
HackerOne Paid Out Over $107 Million in Bug Bounties

Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.

Based in San Francisco, the company started paying hackers in October 2013, and has received reports for over 181,000 valid vulnerabilities to date. Last year alone, the platform says 37,259 vulnerability reports were resolved.

HackerOne says it currently has more than 830,000 registered vulnerability hunters from 226 countries and territories, and that nine of them have earned more than $1 million on the platform.

Signups went up 59% as a result of the global coronavirus crisis, while the number of submitted bug reports went up 28%. In the months immediately following the start of the COVID-19 pandemic, organizations paid 29% more bounties, with the total paid in bounties going up 87% compared to last year.

The company also says that, while the average amount paid for resolved reports was $1,201 over the past 12 months, the average bounty payout for critical vulnerabilities went up 8% compared to last year, to reach $3,650.

Spain, HackerOne notes, saw a 4,324% increase in paid bounty awards, followed by Brazil with 1,843%, and China at 1,429% (these three countries paid a combined total of $380,000 in bug bounties).

However, the United States remains at the top when it comes to the paid amounts, accounting for more than 87% of the total ($39.1 million). Russia was second with $887,000, followed by the United Kingdom with $559,000, Singapore at $506,000, and Canada at $497,000.

One hundred countries registered an increase in year-over-year hacker earnings, with China (a 582% growth), Spain (up 307%), France (297%), and Turkey (214%) taking the lead.

“North America remains the largest region, with 69% of all programs, but it’s being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%—nearly doubling in total number of programs in that region,” HackerOne’s latest annual Hacker-Powered Security Report reads.

According to the bug hunting platform, 40% of the hackers that were surveyed for the report said that hacking is their primary occupation, while 53% revealed that more than half of their total yearly earnings come from hacking.

HackerOne also reports an increase in government bug bounty programs, following the launch of the first such program by the U.S. Department of Defense’s (DoD) Defense Digital Service (DDS) in 2016. Such programs are now running in the European Union, the U.K., and Singapore.

The platform encourages all organizations to implement a Vulnerability Disclosure Policy (VDP) to ensure they can receive information on security flaws and improve their overall security posture.

“VDPs are often referred to as the ‘see something, say something’ of the internet. When a skillful eye spots a potential risk, you want to make it as easy and straightforward as possible for them to make you aware. Without it, those vulnerabilities remain unknown, unfixed, and potentially unleashed to people outside your organization, exposing your business and your brand to unnecessary risk or disastrous consequences,” HackerOne notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
