ThreatList: Bug Bounty Payouts Increase Six Percent for Critical Vulnerabilities

HackerOne’s 2018 Hacker-Powered Security Report showed that the average award for critical vulnerabilities has increased.

The average payout for critical vulnerabilities is up six percent over the prior year and now stands at $2,041.

The numbers are from HackerOne’s 2018 Hacker-Powered Security Report, published Wednesday. The study looked at data derived from the HackerOne community between May 2017 and April 2018. In the report the company also revealed that a total of 116 bug reports filed across all sectors of its program last year were worth over $10,000 each – a 30 percent jump from 2016. HackerOne said bounty programs run by government agencies had the largest average bounty payout for critical vulnerabilities at $3,492. The travel and hospitality sectors paid out the least for a critical vulnerability, at $668.

Medium severity vulnerabilities are still the most commonly reported as part of bug bounty programs, with 39 percent of all reported bugs in 2018 being medium (only 6 percent were rated critical).

Here are some other big takeaways from the report:

  • Hackers globally have taken home $31 million from bug bounty payouts overall. According to HackerOne, the top earning hackers made almost three times the median salary of a software engineer in their home country – with some making up to 16 times.
  • Governments are leading the way with adoption globally after the Hack the Pentagon program was first launched in 2016, said HackerOne. The U.S. Department of Defense has received over 5,000 reports since the launch of their vulnerability disclosure policy. The government has also launched three more bug bounty challenges in the same model as Hack The Pentagon – including the Hack the DTS challenge launched in April. Beyond the U.S., HackerOne said that the Singapore Ministry of Defense and the EU Commission also launched public programs.
  • Valid reports hit an all-time high as program signal becomes a primary program performance metric. The fear of program noise (i.e., informative or duplicate submissions) is a relic of the past across hacker-powered programs. With a platform-wide signal of 80%, the human resources required to run a hacker-powered program were greatly reduced in 2018.
  • Adoption of vulnerability disclosure policies (VDPs) is increasing at enterprises, said HackerOne – overall, there has been a 54 percent annual increase in new enterprise VDP program launches. That includes organizations like Goldman Sachs, Toyota, and American Express, which launched VDPs in 2018. HackerOne said that companies still have a ways to go, however: “The adoption of the Forbes 2000 only marginally improved,” said the company’s report. “Today, 93% of the Forbes 2000 still do NOT have a public-facing VDP.”