Security Experts:

Verizon, PayPal, Uber Paid Out Most Through Bug Bounty Programs on HackerOne

HackerOne on Monday released a list of the companies that have paid out the most money through their bug bounty programs.

The top 10 bug bounty programs on HackerOne are run by Verizon Media, PayPal, Uber, Intel, Twitter, GitLab,, GitHub, Valve and Airbnb. This is based on how much they paid out since the launch of their program until April 2020, excluding awards from live hacking events.

According to HackerOne, Verizon has paid out more than $9.4 million since the launch of its program in February 2014, with a top bounty of $70,000 and an average first response time of 8 hours. It’s worth noting that Verizon was also at the top of the list last year, but by April 2019 it had only awarded roughly $1.8 million.

PayPal, which last year occupied the third position, was second this year, with a total of nearly $2.8 million paid out between August 2018 and April 2020. The payments giant had an average first response time of 4 hours and its highest bounty was $30,000.

Uber dropped from second to third place, with over $2.4 million paid out since December 2014 and a top bounty of $50,000. Next in line is Intel, with nearly $1.9 million paid out since March 2017.

Twitter was in fifth place with nearly $1.3 million awarded since May 2014. The social media giant had an average response time of 12 hours and its average time to bounty was 8 days, with a maximum bounty of just over $20,000.

GitLab paid out a total of $1.2 million, followed by with $1.1 million. Both companies launched their programs in 2014 and both awarded a top bounty of $20,000, but GitLab has the best response time in the top 10, at one hour.

GitHub, Valve and Airbnb were all getting close to $1 million total bounties paid out by April 2020.

“These 10 organizations are helping to spell out the truth: hackers still have all the advantage today,” said Alex Rice, CTO and co-founder of HackerOne. “With software development cycles becoming increasingly continuous, security teams are left playing catch up. To accommodate this fast-paced method, companies are in desperate need of a security strategy that will grow and adapt at the pace of innovation. These organizations are meeting criminals on the battlefield with hackers devoted to doing good, finding vulnerabilities in real time before they can be exploited.”

HackerOne reported recently that bug bounty hunters earned more than $100 million through its bug bounty platform since October 2013.

Related: Tencent Partners With HackerOne for Bug Bounty Program

Related: Sony Launches PlayStation Bug Bounty Program on HackerOne

Related: Hacker Earns $8,500 for Vulnerability in HackerOne Platform

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.