How are things with Russian white-hat hackers?

  • The oldest platform is bugbounty.ru, which has existed since 2021 and unites more than 2 thousand Russian bug hunters.

  • Standoff Bug Bounty launched in May 2022, and VK's programs were among the first to be placed there. The platform often hosts special events for bug hunters, and recently it became possible to receive reports from foreign hackers from several countries.

  • Bi.ZONE Bug Bounty launched in August 2022. This platform has a large number of programs, a progressive rating of bug hunters and the ability to disclose reports.

VK programs are presented on all three Russian Bug Bounty platforms, and this is done specifically to cover as many bug hunters as possible – although the audiences overlap on different platforms, they are still different.

Let's look at the statistics of Bug Bounty programs in Russia since the end of 2022.

As of January 2023, there were about 55 different Bug Bounty programs launched in Russia, and within a year their number had grown to 90+. In addition to the colossal increase in programs – by almost 60% – there was also a general market increase in prices, and the maximum possible reward ultimately doubled. Sounds very cool, but how are things with bug hunters on the Russian market?

The numbers will explain everything

Let me start a little further back. You may know that there is currently an acute shortage of information security specialists on the Russian market. The accumulated personnel shortage amounts to 100 thousand people and will only continue to grow. 62% of surveyed companies note a shortage of qualified information security specialists. Another 32% complained about the excessive workload of specialists – that is, when there is less time than the existing volume of tasks.

And what do bug hunters have to do with it? The thing is that it is mainly information security specialists (thank you, Captain Obvious) who search for bugs, and given their shortage, it is logical to assume that there is a shortage of bug hunters too.

What is the difference between bug hunters and information security specialists? If we talk about technical skills, then essentially – nothing. It's more about desires, time, money and how a person can manage all of this. It all starts with a general interest in finding bugs, and then it either gets replaced by full-time work in information security, or becomes the main way of earning money, or remains a favorite hobby.

There are many stories about how people came to bug hunting from pentesting, AppSec and even development, and vice versa, how they went from self-taught enthusiasts to professionals in AppSec, DevSecOps, etc. and never gave up. I sometimes look for vulnerabilities myself, but in short bursts — when I have free time. Most often, when I fly somewhere. So, if suddenly at the airport you see a person sitting at a laptop and cursing under his breath, then it’s me — hi!

By the way, last year we published an interview with ethical hackers (as bug hunters are also called) about how they got into the profession and what motivates them to look for vulnerabilities. They still participate in our VK Bug Bounty programs – some alongside their main job, and some devoting all their time to searching for bugs.

Let's turn to statistics. We decided to analyze how many active bug hunters there were in Russia at the beginning of 2023 and 2024 to understand how their number has changed. First of all, who is an active bug hunter? In our understanding, this is someone who submitted at least 1 report during the 4th quarter of last year and January of this year.

In addition, if we took only our own data, it would not be representative and would not show the whole picture that exists on the market. To enrich the statistics, we analyzed the number and activity of researchers registered on Russian platforms.

It turned out to be a rather interesting picture – at the beginning of 2023 there were about 250 active bug hunters, and a year later (in January 2024) their number had grown to 300-330 bug hunters.

That is, the growth was 20 to 30%. Is that good? Of course. But if you compare it with the growth in the number of programs, you can see that the growth in bug hunters is not so significant, and this leads to problems.

Let's look back

First, I suggest looking at the statistics of the Bug Bounty programs that VK ran on HackerOne from 2014 to early 2022.

Number of reports and unique hackers on Hackerone

It can be concluded that the number of reports correlates with the number of bug hunters. Let's go further and look at the average number of reports per bug hunter per month – it varies in the range of 1-1.5, rising whenever programs launch, rewards increase, reports are disclosed, or other activities take place.

Average number of bughunter reports on Hackerone

Now let's compare it with statistics on domestic platforms in 2023:

Average number of bughunter reports on domestic platforms at VK

If you analyze the average number of reports from one bug hunter in VK programs, you can see that from January to March it ranges from 1.6 to 2.7.

If we look at the platform statistics without VK data, the picture is similar:

Average number of reports from bug hunters on domestic platforms (excluding VK)

That is, things are about the same – in the range of 1.5 to 2.5 reports per bug hunter. The question arises: why has the number of reports per bug hunter increased?

One possible reason is that there is no longer much competition from international Bug Bounty programs, which has led to a decrease in the “cost” of vulnerabilities.

Since the rewards have become smaller, bug hunters need to find more vulnerabilities to make a good profit. Hence the increase in the average number of reports.

But that's not all. Let's look at the statistics of the Bug Bounty platforms. If we compare the growth of programs with the growth of bug hunters, we can see that the number of researchers per program on the platforms is decreasing.

Average number of bughunters in one program on domestic platforms (excluding VK)

And remembering the correlation with the number of reports, it turns out that since the average number of bug hunters in programs is decreasing…

Average number of reports in one program on domestic platforms (excluding VK)

…then the average number of reports per program on the platforms decreases as well.

That is, the average number of reports per program is decreasing because the number of programs is growing while the number of active bug hunters is growing only slowly.

On the one hand, a large selection of programs is good for bug hunters, as it opens up many opportunities. For programs, however, everything is not so rosy, because they start competing with each other for bug hunters.

Where to find bughunters?

Personally, I see the solution in actively educating new bug hunters – attracting high school and university students, demonstrating to young talents how to properly enter programs so that their first experience does not become their last. I have repeatedly lectured to students and schoolchildren, telling them about the career path in information security and about Bug Bounty programs as a great opportunity to try yourself in the role of an ethical hacker, gain new skills thanks to this and start making money from it.

It is also worth looking at young specialists in information security, especially in the AppSec and pentest areas, because their information security profile is closest to searching for vulnerabilities. I think that even among established specialists you can find those who want to look for bugs in their spare time, but for this, the conditions of the programs should become as interesting and comfortable for them as possible. In addition, it is necessary to maintain high-quality communication in bug bounty programs so that hackers come and continue to search for vulnerabilities.

To understand how to attract hackers, you can refer to the HackerOne study on the reasons for choosing and leaving a particular program.

What criteria do bug hunters use to select programs?

At the absolute top are rewards for vulnerabilities, and this is logical.

But among the reasons for leaving, there are many points related to improper work with bug hunters. Note that it is communication with researchers that ultimately comes to the forefront – “slow responses from triagers” and “poor communication” outrank “low rewards” and “payment speed”. Therefore, direct interaction with researchers is a very important task. Otherwise, the Bug Bounty program will not work as an information security tool.

Why do bug hunters leave programs?

But what to do if the budget is limited, yet you want to attract bug hunters? Here, various non-monetary rewards can come to the rescue – rewarding achievements in the program with cool creative merch can be very valuable. By the way, unique merch is just one of the features of our Bounty Pass, but perhaps we'll talk about that another time.

All in all

Conclusions from Captain Obvious

The problem of the shortage of bug hunters will remain relevant until conditions and opportunities for their training or attraction are created. A good option would be to invite foreign researchers (and the results are already there), but we should not lose sight of the development of our own young (and not so young) specialists.

We can say that we are at a unique moment: due to the growth of the Bug Bounty market and the small increase in bug hunters, competition for them is beginning not only between platforms, but also between companies that have already launched Bug Bounty programs. The number of new companies will continue to grow, as will the number of bug hunters. It's just a pity that the growth rates will differ.