Bug Bounties and Freelance Hackers

The use of freelance security researchers in bug bounty markets is a concept which enables companies, both large and small, to benefit from professional resources without employing full-time security staff. The article linked below discusses the background of this process and the findings of a research team that took five and a half years of data from a bug bounty market to prove my opening statement.

The study stated that, when it was written, there were 4 million vacancies for cybersecurity professionals. Comparatively, in the same year this study was published, there were ~583,000 cybersecurity vacancies in the U.S. and nearly the same in 2023 at ~572,000 vacancies. Although these numbers seem staggering, the topic of the study offers a solution, whether it’s at a big financial company or a small vintage video game store. These bug bounty markets offer an affordable (in a business sense) mitigation for companies forced to go without full-time security personnel.

This would of course assume that these businesses have a robust vulnerability disclosure policy, or VDP, which protects these freelance security researchers, known as hackers, and makes it safe for them to report bugs in a company’s code. All companies should have these if they have hackable code; having a VDP is like having a lost and found at a hackers' convention: it provides people the opportunity to do the right thing.

Though the research cites six significant findings, I will focus on two of them. First, the study validated that the use of bug bounties will benefit a company, whether big or small. Second and lastly, the researchers cite their inability to identify variables which affect hacker supply. I assess that the habitual use of these freelance hackers will help the continued growth of the industry, and perhaps even help to turn the tide on hacker supply.

This, however, is a problem that needs time to solve. Just as it takes the right sequence of events to create a truly masterful painting, it takes the same to create a masterful hacker.

https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true
