Connect with us

Hi, what are you looking for?


Management & Strategy

HackerOne Bug Bounty Programs Paid Out $11 Million in 2017

White hat hackers who responsibly disclosed vulnerabilities through bug bounty programs hosted by HackerOne earned more than $11 million last year, according to the company’s 2018 Hacker-Powered Security Report.

White hat hackers who responsibly disclosed vulnerabilities through bug bounty programs hosted by HackerOne earned more than $11 million last year, according to the company’s 2018 Hacker-Powered Security Report.

HackerOne hosts roughly 1,000 programs that over the past years have received over 72,000 vulnerability reports from researchers in more than 100 countries. The bounties paid out since the launch of the company until June 2018 reached over $31 million.

Of the total, more than $25 million was paid out by organizations in the United States, which was also the country where the highest percentage of money went to ($5.3 million).

According to the company, 116 of the bug reports submitted last year resulted in payouts that exceeded $10,000, and the average amount paid out by companies for critical issues has increased to over $2,000, with organizations such as Microsoft and Intel offering as much as $250,000.

Average bug bounty payout per industry

An increasing number of companies have launched public bug bounty programs, but still nearly 80% of programs were private last year. The majority of public programs are launched by organizations in the tech sector, which accounts for 63%.

The government sector recorded the biggest increase in new program launches, with the European Commission, and Singapore’s Ministry of Defense announcing initiatives. The U.S. government has also continued to run programs, including Hack the Air Force and Hack the Army.

Roughly 27,000 valid vulnerabilities were reported last year and cross-site scripting (XSS) remained the most common type of flaw, followed by information disclosure bugs.

Advertisement. Scroll to continue reading.

When it comes to the time it takes organizations to patch security holes, the consumer goods industry was the fastest, with an average of 14 days. At the other end of the chart we have the government sector, which patched vulnerabilities, on average, in 68 days.

The highest bug bounty paid out last year was $75,000. A technology firm awarded the sum for three vulnerabilities that could have been chained for remote code execution without user interaction. Successful exploitation could have allowed an attacker to access credit card information, hijack user and employee accounts, access infrastructure code, or deploy mass ransomware campaigns.

The complete 2018 Hacker-Powered Security Report is available from HackerOne in PDF format.

Related: Intel Pays $100,000 Bounty for New Spectre Variants

Related: Facebook to Offer ‘Bounty’ for Reporting Data Abuse

Related: Oath Pays $400,000 in Bug Bounties in One Day

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.