HackerOne Paid Out Over $107 Million in Bug Bounties

Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.

Based in San Francisco, the company started paying hackers in October 2013, and has received reports for over 181,000 valid vulnerabilities to date. Last year alone, the platform says 37,259 vulnerability reports were resolved.

HackerOne says it currently has more than 830,000 registered vulnerability hunters from 226 countries and territories, and that nine of them have earned more than $1 million on the platform.

Signups went up 59% as a result of the global coronavirus crisis, while the number of submitted bug reports went up 28%. In the months immediately following the start of the COVID-19 pandemic, organizations paid 29% more bounties, with the total paid in bounties going up 87% compared to last year.

The company also says that, while the average amount paid for resolved reports was $1,201 over the past 12 months, the average bounty payout for critical vulnerabilities went up 8% compared to last year, to reach $3,650.

Spain, HackerOne notes, saw a 4,324% increase in paid bounty awards, followed by Brazil with 1,843%, and China at 1,429% (these three countries paid a combined total of $380,000 in bug bounties).

However, the United States remains at the top when it comes to the paid amounts, accounting for more than 87% of the total ($39.1 million). Russia was second with $887,000, followed by the United Kingdom with $559,000, Singapore at $506,000, and Canada at $497,000.

One hundred countries registered an increase in year-over-year hacker earnings, with China (582% growth), Spain (up 307%), France (297%), and Turkey (214%) taking the lead.

“North America remains the largest region, with 69% of all programs, but it’s being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%—nearly doubling in total number of programs in that region,” HackerOne’s latest annual Hacker-Powered Security Report reads.

According to the bug hunting platform, 40% of the hackers that were surveyed for the report said that hacking is their primary occupation, while 53% revealed that more than half of their total yearly earnings come from hacking.

HackerOne also reports an increase in government bug bounty programs, following the launch of the first such program by the U.S. Department of Defense’s (DoD) Defense Digital Service (DDS) in 2016. Such programs are now running in the European Union, the U.K., and Singapore.

The platform encourages all organizations to implement a Vulnerability Disclosure Policy (VDP) to ensure they can receive information on security flaws and improve their overall security posture.

“VDPs are often referred to as the ‘see something, say something’ of the internet. When a skillful eye spots a potential risk, you want to make it as easy and straightforward as possible for them to make you aware. Without it, those vulnerabilities remain unknown, unfixed, and potentially unleashed to people outside your organization, exposing your business and your brand to unnecessary risk or disastrous consequences,” HackerOne notes.

Related: HackerOne Says Bug Bounty Hunters Earned $100 Million Through Its Platform

Related: Sony Launches PlayStation Bug Bounty Program on HackerOne

Related: Verizon, PayPal, Uber Paid Out Most Through Bug Bounty Programs on HackerOne

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
