Hackers earned a record $40m (£28m) in 2020 for reporting software flaws via a leading bug bounty reporting service.
HackerOne said nine hackers made more than $1m each after it flagged their findings to affected organisations.
One Romanian man, who only started bug-hunting two years ago, saw his total earnings to date top $2m. The UK’s top-earning hacker made $370,000 last year.
The platform suggested the pandemic had given the volunteers more time to pursue the endeavour.
A survey HackerOne commissioned indicated that 38% of participants had spent more time hacking since the Covid-19 outbreak began.
‘Literally shaking’
Many of those involved work part-time and are based in dozens of different countries including the US, Argentina, China, India, Nigeria and Egypt.
The amount of money awarded depends on the severity of the flaw, and can range from less than $140 to much bigger sums.
HackerOne, which is based in California, charges a subscription fee to businesses for use of its platform.
British bug bounty hunter Katie Paxton-Fear, a lecturer at Manchester Metropolitan University, says she looks for bugs in her spare time.
Whilst the money is good, she says it is not a get-rich-quick activity.
“I’ve earned around £12,000 in 12 months,” she told the BBC.
“I remember finding my first bug and literally shaking and realising: ‘Wow I just saved people from a pretty big flaw.’
“I’m not just using my time to win a prize, I’m actively helping secure applications I use, so for me it’s a challenge mixed with doing something good.”
Another similar platform called YesWeHack, which is based in France, said its 22,000 hackers had submitted double the number of bugs in 2020 than the previous year.
It does not release figures on money rewards made via its service.
“Given the new risks and the importance of cyber-security in the economic survival of companies, an increasing number of chief information security officers have turned to bug bounties,” said chief executive Guillaume Vassault-Houlière.
Another, BugCrowd, said it saw a 50% increase in submissions on its platform in the last 12 months.
Bounty sceptic
Commercial bug bounty programmes have grown in popularity in the last five years, but some experts think there are flaws to the system if they are relied upon too heavily.
Security researcher Victor Gevers, who runs the GDI Foundation for responsible disclosure in the Netherlands, said he never accepted money for bugs he found.
“We don’t participate in bug bounties because they are sometimes quite narrow in their scope and only give researchers permission to look for flaws in certain parts of their systems,” he said.
“We want to be able to ethically search for vulnerabilities where we think they are, and maintain our independence.
“But for starting security researchers or students, then these commercial bug bounty platforms are great as they offer a lot of protection, resources and are a perfect place to start.”