job. Hacking into the early hours of the morning after working a standard nine-to-five, Preston admits that he sometimes does 90-hour weeks to hunt down vulnerabilities in companies’ software.
In the elusive world of “bug bounty hunting” this practice is not uncommon. The past decade has seen the rise of a booming new market for platforms matching hackers with companies looking to crowdsource vulnerability testing for their software. Traditionally, companies rely on costly external consultants to run penetration – or “pen” – testing for bugs. But these tests are often run only once or twice a year, and the rapid pace of software development necessitates a more dynamic approach, says Marten Mickos, CEO of leading US bug bounty platform HackerOne. As more and more of the world shifts online, there is a dawning realisation that digital society in its current state is “nowhere near as solid and resilient as it needs to be”, he says.
“Today, everything of value is running on software and we must rush to make sure that all that software is being constantly tested, followed up, checked by external, unbiased people,” says Mickos. “Covid accelerated the digital transformation for everybody and laid bare the risks and vulnerabilities we inherently have in software.”
The data reveals snowballing interest in bug bounty: HackerOne reports a 63 per cent year-on-year increase in the number of hackers submitting vulnerabilities in 2020, while Parisbased platform YesWeHack says that the number of active hackers and registered programmes more than doubled over the same period.
The pandemic has also shifted the demographics of the industry. More full-time professional pen testers, like Preston, have joined the community, partly because it is an increasingly lucrative side hustle but also because bug bounty is the “ultimate test of the currency of your skill”, says Mickos.
A number of hackers have already earned over $1m through their work on HackerOne – the first to make it past the milestone being 19-year-old Santiago Lopez. Ballooning bounties are the result of increased demand and rising complexity, meaning that the industry will only become more lucrative over time, says Mickos, although he adds that, as with sports leagues and Hollywood, it is only top-tier hackers that earn the big bucks.
Growing bounties are tempting an increasing number of cyber security professionals to become full-time bug bounty hunters: the number of members on HackerOne using the platform as their main source of income more than doubled in 2020. But, for now, Preston intends to continue as a professional pen tester.
“Most people don’t go straight in fulltime – it’s way too risky; they do it part-time and build up savings and a steady income,” he says. “I’ve thought about it a lot, but I still value professional experience over money, and I think I need to build up my career in an actual consultancy.”
The pandemic has also been a watershed for corporate attitudes towards bug bounty hunting. Now, what was only a few years ago seen as “very experimental, if not risky” is on the verge of becoming best practice, says Rodolphe Harand, managing director at YesWeHack.
A driving force for this has been the rapid pace of digital transformation, turbocharged by the pandemic. Industries that have been hard-hit by the economic fallout from Covid-19 – retail, luxury, logistics – are increasingly running programmes on YesWeHack, says Harand.
While tech companies, unsurprisingly, still constitute a large share of the programmes, there is also growing interest from less tech-savvy organisations, such as national governments: the French government used a bug bounty programme to test the resiliency of its contact-tracing apps last year.
As governments ramp up their digital offerings, relying more on these programmes will help them to win the trust of citizens, says Harand: “Bug bounties are a great way for governments to provide some guarantees in terms of transparency – it’s a way of saying ‘I have nothing to hide’.”
YesWeHack has already run public sector bug bounty programmes outside of a Covid-19 context, but Harand predicts that the number of government-run projects will surge in the coming months, expanding to cover all core public services. “It is going to be healthcare, it is going to be tax services, it is going to be social security,” he says.
Government buy-in is a clear signal that bug bounties are becoming mainstream, but HackerOne’s Mickos hopes it is a harbinger of policymakers starting to take the issue of digital security more seriously. Perhaps surprisingly for someone invested in the swashbuckling world of hacking, Mickos thinks tighter regulation and purposemade legislation are a key part of making a frantically digitising world more secure. “The physical world is in good shape, but the digital world is not, and we are all moving into the digital world,” he says. “Society should know that if our lives are governed by software, we must govern software by law.”
This article originally appeared in the Spotlight supplement on cyber security. You can download the full edition here.