Some security-conscious organizations award hackers up to $900,000 a year, according to what's touted as the biggest bug bounty industry report to date.
The study – commissioned by HackerOne, a bug bounty and vulnerability disclosure platform provider – examined 800 hacker-powered programs and 50,000 resolved security vulnerabilities, from organizations including GitHub, General Motors, Intel, Lufthansa, Nintendo, Uber, the US Department of Defense and more.
Bounty payments are rising – the average that researchers earned for a critical vulnerability was $1,923 in 2017; it was $1,624 in 2015 – an increase of 16 percent. A third (32 per cent) of resolved vulnerabilities were classified as high- to critical-severity, and top rewards reached $30,000 for a single report. In the past year, 88 bug bounty rewards were over $10,000.
The most lucrative bug bounty programs award researchers an average of $50,000 a month, and up to around $900,000 a year.
Programs that acknowledge, validate and resolve submitted vulnerabilities receive the most attention from researchers, according to HackerOne – as would be expected.
E-commerce and retail businesses resolve security issues in four weeks, the fastest on average, the study discovered.
In the face of increased bug bounty program adoption and federal agencies' recommendations, an astounding 94 per cent of the top publicly traded companies have no vulnerability disclosure policy that's available to the public. This remains unchanged from 2015.
Findings from HackerOne's 2017 The Hacker-Powered Security Report are summarized in a blog post, here. ®