Earned $11.7M in Last 12 Months
July 12, 2018
released findings from the 2018 Hacker-Powered Security Report, based on
over 72,000 resolved security vulnerabilities, 1,000 customer programs
and more than $31 million in bounties awarded to hackers from over 100
countries. The annual report is a benchmark study of the bug bounty and
vulnerability disclosure ecosystem based on the largest data set of
Hackers are finding more severe vulnerabilities than ever before. The
total number of high or critical severity vulnerabilities increased by
22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities
were classified as high to critical severity across industries. As a
result, bounties for high impact findings are rising. The top bounty
awarded for a single report reached $75,000 in 2017. The most
competitive programs like Google, Microsoft and Intel are offering
$250,000 bounty awards for critical issues. Meanwhile, false positives
are becoming a relic of the past, with 80 percent Signal platform-wide,
meaning 80 percent of submitted and qualified reports are valid.
Here’s a quick review of some of the statistics you’ll find in the report:
Over $31M has been awarded to hackers as of June 2018 with $11.7M
awarded in 2017 alone.
A total of 116 unique bug reports earned bounties over $10,000 in the
past year, with the average amount paid for critical issues rising to
over $2,000. Organizations are now offering as much as $250,000.
Governments are leading the way with a 125 percent increase year over
year. New public programs, including the European Commission and the
Ministry of Defense Singapore, among others, joined the U.S. Department
of Defense on HackerOne.
Global adoption continues and Latin America is realizing the largest
uptake of vulnerability disclosure policies and bug bounty programs,
with an increase of 143% year over year.
93% of the Forbes Global 2000 list do not have a policy to receive,
respond, and resolve critical bug reports submitted by the outside
Less than 5% of hackers learn their skills in the classroom - hackers
want more education.
security testing is rapidly approaching critical mass, and ongoing
adoption and uptake by buyers is expected to be rapid,” Gartner
reported. Governments are leading the way with adoption globally. In the
government sector there was a 125 percent increase year over year with
new program launches including the European Commission and the Ministry
of Defense Singapore, joining the U.S. Department of Defense on
HackerOne. Proposed legislation such as the Hack the Department of Homeland
Security Act, Hack Your State Department Act, Prevent Election Voting
Act, and the Department of Justice Vulnerability Disclosure Framework
further demonstrates public sector support for hacker-powered security.
Industries beyond technology continued to increase their share of the overall
hacker-powered security market. Consumer Goods, Financial Services &
Insurance, Government, and Telecommunications account for 43 percent of
today’s bug bounty programs. Automotive programs increased 50 percent in the
past year and Telecommunications programs increased 71 percent.
Enterprises across industries saw a 54 percent increase in year over
year VDP adoption. Still, leading organizations remain vastly
underprepared for effective discovery, communication, remediation, and
disclosure of vulnerabilities as 93% of the 2017 Forbes Global 2000 list
do not have a policy to receive, respond, and resolve critical bug
reports submitted by third parties.
world is embracing the highly skilled and creative hacker community to
help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A model
once reserved for the largest, tech-advanced companies in the world, is
now being implemented by organizations of any size, industry and
connected corner of the globe. Hacker-powered security is reaching
critical mass, and everyone is benefitting from a more secure internet.”
The 2018 Hacker-Powered Security Report examines data collected from
over 1,000 bug bounty and vulnerability disclosure programs around the
world. The report includes analysis of nearly 72,000 resolved
vulnerabilities, plus insight from HackerOne’s community of over 200,000
registered hackers. HackerOne also analyzed VDP data from the Forbes
Global 2000 to better understand hacker-powered security adoption.