Ethical hackers ‘hit the jackpot’ as tech groups pay for protection

In late 2019, Dawn Isabel was on the hunt for glitches and vulnerabilities in a particular mobile application. She was taking part in the app maker’s “bug bounty” programme — a scheme under which a business pays outside hackers for reporting weaknesses in its systems.

“On TV, it looks exciting, with lots of bright green text, and six screens,” Isabel says, of the way this work is sometimes portrayed. “In reality, it’s me hunched at my laptop for hours straight, scrolling.”

But, eventually, Isabel — who also works full time as the director of research at mobile security company NowSecure — “hit the jackpot”. She discovered a devastating vulnerability in the app and soon collected a tidy five-figure sum as a reward.

Dawn Isabel, director of research at mobile security company NowSecure

It is this work by so-called ethical hackers that helps to protect the companies — from Big Tech giants such as Google, Microsoft and Facebook through to bootstrapped start-ups — against nefarious digital actors. And it has proven increasingly lucrative for those taking on the task.

“Companies have been opening up more and more,” says Tanner Emek, a 32-year-old ethical hacker. Over the past four years, he estimates that he has made $1mn in bug bounties.

Individual bounties typically range from thousands to hundreds of thousands of dollars. “Not only are more companies running bug bounty programmes, the scope seems to be getting wider as well,” he adds.

According to Bill Conner, chief executive of cyber security group SonicWall, ethical hacking, which has existed since the 1970s, is evolving.

It used to focus on a “single purpose”. This might be, for example, a penetration test — a simulated cyber attack on a computer system to expose flaws — or vulnerability hunting in products. “But now it’s also gone to [testing] your business network, your internal network for vulnerabilities,” Conner adds. “It’s gone to phishing and email testing. It’s gone to cloud testing. It’s become a fully fledged business.”