• United States




How to be an ethical hacker

Mar 28, 20164 mins
CareersIT JobsSecurity

Ethical hackers are making a solid living using their skills of breaking in to help the enterprise defend against criminals

data breach hacker
Credit: Thinkstock

As more companies are growing to see a return on investment for relying on bug bounty programs, more ethical hackers are reaping the rewards of these trusting relationships that help build stronger security.

According to research conducted by Payscale, 30 percent of those who work as ethical hackers have only one to four years of experience. The salary range in the field (largely dominated by men at 93 percent) is anywhere from $53,000 to $108,000. Not only that, but of those 229 ethical hackers who participated in the survey, 100 percent of them rated their job satisfaction at 5 out of 5. They love their work.

Peter Adkins, one of Bugcrowd’s top rated researchers, worked his way up to this top rated status in only one year. Adkins has long had an interest in the security space from an offensive not defensive perspective. Adkins has long had an interest in the security space from an offensive not defensive perspective.

“I’ve always taken things apart,” said Adkins. “At the start of last year, I was doing some work home on a modem/router. I can’t remember why I took it apart, but I noticed a vulnerability right away,” he continued.

After he found a couple glaring vulnerabilities, Adkins contacted the vendor and attempted to work with them on remediation. This process was incredibly frustrating for Adkins as it was nearly impossible for him to get a hold of anyone who could fix the issues. “Some tools have a published security contact, but they aren’t readily available. I called, and they said that they had to get a hold of this person. Other times I had to go through the help desk,” Adkins said.

Acting as the good guy trying to help out turned out to be a challenge for Adkins who was only alerting them out of a sense of moral obligation. It wasn’t his job. It was a hobby.

Eventually, the hobby began to drain his wallet. “Every time I took apart a device, I had to buy the device to test it, which became an expensive hobby. I started looking for other things I could actively do research on. Bugcrowd ran a list of bounty programs, and I was successful at a few of them,” Adkins said..

For Adkins, a systems guy who had long worked on implementing and building systems and networks, he said, “I’ve always had an interest in security and how I can keep the networks secure.”

[ MORE: Why bug bounty hunters love the thrill of the chase ]

The problem with his hobby, Adkins found, is that most larger enterprises tend to not deal with ethical hackers directly. “A company like Bugcrowd is a liaison between researchers and vendors,” Adkins said. Getting a hold of the right people was an obstacle without a reputable middle man. While Adkins did say that every company will react differently, he did have some who responded with anything from ‘thanks’, or ‘thanks but no thanks’, all the way to nasty worded letters.

“I’m quite lucky in that the work I have done for the last year. Some of the people I speak to in the community are incredibly intelligent, and I still feel intimidated by them. I feel lucky,” Adkins said.

Before finding Bugcrowd, Adkins recalled working for three months trying to get a hold of the right people with one vendor. He said, “I looked around for a couple of security response groups to help me engage with the vendor. In the end after three months of no successful contact, I ended up disclosing the vulnerability publicly.”

In the past year, he has discovered some high impact vulnerabilities. “I’ve found misconfigurations of a service or a device. One of them gave me remote access to their servers login and run, which I could then use to attempt to get further access into the network,” Adkins said..

Adkins, who has never himself looked into the CEH certification, recommended, “If you’re not sure whether you would be a good ethical hacker, I encourage people to give it a try. There is nothing stopping you from attempting to work with bug bounty companies and their clients. For Adkins, a hobby turned into a new career path, so it might be worth it for you to have a look at the programs that are out there.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author