Hacker-powered security programmes are rapidly becoming a global phenomenon, and as a result the business of bug bounties has become immensely lucrative. Experts predict that by 2022, hacker-powered security will be used by more than 50% of enterprises.
Data from HackerOne, the world’s largest bug bounty and vulnerability disclosure platform, has revealed that white-hat hackers are finding more severe vulnerabilities than ever before. As of May 2018, more than 72,000 vulnerabilities have been resolved on HackerOne, with more than one-third of those (27,000) resolved in the past year alone.
Due to the critical nature of these vulnerabilities, these ethical hackers are earning significantly higher bounties. According to HackerOne’s 2018 Hacker-Powered Security Report, the total number of high- or critical-severity vulnerabilities increased by 22% in 2017, with 24% of resolved vulnerabilities classified as high or critical severity across industries.
HackerOne’s report draws on data collected from more than 1,000 bug bounty and vulnerability disclosure programmes around the world.
Business is Booming for Ethical Hackers
Due to these increasingly positive outcomes, the average award for a critical vulnerability jumped by 33% to $20,000 among the top-awarding programmes. A total of 116 unique critical vulnerabilities earned over $10,000 each in the past year. The top bounty awarded for a single report reached $75,000 in 2017, and the most competitive programmes, such as those run by Google, Microsoft and Intel, offer bounties of up to $250,000 for critical issues.
Currently, the US pays the highest volume of bounties to hackers around the globe (83%), with Canada in second place, having paid $1.5 million. The UK has risen from sixth place in 2016 to third in 2018. According to the report, hackers in the US earned 17% of all bounties awarded, with India taking 13%, Russia 6%, and the UK and Germany 4% and 3% respectively. German hackers are enjoying an earnings boost: they earned 157% more in 2017 than in 2016.
The report also shows that the number of false positives has dramatically decreased, with 80% of submitted and qualified reports being valid. Interestingly, the report found that less than 5% of hackers learned their trade in the classroom.
Many Leading Companies Still Underprepared
Marten Mickos, CEO of HackerOne said: “The world is embracing the highly skilled and creative hacker community to help reduce cyber risk. A model once reserved for the largest, tech-advanced companies in the world is now being implemented by organisations of any size, industry and connected corner of the globe.”
This wider adoption of hacker-powered security is proof that industry and organisations are starting to recognise the real risk of cyber security vulnerabilities. However, HackerOne warned that there is still a long way to go. The report revealed that many leading organisations remain under-prepared: 93% of the companies on the 2017 Forbes Global 2000 list do not have a policy to receive, respond to and resolve critical bug reports submitted by third parties.