Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.
Based in San Francisco, the company started paying hackers in October 2013, and has received reports for over 181,000 valid vulnerabilities to date. Last year alone, the platform says 37,259 vulnerability reports were resolved.
HackerOne says it currently has more than 830,000 registered vulnerability hunters from 226 countries and territories, and that nine of them have earned more than $1 million on the platform.
Signups went up 59% as a result of the global coronavirus crisis, while the number of submitted bug reports went up 28%. In the months immediately following the start of the COVID-19 pandemic, organizations paid 29% more bounties, with the total paid in bounties going up 87% compared to last year.
The company also says that, while the average amount paid for resolved reports was $1,201 over the past 12 months, the average bounty payout for critical vulnerabilities went up 8% compared to last year, to reach $3,650.
Spain, HackerOne notes, saw a 4,324% increase in paid bounty awards, followed by Brazil with 1,843%, and China at 1,429% (these three countries paid a combined total of $380,000 in bug bounties).
However, the United States remains at the top when it comes to the paid amounts, accounting for more than 87% of the total ($39.1 million). Russia was second with $887,000, followed by the United Kingdom with $559,000, Singapore at $506,000, and Canada at $497,000.
One hundred countries registered an increase in year-over-year hacker earnings, with China (a 582% growth), Spain (up 307%), France (297%), and Turkey (214%) taking the lead.
“North America remains the largest region, with 69% of all programs, but it’s being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%—nearly doubling in total number of programs in that region,” HackerOne’s latest annual Hacker-Powered Security Report reads.
According to the bug hunting platform, 40% of the hackers that were surveyed for the report said that hacking is their primary occupation, while 53% revealed that more than half of their total yearly earnings come from hacking.
HackerOne also reports an increase in government bug bounty programs, following the launch of the first such program by the U.S. Department of Defense’s (DoD) Defense Digital Service (DDS) in 2016. Such programs are now running in the European Union, the U.K., and Singapore.
The platform encourages all organizations to implement a Vulnerability Disclosure Policy (VDP) to ensure they can receive information on security flaws and improve their overall security posture.
“VDPs are often referred to as the ‘see something, say something’ of the internet. When a skillful eye spots a potential risk, you want to make it as easy and straightforward as possible for them to make you aware. Without it, those vulnerabilities remain unknown, unfixed, and potentially unleashed to people outside your organization, exposing your business and your brand to unnecessary risk or disastrous consequences,” HackerOne notes.
