The average bug bounty reward for finding critical vulnerabilities increased year-over-year by six percent, from $1,923 to $2,041, according to statistics compiled from HackerOne’s bug disclosure platform between May 2017 and April 2018. Over this same time period, a grand total of $11.7 million in bounties was awarded to participating hackers.
HackerOne revealed these numbers earlier this week as part of its 2018 Hacker-Powered Security Report, which asserts that crowdsourced bug hunting is reaching critical mass, as companies across industry sectors become increasingly comfortable with reaching out to the hacker community for help. Additional findings gleaned from the HackerOne platform itself, as well as a recent survey of 1,700 hackers who use the platform, appear to back up this notion.
For instance, the total number of reported critical vulnerabilities increased by 26% since HackerOne’s previous annual report (2017), while the share of most impactful bugs (critical and high-severity flaws, combined) rose from 22% to 24% year-over-year.
Payouts jumped as well since HackerOne’s 2017 report, as researchers saw a 30 percent increase in the total number of critical bug discoveries earning at least $10,000. Of these 116 cases, one report earned a whopping $75,000 for exposing three vulnerabilities that when combined could allow for remote code execution.
“The world is embracing the highly skilled and creative hacker community to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne, in a press release. “A model once reserved for the largest tech-advanced companies in the world is now being implemented by organizations of any size, industry and connected corner of the globe. Hacker-powered security is reaching critical mass, and everyone is benefiting from a more secure internet.”
HackerOne also found that the total share of bug bounty programs on its platform that operate privately shrank from 88 percent in the 2017 calendar year to 79 percent during the course of the study — a sign that a growing number of companies feel confident enough to take their programs public.
While technology companies continued to lead the way, comprising 58 percent of HackerOne’s bug bounty programs from May 2017 through April 2018, other sectors are gradually increasing their share. According to the report, consumer goods, financial services and insurance, government, and telecommunications combined to make up an additional 43 percent of vulnerability disclosure programs. Consumer goods was the sector with the fastest average vulnerability resolution time — 14 days.
However, HackerOne warns that many leading organizations within these various sectors remain unprepared, claiming in its report that 93 percent of the companies named to the 2017 Forbes Global 2000 list still “do not have a policy to receive, respond, and resolve critical bug reports submitted by the outside world.”
Geographically, HackerOne found that organizations based in the U.S. continue to pay the highest share of bounties to hackers worldwide — 83 percent — while hackers in the U.S. earned 17 percent of all the bounties awarded during the course of the study.
For the purpose of the study, the report examined a total of 78,275 vulnerability reports, collectively sent to more than 1,000 organizations via HackerOne.