Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
Data from The 2018 Hacker-Powered Security Report
The Hacker-Powered Security Report examines the largest dataset of more than 1,000 hacker-powered security programs and compiles learnings from application security practitioners and the hackers who participate in bug bounty and vulnerability disclosure programs. The report also analyzed vulnerability disclosure data from the world’s 2,000 biggest publicly traded companies according to Forbes. Consider this your “cheat sheet” of the top findings. You can also download the full 46-page report, packed with key learnings, graphs, and links to other helpful resources, at
For the fourth year in a row, industries beyond Technology increased their share of the overall bug bounty market.
Government and Telecommunications account for 43% of today’s bug bounty
In the government sector there was a 125% increase year-over-year globally, with new program launches including the European Commission and the Ministry of
Automotive bug bounty programs increased 50% in the past year.
In the past year, Technology organizations launched 58% of all new hacker-powered security programs.
Healthcare launched the second-largest share of new hacker-powered security programs, at 10%.
Telecommunications bug bounty programs increased by 71% in the past year.
Seven of the top 50 automotive vehicle manufacturers globally have a way for external researchers to report
More than 72,000 vulnerabilities have been resolved on HackerOne as of May 2018.
More than 27,000 vulnerabilities, one-third of the overall total, were resolved in the past year alone.
Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability reported across all industries, with the exception of Healthcare and Technology.
For Healthcare and Technology, the top reported vulnerability type, with nearly 8,000 reports in the past year, was related to Information Disclosure
For 2017, the total number of critical vulnerabilities reported increased by 26%.
The share of the most impactful bugs, critical and high combined, increased from 22% in 2016 to 24% in 2017.
XSS vulnerabilities represented 59% of the top 15 vulnerabilities reported to Transportation
XSS vulnerabilities represented 37% of the top 15 vulnerabilities reported to Travel & Hospitality organizations.
Government organizations saw the most cryptographic issues, at 18% of their total reported vulnerabilities, which is 6 times more than the second-place industry, Telecom, which saw just 3% of that category of reports.
There were 38 times more “insecure storage” vulnerabilities reported in 2017 compared to 2016 on HackerOne.
The fastest industry with respect to average resolution times is Consumer Goods at
Financial Services & Insurance has the second-best resolution times at 19 days.
Government is the slowest at resolutions, with average resolution times of 68 days.
However, Government is the second-fastest at average days to bounty payment, at just 18 days.
Healthcare is the overall fastest industry at paying hackers, with average days to bounty payment of 15 days.
Government, Transportation, Technology, Retail & Ecommerce, Media & Entertainment, Healthcare, and Financial Services & Insurance all have average days to bounty payment less than their average days to resolution.
Telecom, Professional Services, Travel & Hospitality, and Consumer Goods all have average days to bounty payment more than their average days to resolution.
About 60% of organizations on the platform pay an average of $1,500 for critical vulnerabilities, a 50% ($500) increase from 2016.
The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform rose to $2,041 in 2017. That’s a 6% year-over-year increase over the 2016 average of
Of all categorized vulnerabilities, 6% were critical, 18% were high, 39% were medium, 23% were low, and 13% did not register on the severity scale.
Government has the highest average bounty payout for critical vulnerabilities
Technology has the second-highest average bounty payout for critical vulnerabilities, at $3,635.
Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities, at $668.
Only Consumer Goods and Travel & Hospitality organizations average critical vulnerability bounty values below $1,000.
Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% of reward competitiveness, a 33% or $5,000 increase from last year’s average bounties paid for
Bounty programs on the HackerOne platform that reward an average of $10,000 for high vulnerabilities are in the top 1% of reward competitiveness.
Intel and Microsoft offer top bounties of up to $250,000.
Google and Apple offer top bounties of up to $200,000.
The highest bounty paid on HackerOne in 2017 was $75,000, paid by a
Media & Entertainment organizations pay the lowest top bounty awards, with their top award being just $1,767 in 2017.
In just the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounties of $20,000 or more.
Technology organizations paid the most bounties of all time, at more than
Media & Entertainment paid the second-most in bounties of all time, at just over $2 million, more than 90% less than Technology organizations.
Consumer Goods was the industry paying the least in bounties of all time, with just under $200,000 awarded.
Technology organizations paid 55% of the total value of all
Hunter & Ready, Inc. announced a “bug” bounty program for their products in 1983.
Netscape launched the first “modern-day” bug bounty program in 1995.
Mozilla Foundation started offering bug bounties of up to $500 for critical vulnerabilities in 2004.
The first PWN2OWN contest kicked off in 2007.
Google announced a bug bounty program for web applications in 2010.
Facebook announced their bug bounty program in 2011.
Microsoft and Facebook sponsored the creation of the Internet Bug Bounty (IBB) in 2013.
Hack the Pentagon, run by the U.S. Department of Defense, launched on HackerOne’s platform in April 2016.
The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016.
HackerOne kicked off its first live hacking event in Las Vegas, H1-702, paying out over $150,000 in bounties in just 3 days in
The U.S. Department of Defense kicked off the first government VDP in November 2016.
The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016.
The Hack the DHS bill passed the U.S. Senate in May 2017.
The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017.
U.S. Deputy Attorney General Rod J. Rosenstein recommended that all companies consider promulgating a vulnerability disclosure policy in October 2017.
HackerOne and others were invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018.
U.S. House of Representatives bill H.R. 5433, the Hack Your State Department Act, was proposed by Representative Ted Lieu in April 2018.
HackerOne exceeded $30,000,000 in bounties paid out to hackers in