HackerOne Surpasses $230 Million in Paid Bug Bounties

Bug bounty platform HackerOne says ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022.

The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception.

To date, 22 hackers submitting vulnerability reports through HackerOne have earned over $1 million in bounties, up from 12 in 2021.

“Reports for vulnerability types typically introduced by digital transformation have seen the most significant growth with misconfigurations growing by 150% and improper authorization by 45%,” HackerOne notes in its latest annual report.

HackerOne reports that the overall time to remediation has increased from 35 to 37 days. Aviation and aerospace companies were the slowest to patch, with a median time to remediate of 148.3 days, followed by medical technology organizations, at 73.9 days. Cryptocurrency and blockchain firms were the fastest, with 11.6 days to remediate.

“A limited scope puts off 50% of hackers, but slow response time and poor communication are the issues that are most likely to prevent a hacker reporting a vulnerability,” the report shows.

According to HackerOne, organizations need to implement effective vulnerability reporting means, as 50% of hackers chose not to disclose the identified security issues because the impacted entities did not have a vulnerability disclosure program. Others (12%) were deterred by threatening legal language.

Cross-site scripting (XSS) vulnerabilities earned ethical hackers the largest amount of money in 2022, followed by improper access control bugs and information disclosure flaws. Insecure direct object reference (IDOR) and improper authorization rounded up the top five.

The report also shows that 95% of the hackers focus on identifying vulnerabilities in websites, while 24% of them focus on cloud platforms.

HackerOne says it has observed an overall 45% increase in program adoption, with organizations in the pharmaceutical sector registering the highest increase, at 700%. The automotive, telecommunications, and cryptocurrency and blockchain industries also registered high program adoption, at 400%, 156%, and 143% growth, respectively.

Related: HackerOne Bags $49 Million in Series E Funding

Related: Apple Paid Out $20 Million via Bug Bounty Program

Related: Google Boosts Bug Bounty Rewards for Linux Kernel Vulnerabilities