When a new bug bounty program is launched, in 77% of the cases, hackers report the first valid vulnerability within 24 hours, according to the findings of HackerOne’s 2019 Hacker-Powered Security Report.
The report is the largest study of bug bounty, vulnerability disclosure, and hacker-powered pentest programs. The report examines trends from 120,000+ security vulnerabilities resolved for 1,400+ customers, earning hackers over US$62 million in bounties.
The report reveals that 25% of valid vulnerabilities found are classified as being of high or critical severity. Every five minutes, a hacker reports a vulnerability through a bug bounty or vulnerability disclosure program. Every 60 seconds, a hacker partners with an organization on HackerOne. That’s more than 1,000 interactions per day with hackers and companies or governments working towards a safer internet. That is how fast security can improve when hackers are invited to contribute.
“Hacking is here for good, for the good of all of us,” said HackerOne CEO Marten Mickos. “Half a million hackers have willingly signed up with HackerOne to help solve one of the greatest challenges our society faces today. We cannot prevent data breaches, reduce cybercrime, protect privacy or restore trust in society without pooling our defenses and asking for external help.”
The study also found that the average bounty paid for critical vulnerabilities increased to US$3,384 in the past year. That is a 48% increase over last year’s average of US$2,281 and a 71% increase over the 2016 average of US$1,977. Bounty values for less severe vulnerabilities are also rising, with the average platform-wide bounty increasing 65%.
Governments had the strongest year over year industry growth at 214%, and last year saw the first launch of programs at the municipal level. Strong program adoption took place in Automotive (113%), Telecommunications (91%), Consumer Goods (64%), and Cryptocurrency & Blockchain (64%) industries.
The majority of bug bounty programs remain private (79%), with little change from prior years. Public bug bounty programs engage six times as many hackers.
Today six out of 10 of the top banks in North America are running hacker-powered security programs on HackerOne. Financial services organizations running hacker-powered security programs increased by 41% this year.
Six hackers surpassed US$1 million in lifetime earnings, seven more hit US$500,000 in lifetime earnings, and more than 50 earned US$100,000 or more in the past year alone. Skilled and dedicated hackers have the potential to build a career and make a competitive living with the opportunities offered by hacker-powered security.
Globalization of hacker-powered security continues to increase. Several new countries entered the top 10 highest-paying countries, hackers living in 19 countries earned more than US$100,000 in total last year, and more organizations in more countries are hosting live hacking events. Hackers from 84% of all the countries in the world have submitted vulnerability reports.
Hacker-powered pentests are on the rise as organizations use hackers to bring simulations of real-world attacks to security testing. In a recent report, one organization detailed how hacker-powered pentests helped it eliminate US$156,784 in total costs and save an additional US$384,793 over three years by reducing internal security and application development efforts.
“Hackers are no longer anonymous guns-for-hire,” the report explains. “They are being embraced by everyone from the insurance industry to government agencies. Today, hacker-powered security is a given part of a mature and proactive security program. It’s not hard to see why. Businesses process more sensitive data and more personal information than ever before. Working with hackers allows you to provide security at the speed of innovation.”