The practice of turning to end users not only to beta test but also to reengineer products -- something once widely criticized -- has reached historic levels in IT. The trend even has a new, far more benign name: crowdsourcing.
Within an organization, it has resulted in new types of employment for software developers with a talent for hacking. For actual hackers, this kind of beta testing has formed its own career path.
Take Pinkie Pie, a teenage hacker who has yet to be identified in the news media by anything other than an online handle. This year alone, this hacker has earned a healthy $120,000 from Google as a result of winning two competitions.
The first was the Pwnium competition in March. Pinkie Pie took the $60,000 first prize by stringing together six vulnerabilities that allowed the hacker to create malware that could break out of Chrome's sandbox and attack the base operating system. Last month at the Pwnium 2 hackathon in Kuala Lumpur, Malaysia, Pinkie Pie took home another $60,000 by achieving a full Chrome exploit again.
According to published reports, Google has set aside $2 million in prize money for hackers like Pinkie Pie who find and report vulnerabilities to the company. Other vendors, including Hewlett-Packard, are setting aside funds for hackers who find and exploit vulnerabilities and then provide the vendors with the methodology. Given all this activity, it's no surprise that new kinds of development jobs related to hacking are popping up in IT, such as quality assurance engineer and software development engineer in test (commonly abbreviated as SDET).
Ray Zambroski, a senior technical recruiter with Rooster Park Consulting in Seattle, told me in an email about the various kinds of skills required for these posts.
The QA engineer will have a "How can I break this?" way of looking at the world, with an ability to document and communicate well. These guys certainly find flaws, but you wouldn't ordinarily expect them to find the type a good hacker would find. They just aren't typically focused on penetration testing.
SDETs, on the other hand, are actually true developers. Typically, they are building (coding) tools and test harnesses designed to automate the testing of something, which would have the potential of finding dozens or even hundreds of flaws in a very short period of time. They might also design penetration tests, of the type the aforementioned hacker may have used (although these types of SDETs are very specialized).
The salary for this type of QA engineer is approximately $60,000 for someone with one to four years of experience, depending on their level and quality of college education, Zambroski said. But SDETs command a salary similar to that for software developers: $80,000 for someone at the junior level with a computer science degree from an average school, or more than $100,000 for someone with a few years of experience and a degree from one of the top 20 computer science schools.
Even SDETs with a top salary may not be as skilled as black hat hackers, Zambroski said.
The best of those care less about breaking something and much more about "getting in." There is a subtle, but very important difference. It actually takes years of "training" to think and act like a hacker, and not many SDETs care to undertake it.
In paying Pinkie Pie, "Google certainly got a deal, and the hacker did also: a paycheck, and Google-caliber notoriety," Zambroski said. In this case, crowdsourcing produced the best beta of all.
— Stephen Lawton is a longtime technology journalist and industry pundit.