Pierluigi Paganini October 30, 2023

HackerOne announced that it has awarded over $300 million bug hunters as part of its bug bounty programs since the launch of its platform.

HackerOne announced that it has surpassed $300 million in total all-time rewards on the HackerOne platform. Thirty white hat hackers have earned more than one million dollars submitting vulnerabilities through the platform, with one hacker surpassing four million dollars in total earnings.

Most of bug hunters (61%) are experimenting Generative AI (GenAI) and believe it is essential to develop a new generation of hacking tools that can help them find more vulnerabilities.

62% of hackers plan to train their AI to specialize in the OWASP Top 10 for Large Language Models.

HackerOne customers praised the results of the bug bounty programs, 70% of them stated that the bug bounty programs helped them to increase their cyber security and avoid a significant cyber incident.

Most HackerOne customers (57%) believe that exploited vulnerabilities are the greatest threat to their organizations.

One of the most interesting aspects that emerged from the 2023 Hacker-Powered Security Report is the improvement of the patch management process, customers are getting faster at fixing vulnerabilities. The average platform-wide remediation time dropped 10 days in 2023.

“Organizations are under pressure to adopt GenAI to stay ahead of competitors, which, in turn, is transforming the threat landscape. If you want to remain proactive about new threats, you need to learn from the experts in the trenches: hackers,” said Chris Evans, HackerOne CISO and Chief Hacking Officer. “The Hacker-Powered Security Report makes clear that hackers are actively growing their skillsets to meet emerging threats. The versatility of hackers and the impact of the vulnerabilities they surface make them instrumental to how our customers anticipate and address risk.”

Crypto and blockchain organizations continue to offer the highest average overall payouts for vulnerabilities in their platforms, this year’s top reward was $100,050.

The median price of a vulnerability reported through the HackerOne platform is $500, up from $400 in 2022. The company reported that the automotive industry has seen the largest increase in bounties.

The average bounty for all industries is $3,700 and goes up to $12,000 in the 90th percentile.

The report states that discovering vulnerabilities before a product has shipped can help to drastically reduce mitigation costs and economic impact on organizations.

Below is the analysis of vulnerability type by industry:

How do the company customers measure the ROI of the HackerOne security program?
The majority of the organizations (71%) measure the absence of incidents or breaches, and many (59%) combine this with the estimated savings of reputational or customer-related incidents.
71% Absence of incidents or breaches, 59% Estimated savings of reputational or customer-related impacts as a result of a security program. 54% Financial savings estimated from avoiding risk, 51% Risk assessment (internal or external), 32% Agility and speed of security teams’ responsiveness, and 7% Discount on cyber insurance.

Additional info is available in the report published by the company.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)