Bug bounty programs have become a critical element of modern cybersecurity, allowing organizations to tap into a diverse pool of talent to identify software vulnerabilities. Given the growing demand for cybersecurity experts, bug bounty programs should ask themselves not only how they can attract existing bug hunters, but also how newcomers, such as students interested in cybersecurity, can find their way into the world of bug hunting. Since we at Compass Security have recently launched our own managed bug bounty service and I was looking for a topic for my master's thesis, this question seemed particularly worth researching.
Narrowing Down
To avoid losing focus, I concentrated my research on current and recently graduated students from Swiss universities. With the help of a survey, I collected their thoughts on bug bounty directly from them. The survey covered topics such as level of awareness, main motivations and barriers to entering the field of bug bounty, and how their educational background could be an advantage in learning the necessary skills.
The survey was launched in December 2023 and attracted 96 participants from more than ten different universities, most of whom were enrolled at ETH Zurich. This is likely due to my connection with that university, as my network is primarily based there. After cleaning up the responses, I analyzed them from various angles and now want to share the most interesting findings in this blog post.
Friends, Colleagues, and the forgotten Power of YouTube
Most participants responded with YouTube and social media when asked, “On which platforms do you regularly consume cybersecurity content?,” as shown in the following figure:
Surprisingly, the answers to the question, “From where did you first learn about bug bounty programs?” point in another direction, as the following figure illustrates:
As we saw, most participants consume their content on YouTube and other social media platforms, but heard about bug bounty for the first time through interactions with friends, colleagues, or university channels. This mismatch suggests that the marketing of bug bounty programs either does not reach these channels at all or is misaligned with where students actually spend their time.
Time vs. Treasure
One key finding of the survey was the identification of the major barriers that prevent students from entering the field of bug bounty. As shown in the following illustration, the two main perceived barriers are “Lack of Skills or Knowledge” and “Time Constraints”:
Coupled with the responses to the question, “How do you view the balance between the effort required and potential financial rewards in bug bounty programs? (1 – not worth it, 5 – highly worth it),” which averaged only 2.4, this clearly indicates that the financial aspect alone is not sufficient to persuade Swiss students to spend time on bug bounty programs.
This trend is also reflected in the answers to the following question, in which the majority of respondents stated that gaining practical experience would be their main reason for participating in a bug bounty program, closely followed by earning money:
Beyond Financial Rewards
As we found out, financial incentives alone are not enough to motivate a large number of Swiss students to go bug hunting. Looking at alternative forms of reward produced interesting results. Notably, participants with bug bounty experience placed a higher value on recognition and non-financial rewards than participants without such experience. When asked about the importance of recognition (e.g. obtaining certificates) in bug bounty programs, participants with experience rated it 4.2 out of 5 on average, compared to an overall average of 3. One participant even stated that “Any token of appreciation, e.g. I got exclusive company merch for a vulnerability I reported” is their main motivation for hunting bugs.
We can therefore conclude that, in addition to financial compensation, other rewards can significantly enhance the attractiveness of bug bounty programs to new hunters. Alternative forms of reward might include various kinds of recognition, such as bug discovery certificates or customized swag and merchandise. Rewards could also offer hands-on experience, such as tickets to security conferences or access to specialized security training. This is in line with the findings from the previous section, according to which most prospective hunters are primarily interested in gaining practical experience.
Conclusion
After completing the questionnaire, the participants were asked whether they would like to try out a bug bounty program. A remarkable 82% of participants said they would, indicating significant untapped potential. It is crucial for bug bounty platforms to focus not only on how they can attract existing hunters, but also on how they can introduce new participants, such as students, to the world of bug hunting. Students represent a promising group of potential talent that could benefit greatly from these programs.
As we have seen, Swiss students typically do not encounter advertising for bug bounty programs in the same online environments where they consume their regular cybersecurity content. This presents an opportunity for platform operators to place targeted advertising where these young enthusiasts spend their time. Furthermore, the perceived barriers of limited time and unsatisfactory financial rewards suggest that repositioning bug hunting as a pathway for learning and practical experience might be more appealing. If students perceive bug hunting not just as a job to earn money but as an educational journey, many more might be inclined to participate; even if they do not find bugs, they would still value the experience gained.
To further incentivize participation, platforms could offer more than just monetary compensation; they could issue certificates for bugs found or reward exceptional hunters with exclusive security training courses. Additionally, integrating gamification, as suggested by other research in this field, could enhance engagement and make the learning process more enjoyable and rewarding.
If you liked this blog and want to know more about it, you can find the published master’s thesis here.