{"id":369,"date":"2023-11-12T23:32:23","date_gmt":"2023-11-13T03:32:23","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/?p=369"},"modified":"2023-11-12T23:32:23","modified_gmt":"2023-11-13T03:32:23","slug":"bug-bounties-and-freelance-hackers","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/2023\/11\/12\/bug-bounties-and-freelance-hackers\/","title":{"rendered":"Bug Bounties and Freelance Hackers"},"content":{"rendered":"\n<p>The use of freelance security researchers in bug bounty markets is a concept which enables companies, both large and small, to benefit from professional resources without employing full-time security staff. The article linked below discusses the background of this process and the findings of a research team that took five and a half years of data from a bug bounty market to prove my opening statement.<\/p>\n\n\n\n<p>The study stated that, when it was written, there were 4 million vacancies for cybersecurity professionals. Comparatively, in the same year this study was published, there were ~583,000 cybersecurity vacancies in the U.S. and nearly the same in 2023 at ~572,000 vacancies. Although these numbers seem staggering, the topic of the study offers a solution, whether it\u2019s at a big financial company or a small vintage video game store. These bug bounty markets offer an affordable (in a business sense) mitigation when forced to go without full-time security personnel.<\/p>\n\n\n\n<p>This would of course assume that these businesses have a robust vulnerability disclosure policy, or VDP, which protects these freelance security researchers known as hackers and makes it safe for them to report bugs in a company\u2019s code. 
All companies should have these if they have hackable code; having a VDP is like having a lost and found at a hacker convention: it provides people the opportunity to do the right thing.<\/p>\n\n\n\n<p>Though the research cites six significant findings, I will focus on two of them. First, the study validated that the use of bug bounties will benefit a company, whether big or small. Second and lastly, the researchers cite their inability to identify variables which affect hacker supply. I assess that the habitual use of these freelance hackers will help the continued growth of the industry, and perhaps even help to turn the tide on hacker supply.<\/p>\n\n\n\n<p>This, however, is a problem that needs time to solve. Just as it takes the right sequence of events to create a truly masterful painting, it takes the same to create a masterful hacker.<\/p>\n\n\n\n<p><a href=\"https:\/\/academic.oup.com\/cybersecurity\/article\/7\/1\/tyab007\/6168453?login=true\">https:\/\/academic.oup.com\/cybersecurity\/article\/7\/1\/tyab007\/6168453?login=true<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The use of freelance security researchers in bug bounty markets is a concept which enables companies, both large and small, to benefit from professional resources without employing full-time security staff. 
The article linked below discusses the background of this process and the findings of a research team that took five and a half years of&#8230; <\/p>\n<div class=\"link-more\"><a href=\"https:\/\/sites.wp.odu.edu\/ladler-cyse\/2023\/11\/12\/bug-bounties-and-freelance-hackers\/\">Read More<\/a><\/div>\n","protected":false},"author":26408,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":0},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/posts\/369"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/users\/26408"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/comments?post=369"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/posts\/369\/revisions"}],"predecessor-version":[{"id":370,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/posts\/369\/revisions\/370"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/media?parent=369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/categories?post=369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/ladler-cyse\/wp-json\/wp\/v2\/tags?post=369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}