Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

HackerOne Surpasses $230 Million in Paid Bug Bounties

Bug bounty platform HackerOne says ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022.

The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception.

Bug bounty platform HackerOne says ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022.

The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception.

To date, 22 hackers submitting vulnerability reports through HackerOne have earned over $1 million in bounties, up from 12 in 2021.

“Reports for vulnerability types typically introduced by digital transformation have seen the most significant growth with misconfigurations growing by 150% and improper authorization by 45%,” HackerOne notes in its latest annual report.

HackerOne reports that the overall time to remediation has increased from 35 to 37 days. Aviation and aerospace companies were the slowest to patch, with a median time to remediate of 148.3 days, followed by medical technology organizations, at 73.9 days. Cryptocurrency and blockchain firms were the fastest, with 11.6 days to remediate.

“A limited scope puts off 50% of hackers, but slow response time and poor communication are the issues that are most likely to prevent a hacker reporting a vulnerability,” the report shows.

According to HackerOne, organizations need to implement effective vulnerability reporting means, as 50% of hackers chose not to disclose the identified security issues because the impacted entities did not have a vulnerability disclosure program. Others (12%) were deterred by threatening legal language.

Cross-site scripting (XSS) vulnerabilities earned ethical hackers the largest amount of money in 2022, followed by improper access control bugs and information disclosure flaws. Insecure direct object reference (IDOR) and improper authorization rounded up the top five.

The report also shows that 95% of the hackers focus on identifying vulnerabilities in websites, while 24% of them focus on cloud platforms.

HackerOne says it has observed an overall 45% increase in program adoption, with organizations in the pharmaceutical sector registering the highest increase, at 700%. The automotive, telecommunications, and cryptocurrency and blockchain industries also registered high program adoption, at 400%, 156%, and 143% growth, respectively.

Related: HackerOne Bags $49 Million in Series E Funding

Related: Apple Paid Out $20 Million via Bug Bounty Program

Related: Google Boosts Bug Bounty Rewards for Linux Kernel Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.