Out of the shadows: The rise of ethical hackers in 2021

Pathways to a cyber career

The hacking game is also no longer seen as a side hustle, with 42% of Bugcrowd users saying they hack full-time and 26% part-time. Others are increasingly using hacking as a stepping-stone to a cyber security career.

Among them is 24-year-old, US-based Chris Inzinga, aka cinzinga_, who transitioned into security research after struggling to find the right academic programme for his interests and goals

“A number of years back, I was going through a very uncertain and difficult period in my life,” he said. “Rather than succumb to indecision and inaction, I decided to focus all my attention on learning cyber security as a practical tradecraft.

“As a beginner, I found the Bugcrowd team to be incredibly supportive. They helped me understand why some of my earlier submissions were low-impact, and how I could improve in the future. I found this personalised feedback to be unparalleled among all the other platforms, and it truly helped me in the early days of my cyber security journey.”

Meanwhile, 27-year-old Ankit Singh, aka AnkitCuriosity, who comes from India, is a self-taught hacker who tried to work independently but struggled to get very far, before encountering Bugcrowd.

“I remember in my early days of ethical hacking, when I wasn’t aware of Bugcrowd, I had found some bugs in a few organisations’ production websites,” he said. “I tried really hard to find their contact information and even called them about the issue – but they just hung up the phone before I could even explain. Maybe they didn’t care, or maybe they had no idea what I was talking about.

“If someone told me about platforms like Bugcrowd – and ethical hacking education opportunities – earlier, it would have changed everything.”

Singh added: “I am helping to change the world’s perception of hackers. I want people to look at security research as a creative art form, rather than merely a subject or skill.”

Farah Hawa, who, like Singh, is largely self-taught, and is India-based, has used her learnings to become a hacking influencer with her own growing YouTube channel. “I have niched my channel down in a way that my videos only focus on breaking down complex technical vulnerabilities into more digestible bits,” she said. “I think my audience definitely appreciates that in my content because I try to explain everything in the simplest way possible and, believe it or not, this is a pain point for a huge chunk of the infosec community, especially beginners.

“I would recommend beginners start hunting on smaller programmes because they have less competition and will be more likely to learn, grow their skills, and also build their motivation.”

UK-based Katie Paxton-Fear, aka InsiderPhD, who besides being an ethical hacker is also a cyber lecturer and educator, said the critical skills that hackers need besides technical prowess include communication, attention to detail and curiosity. She said that although anyone can pick up a book or watch a YouTube video, it is more challenging to develop such soft skills.

“Most people can think of 10 uses for a paperclip, but people who are really good at what’s called lateral thinking don’t just stop at thinking of a paperclip as a small, metal thing,” she said. “They think, what if the paperclip was huge? What if the paperclip was made of glass? What if the paperclip was on your computer as an animated character telling you how to solve problems?

“We want people to be able to think outside the box, and that is the real value that things like crowdsourced security offers – a bunch of people that think in very different ways all hacking on one piece of software, because you’ll get so many answers to a question like, ‘How many uses can you think of for a paperclip?’”

Young and diverse

The report also paints a picture of a community that skews young and diverse, with 52% of Bugcrowd’s hackers aged 18 to 24, 35% 25-34, and just 2% over 45. The high number of Generation Z, or Zoomer, hackers born post-1996 reflects some of the generalised trends that are now said to characterise people aged 25 and under – ethnically diverse, digitally native, and establishing their careers at a time of intense job market insecurity.  

While ethical hackers currently lack gender diversity, 96% of those on the Bugcrowd platform are male, 3% female, and 1% agender, genderfluid, non-binary, pangender or of another identity, the community exhibits exceptional diversity in other areas, such as Neurodiversity.

Just over one-fifth of Bugcrowd hackers are neurodivergent, living with conditions such as attention deficit hyperactivity disorder (ADHD), autism, Asperger’s, dyscalculia, dysgraphia, dyslexia, dyspraxia, obsessive-compulsive disorder, sensory processing disorder, synaesthesia, and Tourette syndrome.

It is no secret that some attributes widely seen in neurodivergent individuals, such as memory skills, heightened perception and attention to detail, appear to make careers in ethical hacking – a fast-paced environment that rewards creativity and difference in thinking – ideal for them. Bugcrowd said this was probably reflected in increasing numbers of neurodiverse hackers – up 8% since the last report.

Paxton-Fear is herself on the autistic spectrum. She said: “Someone who is autistic can have hyper-focus moments where they are so invested in something, it is all they can focus on. They can focus for hours on one thing. And that is a real advantage because if you have somebody like that looking at your website, you have got the most dedicated security tester, right? You have got somebody who will go above and beyond, because it is something they really enjoy.”