'Bug Bounty' millionaires could face financial ruin

26 April 2022

Cyber-attacks on businesses continue to rise. In a survey of middle market business leaders, RSM UK’s ‘The Real Economy’ report on Cyber Security shows 27 per cent of respondents experienced an attack in the last 12 months, up from 20 per cent in 2021. Businesses are fighting back, though, with more than half of respondents increasing their investment in cyber security. Part of this fightback includes businesses offering a 'bug bounty' as a reward to those who can identify and help fix vulnerabilities in their cyber security systems. It is fast becoming big business, with Google paying out $8.7m in 'bug bounty' rewards to 696 researchers in 2021.

The need for ethical hackers, or 'white hat hackers' as they are also known, is particularly important in the world of cryptocurrency. This is illustrated by a recent hack of a blockchain gaming company, Sky Mavis, which created the popular computer game Axie Infinity. The company recently announced in a blog that cryptocurrency worth approximately $545m had been stolen in a hack on 23 March 2022, with the FBI reportedly attributing the attack to the Lazarus Group in North Korea.

In response to the hack and theft of funds it suffered, Sky Mavis have announced a 'bug bounty' programme which will pay rewards of up to $1m in cryptocurrency. This is a growing trend and the speed at which the cryptocurrency market has grown has made it an attractive target for hackers, as well as a lucrative source of work for 'white hat hackers'. Those with the expertise can become millionaires overnight, as highlighted by one prominent 'white hat hacker', Jay Freeman, who confirmed on Twitter that he was paid a $2.1m 'bug bounty' reward in February this year.

However, 'white hat hackers' in the UK who receive rewards face significant uncertainty in terms of how they will be taxed. There is no published guidance from HMRC as to how 'bug bounties' should be taxed, and queries on the subject from taxpayers in HMRC’s online forums have broadly been left unanswered. Taxpayers need guidance on the issue and fast.

There are different interpretations of how a 'bug bounty' may be taxed, with some speculating it might even be tax-free on the basis the reward represents a prize. However, in the majority of cases, the likely tax treatment is that the 'bug bounty' will be treated as income. Depending on the level and scale of the 'white hat hacking' activities undertaken, it might be enough to represent a trade but failing that, it is still likely to be taxed as miscellaneous income.

On this basis, those receiving significant 'bug bounty' rewards could face significant financial risk if they are paid in cryptocurrency. Some of the reward programmes, such as that proposed by Sky Mavis, will pay out the 'bug bounty' in a coin which has a volatile value and also require the coins to be vested (i.e. retained) for a certain period of time. The 'white hat hacker' might therefore trigger an income tax liability at one value, only to see the coins’ value plummet in the meantime whilst they are unable to sell them during the vesting period. In these circumstances, any loss is unlikely to be available to offset against the income tax liability and could leave the individual facing financial ruin as they would be unable to settle their tax liability. What could be a teenager’s hobby in their bedroom might have serious financial consequences.