This article is more than 1 year old

Like my new wheels? All I did was squash a bug, and they gave me $72k

Bug bounty platform reports that vuln hunters are making bank

Vuln hunters brought home the bacon last year, according to figures released today by bug bounty platform HackerOne.

The Hacker-Powered Security Report is a biannual study of vulnerability disclosure ecosystems.

It found that organisations resolved 27,000 vulnerabilities, earning ethical hackers $11.7m in 2017 alone. The average award for a critical vulnerability increased a third to $20,000 for the top-awarding programmes managed by HackerOne.

A total of 116 unique critical vulnerabilities each earned $10,000 or more. The top bounty awarded for a single report reached $75,000 in 2017.

Hackers are finding more serious vulnerabilities than ever before, with 24 per cent of resolved bugs classified as high to critical severity. False positives are becoming less common, with four in five (80 per cent) of submitted and qualified reports turning out to be valid.

Hackers in the US earned 17 per cent of all bounties awarded, with India (13 per cent), Russia (6 per cent), UK (4 per cent), and Germany (3 per cent) rounding out the top five highest-earning countries. Bug hunters in Germany are on a roll, earning 157 per cent more in 2017 compared to the year before.

Nine out of 10 hackers are 35 years old or under and more than half are self-taught. The top-earning researchers make on average 2.7 times the median salary of a software engineer in their home country. In India, that number increases to 16 times.

HackerOne does comic book cover mock ups for its top earners [pic: John Leyden at Infosec]

HackerOne does comic book cover mock-ups for its top earners

Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability across all industries, with the exception of healthcare and technology, where nearly 8,000 vulnerabilities reported were related to information disclosure.

red team

Stealing, scamming, bluffing: El Reg rides along with pen-testing 'red team hackers'


Governments are leading the way in adopting crowdsourced security testing. There was a 125 percent increase year-over-year in new programme launches, including from the European Commission and Singapore's Ministry of Defense, joining the US Department of Defense on the HackerOne roster. The DoD has received over 5,000 reports since the launch of its vulnerability disclosure policy in November 2016. Enterprise vulnerability disclosure policy adoption is also increasing, albeit slowly. Only 7 per cent of the Forbes Global 2000 have a policy in place.

The majority of public bug bounty programmes are run by technology firms (63 per cent) with the finance (9 per cent) and entertainment (9 per cent) industries making up the other two podium positions. Programmes in other sectors (including consumer goods, healthcare and telecoms) are nearly all private. Private programmes currently make up 79 per cent of all bug bounty schemes on HackerOne. ®

More about

More about

More about


Send us news

Other stories you might like