Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

HackerOne Surpasses $230 Million in Paid Bug Bounties

Bug bounty platform HackerOne says ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022.

The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception.

Bug bounty platform HackerOne says ethical hackers have identified and reported more than 65,000 software vulnerabilities in 2022.

The popular hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception.

To date, 22 hackers submitting vulnerability reports through HackerOne have earned over $1 million in bounties, up from 12 in 2021.

“Reports for vulnerability types typically introduced by digital transformation have seen the most significant growth with misconfigurations growing by 150% and improper authorization by 45%,” HackerOne notes in its latest annual report.

HackerOne reports that the overall time to remediation has increased from 35 to 37 days. Aviation and aerospace companies were the slowest to patch, with a median time to remediate of 148.3 days, followed by medical technology organizations, at 73.9 days. Cryptocurrency and blockchain firms were the fastest, with 11.6 days to remediate.

“A limited scope puts off 50% of hackers, but slow response time and poor communication are the issues that are most likely to prevent a hacker reporting a vulnerability,” the report shows.

According to HackerOne, organizations need to implement effective vulnerability reporting means, as 50% of hackers chose not to disclose the identified security issues because the impacted entities did not have a vulnerability disclosure program. Others (12%) were deterred by threatening legal language.

Cross-site scripting (XSS) vulnerabilities earned ethical hackers the largest amount of money in 2022, followed by improper access control bugs and information disclosure flaws. Insecure direct object reference (IDOR) and improper authorization rounded up the top five.

Advertisement. Scroll to continue reading.

The report also shows that 95% of the hackers focus on identifying vulnerabilities in websites, while 24% of them focus on cloud platforms.

HackerOne says it has observed an overall 45% increase in program adoption, with organizations in the pharmaceutical sector registering the highest increase, at 700%. The automotive, telecommunications, and cryptocurrency and blockchain industries also registered high program adoption, at 400%, 156%, and 143% growth, respectively.

Related: HackerOne Bags $49 Million in Series E Funding

Related: Apple Paid Out $20 Million via Bug Bounty Program

Related: Google Boosts Bug Bounty Rewards for Linux Kernel Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.