118 Fascinating Facts from HackerOne’s Hacker-Powered Security Report 2018
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies. (If you’re one of the 1800+ companies without a VDP, click here to change that fact).
Read on for all of the facts (you can also view them in a slideshare presentation)!
GENERAL STATS
A total of 116 bug bounties over $10,000 were paid out in the past year, up 30% from the previous year.
The average bounty for critical issues rose to more than $2,000.
From HackerOne’s inception in 2012 through June 2018, organizations have awarded hackers over $31 million.
$11.7 million in bug bounties was awarded in 2017 alone.
93% of the Forbes Global 2000 list do not have a policy to receive, respond, and resolve critical bug reports submitted by the outside world.
25% of the hacker community is currently enrolled as a full-time student.
Hackers from over 100 countries have been paid for their research through HackerOne programs.
Top earning hackers made 2.7x the median salary of a software engineer in their home country.
The U.S. Department of Defense has received over 5,000 reports since the launch of their vulnerability disclosure policy.
In 2018 to date, HackerOne maintains a platform-wide signal of 80%, greatly reducing the human resources required to run a hacker-powered program.
Goldman Sachs, Toyota, and American Express were a few of the enterprises to launch a VDP in 2018.
HackerOne saw a 54% year-over-year increase in new enterprise VDP program launches.
78,275 total reports were submitted in 2017 on HackerOne.
GEOGRAPHY
Latin America saw the biggest regional increase in hacker-powered security programs, rising by 143% year over year.
North America and the Asia Pacific region each saw hacker-powered security programs increase by 37%.
Europe, the Middle East, and Africa saw a combined 26% increase in the past year.
Organizations located in the U.S. pay 83% of all bounties to hackers around the globe, keeping the U.S. the leading bounty-paying country.
Canada-based organizations remain in the second spot for 2017, with $1.5 million in bounties paid.
Organizations in the U.K. rose from sixth place in 2016 to third place this year for total value of bounties paid.
18 countries have hackers earning a combined $500,000 or more.
44 countries have hackers earning a combined $100,000 or more.
Hackers in the U.S. earned 17% of all bounties awarded.
Hackers in India were in second place, earning 13% of all bounties awarded.
Hackers in Germany are on a roll, earning 157% more in 2017 versus 2016.
PUBLIC VS PRIVATE BUG BOUNTY PROGRAMS
On average, public programs engage 3.5 times the number of hackers reporting valid vulnerabilities than private programs.
Private bug bounty programs currently make up 79% of all bug bounty programs on HackerOne, down from 88% in 2017 and 92% in 2016 calendar years.
The majority of public bug bounty programs, 63%, are run by Technology organizations.
Financial Services & Banking and Media & Entertainment were tied for second as the industries with the most public bug bounty programs at 9%.
Public programs made up about 19% of HackerOne bug bounty launches in the past 12 months, about double compared to the year before.
INDUSTRY ADOPTION
For the fourth year in a row, industries beyond Technology increased their share of the overall bug bounty market.
Government and Telecommunications account for 43% of today’s bug bounty programs.
In the government sector there was a 125% increase year over year globally, with new program launches including the European Commission and the Ministry of Defense Singapore.
Automotive bug bounty programs increased 50% in the past year.
In the past year, Technology organizations launched 58% of all new hacker-powered security programs.
Healthcare launched the second-most share of new hacker-powered security programs at 10%.
Telecommunications bug bounty programs increased by 71% in the past year.
Seven of the top 50 automotive vehicle manufacturers globally have a way for external researchers to report vulnerabilities.
INDUSTRY VULNERABILITIES
More than 72,000 vulnerabilities have been resolved on HackerOne as of May 2018.
More than 27,000 vulnerabilities, one-third of the overall total, were resolved in just the past year alone.
Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability reported across all industries, with the exception of Healthcare and Technology.
For Healthcare and Technology, the top reported vulnerability type, with nearly 8,000 reports in the past year, was Information Disclosure (CWE-200).
For 2017 the total number of critical vulnerabilities reported increased by 26%.
The share of the most impactful bugs—critical and high combined—increased from 22% in 2016 to 24% in 2017.
XSS vulnerabilities represented 59% of the top 15 vulnerabilities reported to Transportation organizations.
XSS vulnerabilities represented 37% of the top 15 vulnerabilities reported to Travel & Hospitality organizations.
Government organizations saw the most cryptographic issues, at 18% of their total reported vulnerabilities, six times more than the second-place industry, Telecom, which saw just 3% of reports in that category.
There were 38 times more “insecure storage” vulnerabilities reported in 2017 compared to 2016 on HackerOne.
INDUSTRY RESPONSIVENESS
The fastest industry with respect to average resolution times is Consumer Goods at 14 days.
Financial Services & Insurance has the second-best resolution times at 19 days.
Government is the slowest at resolutions, with average resolution times of 68 days.
However, Government is the second-fastest at average days to bounty payment at just 18 days.
Healthcare is the overall fastest industry at paying hackers, with an average days to bounty payment at 15 days.
Government, Transportation, Technology, Retail & Ecommerce, Media & Entertainment, Healthcare, and Financial Services & Insurance all have average days to bounty payments less than their average days to resolution.
Telecom, Professional Services, Travel & Hospitality, and Consumer Goods all have average days to bounty payments more than their average days to resolution.
BOUNTY TRENDS
About 60% of organizations on the platform pay an average of $1,500 for critical vulnerabilities, a 50% ($500) increase from 2016.
The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform rose to $2,041 in 2017. That’s a 6% year over year increase over the 2016 average of $1,923.
Of all categorized vulnerabilities, 6% were critical, 18% were high, 39% were medium, 23% were low, and 13% did not register on the severity scale.
Government has the highest average bounty payout for critical vulnerabilities at $3,892.
Technology has the second-highest average bounty payout for critical vulnerabilities at $3,635.
Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities at $668.
Only Consumer Goods and Travel & Hospitality organizations average critical vulnerability bounty values below $1,000.
Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% of reward competitiveness, a 33% or $5,000 increase from last year’s average bounties paid for critical vulnerabilities.
Bounty programs on the HackerOne platform that reward an average of $10,000 for high vulnerabilities are in the top 1% of reward competitiveness.
Intel and Microsoft offer top bounties of up to $250,000.
Google and Apple offer top bounties of up to $200,000.
The highest bounty paid on HackerOne in 2017 was $75,000, paid by a Technology company.
Media & Entertainment organizations pay the lowest top bounty awards, with their top award being just $1,767 in 2017.
In just the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounty awards of $20,000 or more.
Technology organizations paid the most bounties in 2017 at more than $20.2 million.
Media & Entertainment paid the second-most in bounties in 2017 at just over $2 million, more than 90% less than Technology organizations.
Consumer Goods was the industry paying the least amount of bounties in 2017 with just under $200,000 awarded.
Technology organizations paid 55% of the total value of all bounties paid in the past year.
SIGNAL-TO-NOISE
Do-it-yourself bug bounty programs that don’t benefit from noise-reducing platform features can experience signal-to-noise ratios as low as 4%.
HackerOne consistently maintains 80% Signal platform wide.
Managed programs on HackerOne consistently garner a Clear Signal of 40%, while unmanaged programs achieve just 33% in Clear Signal.
VULNERABILITY DISCLOSURE POLICIES
Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
61% of startups valued at over $1 billion have a VDP.
47% of Technology companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure.
24% of Telecommunications companies have a known vulnerability disclosure program.
5% of Transportation companies have vulnerability disclosure policies.
20% of conglomerates have vulnerability disclosure or bug bounty programs, up from 14% in 2017.
4% of Financial Services companies have vulnerability disclosure policies.
HACKERS
HackerOne’s community of white-hat hackers is more than 200,000 strong.
Over 90% of hackers are under the age of 35.
Nearly identical fractions of hackers are under 13 years old (0.4%) and over 50 years old (0.5%).
44% of hackers are IT professionals.
The number one reason hackers hack is their motivation to learn tips and techniques.
Money fell from first in 2016 to fourth on the list of reasons hackers hack.
10% of hackers do it “to do good in the world”.
Nearly 58% of hackers are self-taught.
Less than 5% of hackers learned their hacking skills in a classroom.
50% of hackers studied computer science at an undergraduate or graduate level.
26% of hackers studied computer science in high school or before.
44% of hackers are just dabbling, spending 10 hours or less per week hacking.
20% of hackers are full-time, spending 30 hours or more per week hacking.
Top-performing hackers living in India make 16 times the median salary of a local software engineer.
Top-performing hackers living in the U.S. make 2.5 times the median salary of a local software engineer.
Top-performing hackers living in Egypt make 8.1 times the median salary of a local software engineer.
Top-performing hackers across a global sample of 40 countries make an average of 2.7 times the median salary of a local software engineer.
At a HackerOne live hacking event, Oath paid hackers more than $400,000 in just a single day.
HISTORY
Hunter & Ready, Inc. announced a “bug” bounty program for their products in 1983.
Netscape launched the first “modern-day” bug bounty program in 1995.
Mozilla Foundation started offering bug bounties up to $500 for critical vulnerabilities in 2004.
The first PWN2OWN contest kicked off in 2007.
Google announced a bug bounty program for web applications in 2010.
Facebook announced their bug bounty program in 2011.
Microsoft and Facebook sponsored the creation of Internet Bug Bounty (IBB) in 2013.
Hack the Pentagon, the U.S. Department of Defense’s pilot bug bounty program, launched on HackerOne’s platform in April 2016.
The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016.
HackerOne kicked off its first live hacking event in Las Vegas, H1-702, paying out over $150,000 in bounties in just 3 days in August 2016.
The U.S. Department of Defense kicked off the first government VDP in November 2016.
The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016.
The Hack the DHS bill passed the U.S. Senate in May 2017.
The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017.
U.S. Deputy Attorney General Rod J. Rosenstein recommended all companies consider promulgating a vulnerability disclosure policy in October 2017.
HackerOne and others were invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018.
U.S. House of Representatives bill H.R. 5433, the Hack Your State Department Act, was proposed by Representative Ted Lieu in April 2018.
HackerOne exceeded $30,000,000 in bounties paid out to hackers in June 2018.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.