A bug bounty platform has revealed that bug hunters made some big money last year, taking home over $11 million. In its 2018 Hacker-Powered Security Report, HackerOne reveals that white hat hackers helped organizations fix some 27,000 security exploits, with the average bounty increasing to $2,000 up from $1,923, with some organizations offering as much as $250,000.
The average award for a critical vulnerability? It increased 33% to $20,000 for the top awarding programs. HackerOne reports that 116 unique critical vulnerabilities made their hunters over $10,000 each in the past year.
"Over $31M has been awarded to hackers as of June 2018 with $11.7M awarded in 2017 alone"
"The US Department of Defense has received over 5,000 reports since the launch of their vulnerability disclosure policy and conducted another three time-bound bug bounty challenges in the same model as 'Hack The Pentagon'," the report reveals. "The Singapore Ministry of Defense and the EU Commission also launched public programs."
This latest report also indicates a huge uptick in private, non-tech firms launching their own vulnerability disclosure policies to attract white hat hackers help them before security bugs are exploited for data breaches or other cyberattacks.
"Goldman Sachs, Toyota, and American Express were a few of the enterprises to launch a VDP in 2018," the report suggests. "Overall, HackerOne saw a 54% year-over-year increase in new Enterprise VDP program launches, however, the adoption of the Forbes 2000 only marginally improved."
Today, 93% of the Forbes 2000 still do NOT have a public-facing VDP [vulnerability disclosure policies].
The numbers also reveal interesting findings about what countries are paying the most bounties. It's the US, of course, considering the power of the Silicon Valley. However, Latin America is experiencing a 143% yoy increase in bug bounty programs.
Tech firms continue to lead these bug bounty programs. 63% of all public bug bounty programs are headed by the technology sector, followed by finance at 9% and entertainment at 9%. Bug bounty programs in sectors like Consumer Goods, Healthcare and Telecommunications industries are 100% private with private bug bounty programs making up "79% of all bug bounty programs on HackerOne."
The winner? A hacker who took home $75,000 paid by a technology firm for three vulnerabilities that could have been chained for remote code execution (RCE) without user interaction.
The report offers some interesting insights into the world of white hat hackers. If you are interested in more details and numbers, head over here [PDF].