Critical bug-bounty disclosures rising, bounty-hunter payouts up

News by Bradley Barth

The average bug bounty reward for finding critical vulnerabilities increased year-over-year by six percent according to statistics compiled from HackerOne's bug disclosure platform in the year to April 2018

The average bug bounty reward for finding critical vulnerabilities increased year-over-year by six percent, from £1450 to £1540, according to statistics compiled from HackerOne's bug disclosure platform between May 2017 and April 2018. Over this same time period, a grand total of £8.8 million in bounties was awarded to participating hackers.

HackerOne revealed these numbers last week as part of its 2018 Hacker-Powered Security Report, which asserts that crowdsourced bug hunting is reaching critical mass, as companies across industry sectors become increasingly comfortable with reaching out to the hacker community for help. Additional findings gleaned from the HackerOne platform itself, as well as a recent survey of 1,700 hackers who use the platform, appear to back up this notion.

For instance, the total number of reported critical vulnerabilities increased by 26 percent since HackerOne's previous annual report (2017), while the share of the most impactful bugs (critical and high-severity flaws combined) rose from 22 percent to 24 percent year-over-year.

Payouts jumped as well since HackerOne's 2017 report, as researchers saw a 30 percent increase in the total number of critical bug discoveries earning at least £7,500 (US$ 10,000). Of these 116 cases, one report earned a whopping £57,000 for exposing three vulnerabilities that when combined could allow for remote code execution.

"The world is embracing the highly skilled and creative hacker community to help reduce cyber-risk," said Marten Mickos, CEO of HackerOne, in a press release. "A model once reserved for the largest tech-advanced companies in the world is now being implemented by organisations of any size, industry and connected corner of the globe. Hacker-powered security is reaching critical mass, and everyone is benefiting from a more secure internet."

HackerOne also found that the total share of bug bounty programmes on its platform that operate privately shrank from 88 percent in the 2017 calendar year to 79 percent during the course of the study - a sign that a growing number of companies feel confident enough to take their programmes public.

While technology companies continued to lead the way, comprising 58 percent of HackerOne's bug bounty programmes from May 2017 through April 2018, other sectors are gradually increasing their share. According to the report, consumer goods, financial services and insurance, government, and telecommunications combined to make up an additional 43 percent of vulnerability disclosure programmes. Consumer goods was the sector with the fastest average vulnerability resolution time -- 14 days.

However, HackerOne warns that many leading organisations within the various sectors remain unprepared, claiming in its report that 93 percent of the companies named to the 2017 Forbes Global 2000 list still "do not have a policy to receive, respond, and resolve critical bug reports submitted by the outside world."

Geographically, HackerOne found that organisations based in the US continue to pay the highest share of bounties to hackers worldwide -- 83 percent, while hackers in the US earned 17 percent of all the bounties awarded during the course of the study.

For the purpose of the study, the report examined a total of 78,275 vulnerability reports, collectively sent to more than 1,000 organisations via HackerOne.
