Let's pretend you have offensive security skills and you want to use them for gainful employment. You attend a job interview and you listen to the benefits of what this company has to offer. First of all, most of the time you'll be working for free — unless you find a vulnerability, and then they might pay you a few weeks later. You'll also receive no paid sick days, paid holidays, or days off of any kind because, well, you're working for free remember?
The tools you'll need for this job — laptops, mobile devices, and any other widgets — you'll have to provide yourself. As for a pension… of course not. No subsidized gym memberships, health insurance, discount vouchers, free breakfasts, or free food of any kind.
This is the reality for thousands of individuals who work on bug bounty programs for various crowdsourced security companies. And it's hard to find a comparison with other companies in the current gig economy (such as Uber, Airbnb, and Deliveroo), where employees work their own hours and forgo traditional employee benefits (holidays, pensions, etc.) as a trade-off. The one crucial difference: Gig economy workers are actually paid for their labor and can predict their income if they choose to invest two hours or two days a week.
Let me elaborate. You'll only be paid on bug bounties if you find vulnerabilities. To find vulnerabilities, you have to invest your time. Sometimes, you might be lucky and find critical, high-paying vulnerabilities in minutes; I was once lucky enough to find $6,000 of vulnerabilities in 30 minutes — not a bad hourly rate. But these findings are the exception, not the norm. Most of the time, you don't find any vulnerabilities at all. That's hard to reconcile if you spent six or seven hours trawling through an application and came up empty-handed — you get nothing for your time. Worse, you might actually find a vulnerability but it's classed as a "duplicate," meaning someone else before you had already found it, and you still get nothing.
You see, pen testers (or anyone with an offensive security skill set) are hard to find on the job market because, yes, there's a shortage and, yes, it's getting worse. Once you recruit them, you have to pay them top dollar so they stay, and you also have to keep them happy by sending them to conferences and allowing them time to do their own research and attend certification courses (for which you'll also pay). On top of that, you have to pay them traditional benefits such as a pension, a regular salary, etc. And since you're sending them to various customer sites, you obviously need to pay for transportation expenses. While you employ them, you also have to make the best use of them, billing them out at $1,000 a day (or more!) so you can make some money off them. Not having them working on client engagements is very expensive because they're sitting around doing nothing.
Crowdsourced companies have leapfrogged these complications in a spectacular fashion by simply removing them from the equation entirely. Your "employees" can be anywhere in the world, and as long as they are given an incentive to participate in bounties, even though they aren't paid unless they find something, you've just made your business leaner. You don't need to pay for their certifications, tools, upkeep, pensions, or any of the costs that are associated with full-time employees. You pay them per vulnerability, so it's irrelevant how many of them there are. You don't need office space to contend with, nor do you need to worry about reviewing their performance, because it's a self-fulfilling cycle — those that perform better get paid more, so are invited to more bounties, then get paid even more, and so the cycle continues.
A Nice Job if You Can Get It
But who would actually sign up for this? Thousands, in fact. First of all, there aren't that many people working in this fashion. Forget the marketing statistics you hear — crowdsourced companies may claim anywhere from 150,000 to 300,000 people on their platform, but all they're doing is counting the number of sign-ups. When you drill down into the statistics, only a tiny percentage of those people have ever logged a vulnerability.
Most people on these platforms (such as myself), according to Bugcrowd's "2019 Inside the Mind of a Hacker" report, don't do it full time, especially if they live in Europe or the US. Salaries in the cybersecurity sector are high enough that most people don't have to moonlight for extra money, which is why, without exception, all the researchers I speak to do it for fun, the challenge, or just the safety net of being able to hunt for bugs in applications without the threat of legal action.
To be fair, crowdsourced companies are acutely aware of this criticism and are slowly trying to address this issue. Synack launched Missions a year ago, which are short, focused tests for a single vulnerability, whereby you'll get paid whether or not you find the vulnerability. Bugcrowd has also launched its Next Gen Pen Test, which follows a similar vein: If you work through a testing methodology but don't find anything, you'll get a lump sum; if you find vulnerabilities, then you get paid for those, too.
Work Still Needed
Arguably, companies in the industry still have a lot of work to do. While they have teams internally dedicated to "researcher success," these are customer-focused. I've lost count of the number of times I've had a company not pay out (either by ignorance or on purpose), ignore a vulnerability, or just generally misclassify the severity of something I found to pay less. The one exception to this is Synack, which has solved this issue by having a slightly different business model: It consistently pays out from its own funds and negotiates with companies separately. This is also the reason it has the reputation for having the fastest payouts in the crowdsourced industry. Based on my personal experience, often you can be looking at money in the bank 48 hours after submitting a vulnerability.
It's hard to see this continuing into the future — bug bounties and disclosure platforms aren't new anymore, and it's telling that the researchers you find on one platform are identical to those on the other platforms because, simply put, those with a desire to do so now participate in bug bounties, resulting in a never-ending stream of researchers to pull from. This is problematic because the entire business model depends on two things: a continuous stream of people looking for vulnerabilities and having those people do it mostly for free.
As a result, platforms have had to switch tactics. Cycling researchers is common. For example, if you have 30 researchers assigned to a private bounty program, and 20 of those haven't logged a single vulnerability in a few months, it's fair to say they aren't looking anyway, so you cycle them out and invite 20 new people in to replace them. This is to generate that constant flow of researchers with a different set of eyeballs that might spot something the others haven't. (This is one of the primary advantages of crowdsourced security over pen testing, so it makes complete sense.)
The other technique is gamification. Payments are increased for certain companies, and this is communicated out to everyone to rekindle interest with the introduction of badges, achievements, T-shirts, and all sorts of goodies as rewards for meeting certain targets or types of vulnerabilities. Techniques like this will work in the short term but will eventually come up against the same long-term boundaries because there just isn't an infinite supply of highly skilled specialist labor that works for free.