Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
Data from The 2018 Hacker-Powered Security Report
The Hacker-Powered Security Report examines the largest dataset of hacker-powered security programs, more than 1,000 in total, and compiles learnings from application security practitioners and the hackers who participate in bug bounty and vulnerability disclosure programs. The report also analyzed vulnerability disclosure data from the world’s 2,000 biggest publicly traded companies according to Forbes. Consider this your “cheat sheet” of the top findings. You can also download the full 46-page report packed with key learnings, graphs, and links to other helpful resources at https://www.hackerone.com/resources/hacker-powered-security-report.
#hackerpoweredfacts
INTRODUCTION
FACT #1: A total of 116 bug bounties over $10,000 were paid out in the past year, up 30% from the previous year.
FACT #2: The average bounty for critical issues rose to more than $2,000.
FACT #3: From HackerOne’s inception in 2012 through June 2018, organizations have awarded hackers over $31 million.
FACT #4: $11.7 million in bug bounties was awarded in 2017 alone.
FACT #5: 93% of the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by the outside world.
FACT #6: 25% of the hacker community is currently enrolled as a full-time student.
FACT #7: Hackers from over 100 countries have been paid for their research through HackerOne programs.
FACT #9: The U.S. Department of Defense has received over 5,000 reports since the launch of their vulnerability disclosure policy.
FACT #10: In 2018 to date, HackerOne maintains a platform-wide signal of 80%, greatly reducing the human resources required to run a hacker-powered program.
FACT #11: Goldman Sachs, Toyota, and American Express were a few of the enterprises to launch a VDP in 2018.
FACT #17: Organizations located in the U.S. pay 83% of all bounties to hackers around the globe, continuing their trend as the leading bounty-paying country.
FACT #25: On average, public programs engage 3.5 times as many hackers reporting valid vulnerabilities as private programs.
FACT #26: Private bug bounty programs currently make up 79% of all bug bounty programs on HackerOne, down from 88% in calendar year 2017 and 92% in calendar year 2016.
FACT #27: The majority of public bug bounty programs, 63%, are run by Technology organizations.
FACT #28: Financial Services & Banking and Media & Entertainment were tied for second as the industries with the most public bug bounty programs, at 9%.
FACT #29: Public programs made up about 19% of HackerOne bug bounty launches in the past 12 months, about double the share of the year before.
FACT #30: For the fourth year in a row, industries beyond Technology increased their share of the overall bug bounty market.
FACT #31: Government and Telecommunications account for 43% of today’s bug bounty programs.
FACT #32: In the government sector there was a 125% increase year-over-year globally, with new program launches including the European Commission and the Ministry of Defense Singapore.
FACT #37: Seven of the top 50 automotive vehicle manufacturers globally have a way for external researchers to report vulnerabilities.
FACT #38: More than 72,000 vulnerabilities have been resolved on HackerOne as of May 2018.
FACT #39: More than 27,000 vulnerabilities, one-third of the overall total, were resolved in just the past year alone.
FACT #40: Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability reported across all industries, with the exception of Healthcare and Technology.
FACT #41: For Healthcare and Technology, the top reported vulnerability type, with nearly 8,000 reported in the past year, was Information Disclosure (CWE-200).
FACT #42: For 2017 the total number of critical vulnerabilities reported increased by 26%.
FACT #43: The share of the most impactful bugs, critical and high combined, increased from 22% in 2016 to 24% in 2017.
FACT #44: XSS vulnerabilities represented 59% of the top 15 vulnerabilities reported to Transportation organizations.
FACT #45: XSS vulnerabilities represented 37% of the top 15 vulnerabilities reported to Travel & Hospitality organizations.
FACT #46: Government organizations saw the most cryptographic issues, at 18% of their total reported vulnerabilities, six times more than the second-place industry, Telecom, where just 3% of reports fell into that category.
FACT #47: There were 38 times more “insecure storage” vulnerabilities reported on HackerOne in 2017 compared to 2016.
FACT #48: The fastest industry with respect to average resolution time is Consumer Goods at 14 days.
FACT #49: Financial Services & Insurance has the second-best resolution time at 19 days.
FACT #50: Government is the slowest at resolution, with an average resolution time of 68 days.
FACT #51: However, Government is the second-fastest at average days to bounty payment, at just 18 days.
FACT #52: Healthcare is the overall fastest industry at paying hackers, with an average of 15 days to bounty payment.
FACT #53: Government, Transportation, Technology, Retail & Ecommerce, Media & Entertainment, Healthcare, and Financial Services & Insurance all have average days to bounty payment less than their average days to resolution.
FACT #54: Telecom, Professional Services, Travel & Hospitality, and Consumer Goods all have average days to bounty payment greater than their average days to resolution.
FACT #55: About 60% of organizations on the platform pay an average of $1,500 for critical vulnerabilities, a 50% ($500) increase from 2016.
FACT #56: The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform rose to $2,041 in 2017. That’s a 6% year-over-year increase over the 2016 average of $1,923.
FACT #57: Of all categorized vulnerabilities, 6% were critical, 18% were high, 39% were medium, 23% were low, and 13% did not register on the severity scale.
FACT #58: Government has the highest average bounty payout for critical vulnerabilities at $3,892.
FACT #59: Technology has the second-highest average bounty payout for critical vulnerabilities at $3,635.
FACT #60: Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities at $668.
FACT #61: Only Consumer Goods and Travel & Hospitality organizations average critical vulnerability bounty values below $1,000.
FACT #62: Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% of reward competitiveness, a 33% or $5,000 increase from last year’s average bounties paid for critical vulnerabilities.
FACT #63: Bounty programs on the HackerOne platform that reward an average of $10,000 for high vulnerabilities are in the top 1% of reward competitiveness.
FACT #64: Intel and Microsoft offer top bounties of up to $250,000.
FACT #65: Google and Apple offer top bounties of up to $200,000.
FACT #66: The highest bounty paid on HackerOne in 2017 was $75,000, paid by a Technology company.
FACT #67: Media & Entertainment organizations pay the lowest top bounty awards, with their top award being just $1,767 in 2017.
FACT #68: In just the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounties of $20,000 or more.
FACT #70: Media & Entertainment paid the second-largest amount of bounties of all time at just over $2 million, more than 90% less than Technology organizations.
FACT #71: Consumer Goods was the industry paying the least amount of bounties of all time, with just under $200,000 awarded.
FACT #73: Do-it-yourself bug bounty programs that don’t benefit from noise-reducing platform features can experience signal-to-noise ratios as low as 4%.
FACT #75: Managed programs on HackerOne consistently garner a Clear Signal of 40%, while unmanaged programs achieve just 33% in Clear Signal.
FACT #76: Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it.
FACT #77: 61% of startups valued at over $1 billion have a VDP.
FACT #78: 47% of Technology companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure.
FACT #79: 24% of Telecommunications companies have a known vulnerability disclosure program.
FACT #80: 5% of Transportation companies have vulnerability disclosure policies.
FACT #81: 20% of conglomerates have vulnerability disclosure or bug bounty programs, up from 14% in 2017.
FACT #82: 4% of Financial Services companies have vulnerability disclosure policies.
FACT #91: Less than 5% of hackers learned their hacking skills in a classroom.
FACT #92: 50% of hackers studied computer science at an undergraduate or graduate level.
FACT #93: 26% of hackers studied computer science in high school or before.
FACT #94: 44% of hackers are just dabbling, spending 10 hours or less per week hacking.
FACT #95: 20% of hackers are full-time, spending 30 hours or more per week hacking.
FACT #96: Top-performing hackers living in India make 16 times the median salary of a local software engineer.
FACT #97: Top-performing hackers living in the U.S. make 2.5 times the median salary of a local software engineer.
FACT #98: Top-performing hackers living in Egypt make 8.1 times the median salary of a local software engineer.
FACT #99: Top-performing hackers living across a global sample of 40 countries make an average of 2.7 times the median salary of a local software engineer.
FACT #100: At a HackerOne live hacking event, Oath paid hackers more than $400,000 in just a single day.
FACT #107: Microsoft and Facebook sponsored the creation of the Internet Bug Bounty (IBB) in 2013.
FACT #108: Hack the Pentagon, the U.S. Department of Defense’s, launched on HackerOne’s platform in April 2016.
FACT #109: The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016.
FACT #110: HackerOne kicked off its first live hacking event, H1-702, in Las Vegas, paying out over $150,000 in bounties in just 3 days in August 2016.
FACT #111: The U.S. Department of Defense kicked off the first government VDP in November 2016.
FACT #112: The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016.
FACT #113: The Hack the DHS bill passed the U.S. Senate in May 2017.
FACT #114: The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017.
FACT #115: U.S. Deputy Attorney General Rod J. Rosenstein recommended that all companies consider promulgating a vulnerability disclosure policy in October 2017.
FACT #116: HackerOne and others were invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018.
FACT #117: U.S. House of Representatives bill H.R. 5433, the Hack Your State Department Act, was proposed by Representative Ted Lieu in April 2018.