Want to get rich from bug bounties? You're better off exterminating roaches for a living
Security researchers looking to earn a living as bug bounty hunters would do better to pursue actual insects.
Using data from bug bounty biz HackerOne, security shop Trail of Bits observes that the top one per cent of bug hunters found on average 0.87 bugs per month, resulting in bounty earnings equivalent to an average yearly salary of $34,255 (£26,500). That's a bit less than the median wage for a pest control worker in, say, Mississippi, according to the US Bureau of Labor Statistics. It's also lower than the average UK salary of £27,000. And these are the top cyber exterminators, the ones who bring in the big bucks. Newbies make considerably less.
Citing MIT Press' New Solutions for Cybersecurity, Trail of Bits argues that bug bounty programs appeal mainly to developers in labor markets where wages are significantly lower than in the US, or to students learning cybersecurity. Surprisingly enough, the biz suggests that other options, like hiring security consultants and penetration testers (which, surprise surprise, is Trail of Bits' own business), may make more sense for companies than a bug bounty program.