HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform’s inception.
Thirty hackers have earned over a million USD for their submissions, and one has broken the record, receiving over $4 million for his bug reports.
Founded over a decade ago, HackerOne is a bug bounty platform that connects organizations with a community of ethical hackers who identify and report vulnerabilities and weaknesses in software in exchange for a reward.
Essentially, it is a bug bounty hosting and disclosure coordination platform allowing companies to manage reports and resolve identified issues promptly while guaranteeing payouts to reporters.
This year, it took an average of 25.5 days for organizations to finalize the remediation of reported bugs, a 28% improvement over last year.
How much for a bug?
HackerOne released its ‘2023 Hacker-Power Security Report‘, sharing insights on this year’s trends.
The company highlighted that crypto and blockchain entities continue to enjoy the most attention from ethical hackers, fueled by the promise of the highest payouts. This year, the largest bounty paid was $100,050 from a crypto firm.
The median price of a bug on the platform is $500 this year and reaches $3,000 in the 90th percentile (highest 10%).
For critical and high-severity flaws, the average payout is $3,700 across all industries and goes up to $12,000 in the 90th percentile.
HackerOne says traditional bug hunting isn’t the only activity on the platform, as pen-testing engagements rose by 54% this year.
AI is both a help and a target
Over half of the ethical hackers participating in HackerOne programs report using generative AI in some way, including writing better reports, writing code, and reducing language barriers.
61% of them report planning to use generative AI to find more vulnerabilities, and 55% report expecting AI tools themselves to become a significant target in the coming years.
The bounty hunters are split in predicting whether AI will lead to safer software products or an increase in vulnerabilities.
Other opinions recorded in the report include motivation and discouraging factors, with bounties playing the biggest (73%) role in participating, followed by an abundance of flaws (50%), opportunity to learn (45%), varied scope (46%), and quick payments (42%).
On the other hand, things that drive hackers away from a program include slow response times (60%), limited scope (58%), poor communication (55%), low bounties (48%), and negative reviews (44%).
For those interested in getting involved in HackerOne’s bug bounty program, you can browse the directory of companies to learn what is in scope for finding bugs.