Security bug bounty programs are a nice little earner for hackers

Safe to assume the money will keep getting better

Some security-conscious organizations award hackers up to $900,000 a year, according to what's touted as the biggest bug bounty industry report to date.

The study – commissioned by HackerOne, a bug bounty and vulnerability disclosure platform provider – examined 800 hacker-powered programs and 50,000 resolved security vulnerabilities, from organizations including GitHub, General Motors, Intel, Lufthansa, Nintendo, Uber, the US Department of Defense and more.

Bounty payments are rising – the average that researchers earned for a critical vulnerability was $1,923 in 2017, up from $1,624 in 2015, an increase of 16 per cent. A third (32 per cent) of resolved vulnerabilities were classified as high- to critical-severity, and top rewards reached $30,000 for a single report. In the past year, 88 bug bounty rewards were over $10,000.

The most lucrative bug bounty programs award researchers an average of $50,000 a month, and up to around $900,000 a year.

Programs that acknowledge, validate and resolve submitted vulnerabilities receive the most attention from researchers, according to HackerOne – as would be expected.

E-commerce and retail businesses resolve security issues in four weeks, the fastest on average, the study discovered.

In the face of increased bug bounty program adoption and federal agencies' recommendations, an astounding 94 per cent of the top publicly traded companies have no vulnerability disclosure policy that's available to the public. This remains unchanged from 2015.

Findings from HackerOne's 2017 Hacker-Powered Security Report are summarized in a blog post, here. ®
