Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges. In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries. Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies. Read on for all of the facts!

1. Data from The 2018 Hacker-Powered Security Report
118
HACKER-
POWERED
FACTS

2. The Hacker-Powered Security Report examines the largest dataset of
more than 1,000 hacker-powered security programs, compiles learnings
from application security practitioners and the hackers who participate in
bug bounty and vulnerability disclosure programs. The report also
analyzed vulnerability disclosure data from the world’s 2,000 biggest
publicly traded companies according to Forbes. Consider this your
“cheat sheet” of the top findings. You can also download the full
46-page report packed with key learnings, graphs, and links to other
helpful resources at
https://www.hackerone.com/resources/hacker-powered-security-report.
#hackerpoweredfacts
INTRODUCTION

3. GENERAL
FACTS

4. A total of 116 bug bounties over $10,000
were paid out in the past year, up 30%
from the previous year.
#hackerpoweredfacts
FACT #1

5. The average bounty for critical issues rose
to more than $2,000.
#hackerpoweredfacts
FACT #2

6. From HackerOne’s inception in 2012
through June 2018, organizations have
awarded hackers over $31 million.
#hackerpoweredfacts
FACT #3

7. $11.7 million in bug bounties
was awarded in 2017 alone.
#hackerpoweredfacts
FACT #4

8. FACT #5
93% of the Forbes Global 2000 list do
not have a policy to receive, respond,
and resolve critical bug reports
submitted by the outside world.
#hackerpoweredfacts

9. FACT #6
25% of the hacker community is currently
enrolled as a full-time student.
#hackerpoweredfacts

10. FACT #7
Hackers from over 100 countries have
been paid for their research through
HackerOne programs.
#hackerpoweredfacts

11. FACT #8
#hackerpoweredfacts
Top earning hackers made 2.7x the
median salary of a software engineer
in their home country.

12. FACT #9
The U.S. Department of Defense has received
over 5,000 reports since the launch of their
vulnerability disclosure policy.
#hackerpoweredfacts

13. FACT #10
In 2018 to date, HackerOne maintains
a platform-wide signal of 80%, greatly
reducing the human resources required to
run a hacker-powered program.
#hackerpoweredfacts

14. FACT #11
Goldman Sachs, Toyota, and American
Express were a few of the enterprises
to launch a VDP in 2018.
#hackerpoweredfacts

15. FACT #12
#hackerpoweredfacts
HackerOne saw a 54% year-over-year
increase in new enterprise VDP
program launches.

16. FACT #13
78,275 total reports were submitted
in 2017 on HackerOne.
#hackerpoweredfacts

17. GEOGRAPHY

18. FACT #14
Latin America saw the biggest regional
increase in hacker-powered security
programs, rising by 143% year-over-year.
#hackerpoweredfacts

19. FACT #15
North America and the Asia Pacific region
each saw hacker-powered security
programs increase by 37%.
#hackerpoweredfacts

20. FACT #16
#hackerpoweredfacts
Europe, the Middle East, and Africa
saw a combined 26% increase in
the past year.

21. FACT #17
Organizations located in the U.S. pay 83%
of all bounties to hackers around the
globe, continuing their trend as the
leading bounty-paying country.
#hackerpoweredfacts

22. FACT #18
Canada-based organizations remain in the
second spot for 2017, with $1.5 million in
bounties paid.
#hackerpoweredfacts

23. FACT #19
Organizations in the U.K. rose from sixth
place in 2016 to third place this year
for total value of bounties paid.
#hackerpoweredfacts

24. FACT #20
18 countries have hackers earning
a combined $500,000 or more.
#hackerpoweredfacts

25. FACT #21
44 countries have hackers earning
a combined $100,000 or more.
#hackerpoweredfacts

26. FACT #22
Hackers in the U.S. earned 17% of all
bounties awarded.
#hackerpoweredfacts

27. FACT #23
Hackers in India were in second place,
earning 13% of all bounties awarded.
#hackerpoweredfacts

28. FACT #24
Hackers in Germany are on a roll,
earning 157% more in 2017
versus 2016.
#hackerpoweredfacts

29. PUBLIC VS.
PRIVATE

30. FACT #25
On average, public programs engage
3.5 times the number of hackers
reporting valid vulnerabilities than private
programs.
#hackerpoweredfacts

31. FACT #26
Private bug bounty programs currently
make up 79% of all bug bounty
programs on HackerOne, down from 88%
in 2017 and 92% in 2016 calendar years.
#hackerpoweredfacts

32. FACT #27
The majority of public bug bounty
programs, 63%, are run by Technology
organizations.
#hackerpoweredfacts

33. FACT #28
Financial Services & Banking and
Media & Entertainment were tied
for second as the industries with
the most public bug bounty
programs at 9%.
#hackerpoweredfacts

34. FACT #29
Public programs made up about 19% of
HackerOne bug bounty launches in the
past 12 months, about double compared
to the year before.
#hackerpoweredfacts

35. INDUSTRY
ADOPTION

36. FACT #30
For the fourth year in a row, industries
beyond Technology increased their share
of the overall bug bounty market.
#hackerpoweredfacts

37. FACT #31
Government and Telecommunications
account for 43% of today’s bug bounty
programs.
#hackerpoweredfacts

38. FACT #32
In the government sector there was
125% increase year-over-year
globally with new program launches
including the European
Commission and the Ministry of
Defense Singapore.
#hackerpoweredfacts

39. FACT #33
Automotive bug bounty programs
increased 50% in the past year.
#hackerpoweredfacts

40. FACT #34
In the past year, Technology
organizations launched 58% of all new
hacker-powered security programs.
#hackerpoweredfacts

41. FACT #35
Healthcare launched the second-most
share of new hacker-powered security
programs at 10%.
#hackerpoweredfacts

42. FACT #36
Telecommunications bug bounty
programs increased by 71% in
the past year.
#hackerpoweredfacts

43. FACT #37
Seven of the top 50 automotive vehicle
manufacturers globally have a way for
external researchers to report
vulnerabilities.
#hackerpoweredfacts

44. INDUSTRY
VULNERABILITIES

45. FACT #38
More than 72,000 vulnerabilities
have been resolved on HackerOne
as of May 2018.
#hackerpoweredfacts

46. FACT #39
More than 27,000 vulnerabilities,
one-third of the overall total, were
resolved in just the past year alone.
#hackerpoweredfacts

47. FACT #40
Cross-site scripting (XSS, CWE-79)
continued to be the most common
vulnerability reported across all
industries—with the exception of
Healthcare and Technology.
#hackerpoweredfacts

48. FACT #41
For Healthcare and Technology, the top
reported vulnerability type, with nearly
8,000 reported in the past year, were
related to Information Disclosure
(CWE-200).
#hackerpoweredfacts

49. FACT #42
For 2017 the total number of
critical vulnerabilities reported
increased by 26%.
#hackerpoweredfacts

50. FACT #43
The share of the most impactful bugs—critical
and high combined—increased from 22% in
2016 to 24% in 2017.
#hackerpoweredfacts

51. FACT #44
XSS vulnerabilities represented
59% of the top 15 vulnerabilities
reported to Transportation
organizations.
#hackerpoweredfacts

52. FACT #45
XSS vulnerabilities represented 37% of
the top 15 vulnerabilities reported to
Travel & Hospitality organizations.
#hackerpoweredfacts

53. FACT #46
Government organizations saw the most
cryptographic issues, at 18% of their total
reported vulnerabilities, which is 6-times
more than the second-place industry,
Telecom, which saw just 3% of that
category of reports.
#hackerpoweredfacts

54. FACT #47
There were 38 times more “insecure
storage” vulnerabilities reported in 2017
compared to 2016 on HackerOne.
#hackerpoweredfacts

55. INDUSTRY
RESPONSIVENESS

56. FACT #48
The fastest industry with
respect to average resolution
times is Consumer Goods at
14 days.
#hackerpoweredfacts

57. FACT #49
Financial Services & Insurance has the
second-best resolution times at 19 days.
#hackerpoweredfacts

58. FACT #50
Government is the slowest at resolutions,
with average resolution times of 68 days.
#hackerpoweredfacts

59. FACT #51
However, Government is the
second-fastest at average days to
bounty payment at just 18 days.
#hackerpoweredfacts

60. FACT #52
Healthcare is the overall fastest
industry at paying hackers,
with an average days to bounty
payment at 15 days.
#hackerpoweredfacts

61. FACT #53
Government, Transportation, Technology,
Retail & Ecommerce, Media & Entertainment,
Healthcare, and Financial Services & Insurance
all have average days to bounty payments
less than their average days to resolution.
#hackerpoweredfacts

62. FACT #54
Telecom, Professional Services, Travel &
Hospitality, and Consumer Goods all have
average days to bounty payments more
than their average days to resolution.
#hackerpoweredfacts

63. BOUNTY
TRENDS

64. FACT #55
About 60% of organizations on the
platform pay an average of $1,500 for
critical vulnerabilities, a 50% ($500)
increase from 2016.
#hackerpoweredfacts

65. FACT #56
The average bounty paid for critical
vulnerabilities across all industries on
the HackerOne platform rose to $2,041
in 2017. That’s a 6% year-over-year
increase over the 2016 average of
$1,923.
#hackerpoweredfacts

66. FACT #57
Of all categorized vulnerabilities, 6% were
critical, 18% were high, 39% were medium,
23% were low, and 13% did not register on
the severity scale.
#hackerpoweredfacts

67. FACT #58
Government has the highest average
bounty payout for critical vulnerabilities
at $3,892.
#hackerpoweredfacts

68. FACT #59
Technology has the second-highest
average bounty payout for critical
vulnerabilities at $3,635.
#hackerpoweredfacts

69. FACT #60
Travel & Hospitality has the lowest
average bounty payout for critical
vulnerabilities at $668.
#hackerpoweredfacts

70. FACT #61
Only Consumer Goods and Travel &
Hospitality organizations average critical
vulnerability bounty values below $1,000.
#hackerpoweredfacts

71. FACT #62
Bounty programs on the HackerOne platform
that reward an average of $20,000 for critical
vulnerabilities are in the top 1% of reward
competitiveness, a 33% or $5,000 increase
from last year’s average bounties paid for
critical vulnerabilities.
#hackerpoweredfacts

72. FACT #63
Bounty programs on the HackerOne
platform that reward an average of
$10,000 for high vulnerabilities are in
the top 1% of reward competitiveness.
#hackerpoweredfacts

73. FACT #64
Intel and Microsoft offer top
bounties of up to $250,000.
#hackerpoweredfacts

74. FACT #65
Google and Apple offer top bounties
of up to $200,000.
#hackerpoweredfacts

75. FACT #66
The highest bounty paid on HackerOne
in 2017 was $75,000, paid by a
Technology company.
#hackerpoweredfacts

76. FACT #67
Media & Entertainment organizations pay
the lowest top bounty awards, with their
top award being just $1,767 in 2017.
#hackerpoweredfacts

77. FACT #68
In just the past year, organizations in
the Transportation, Telecommunications,
Professional Services, and Technology
industries all awarded top bounty
awards of $20,000 or more.
#hackerpoweredfacts

78. FACT #69
Technology organizations paid the
most bounties all time at more than
$20.2 million.
#hackerpoweredfacts

79. FACT #70
Media & Entertainment paid the
second-most amount of bounties all time
at just over $2 million, more than 90% less
than Technology organizations.
#hackerpoweredfacts

80. FACT #71
Consumer Goods was the industry paying
the least amount of bounties all time with
just under $200,000 awarded.
#hackerpoweredfacts

81. FACT #72
Technology organizations paid
55% of the total value of all
bounties paid.
#hackerpoweredfacts

82. SIGNAL-TO-NOISE

83. FACT #73
Do it yourself bug bounty programs
that don’t benefit from noise reducing
platform features can experience
signal-to-noise ratios as low as 4%.
#hackerpoweredfacts

84. FACT #74
HackerOne consistently maintains
80% Signal platform wide.
#hackerpoweredfacts

85. FACT #75
Managed programs on HackerOne
consistently garner a Clear Signal of
40%, while unmanaged programs achieve
just 33% in Clear Signal.
#hackerpoweredfacts

86. Vulnerability
Disclosure
Policies

87. FACT #76
Nearly 1 in 4 hackers have not
reported a vulnerability that they
found because the company didn’t
have a channel to disclose it.
#hackerpoweredfacts

88. FACT #77
61% of startups valued at over
$1 billion have a VDP.
#hackerpoweredfacts

89. FACT #78
47% of Technology companies on the
Forbes Global 2000 list have a channel for
responsible vulnerability disclosure.
#hackerpoweredfacts

90. FACT #79
24% of Telecommunications
companies have a known vulnerability
disclosure program.
#hackerpoweredfacts

91. FACT #80
5% of Transportation
companies have vulnerability
disclosure policies.
#hackerpoweredfacts

92. FACT #81
20% of conglomerates have
vulnerability disclosure or bug bounty
programs, up from 14% in 2017.
#hackerpoweredfacts

93. FACT #82
4% of Financial Services companies
have vulnerability disclosure policies.
#hackerpoweredfacts

94. HACKERS

95. FACT #83
HackerOne’s community of ethical
hackers is more than 200,000 strong.
#hackerpoweredfacts

96. FACT #84
Over 90% of hackers are under
the age of 35.
#hackerpoweredfacts

97. FACT #85
Nearly identical fractions of hackers
are under 13 years old (0.4%) and
over 50 years old (0.5%).
#hackerpoweredfacts

98. FACT #86
44% of hackers are IT professionals.
#hackerpoweredfacts

99. FACT #87
The number one reason hackers hack
is their motivation to learn tips and
techniques.
#hackerpoweredfacts

100. FACT #88
Money fell from first in 2016 to
fourth on the list of reasons
hackers hack.
#hackerpoweredfacts

101. FACT #89
10% of hackers do it “to do good in
the world”.
#hackerpoweredfacts

102. FACT #90
Nearly 58% of hackers are self-taught.
#hackerpoweredfacts

103. FACT #91
Less than 5% of hackers learned their
hacking skills in a classroom.
#hackerpoweredfacts

104. FACT #92
50% of hackers studied computer
science at an undergraduate or
graduate level.
#hackerpoweredfacts

105. FACT #93
26% of hackers studied computer
science in high school or before.
#hackerpoweredfacts

106. FACT #94
44% of hackers are just dabbling,
spending 10 hours or less per
week hacking.
#hackerpoweredfacts

107. FACT #95
20% of hackers are full-time,
spending 30 hours or more per
week hacking.
#hackerpoweredfacts

108. FACT #96
Top-performing hackers living in
India make 16-times the median
salary of a local software engineer.
#hackerpoweredfacts

109. FACT #97
Top-performing hackers living in the
U.S. make 2.5-times the median
salary of a local software engineer.
#hackerpoweredfacts

110. FACT #98
Top-performing hackers living in the
Egypt make 8.1-times the median
salary of a local software engineer.
#hackerpoweredfacts

111. FACT #99
Top-performing hackers living across a
global sample of 40 countries make an
average of 2.7-times the median salary
of a local software engineer.
#hackerpoweredfacts

112. FACT #100
At a HackerOne live hacking event,
Oath paid hackers more than
$400,000 in just a single day.
#hackerpoweredfacts

113. HISTORY

114. FACT #101
Hunter & Ready, Inc. announced
a “bug” bounty program for their
products in 1983.
#hackerpoweredfacts

115. FACT #102
Netscape launched the first
“modern-day” bug bounty
program in 1995.
#hackerpoweredfacts

116. FACT #103
Mozilla Foundation started offering
bug bounties up to $500 for critical
vulnerabilities in 2004.
#hackerpoweredfacts

117. FACT #104
The first PWN20WN contest
kicked off in 2007.
#hackerpoweredfacts

118. FACT #105
Google announced a bug bounty
program for web applications in 2010.
#hackerpoweredfacts

119. FACT #106
Facebook announced their bug
bounty program in 2011.
#hackerpoweredfacts

120. FACT #107
Microsoft and Facebook sponsored
the creation of Internet Bug Bounty
(IBB) in 2013.
#hackerpoweredfacts

121. FACT #108
Hack the Pentagon, the U.S.
Department of Defense’s,
launched on HackerOne’s
platform in April 2016.
#hackerpoweredfacts

122. FACT #109
The manifesto on coordinated
cybersecurity disclosure was signed
by 29 companies in May 2016.
#hackerpoweredfacts

123. FACT #110
HackerOne kicked off its first live
hacking event in Las Vegas,
H1-702, paying out over $150,000
in bounties in just 3 days in
August 2016.
#hackerpoweredfacts

124. FACT #111
The U.S. Department of Defense
kicked off the first government
VDP in November 2016.
#hackerpoweredfacts

125. FACT #112
The NTIA Safety Working Group
published v1.1 of the Coordinated
Vulnerability Disclosure Template
in December 2016.
#hackerpoweredfacts

126. FACT #113
The Hack the DHS bill passed
the U.S. Senate in May 2017.
#hackerpoweredfacts

127. FACT #114
The CERT Guide to Coordinated
Vulnerability Disclosure was
published in August 2017.
#hackerpoweredfacts

128. FACT #115
U.S. Deputy Attorney General Rod J.
Rosenstein recommended all companies
consider promulgating a vulnerability
disclosure policy in October 2017.
#hackerpoweredfacts

129. FACT #116
HackerOne and others were
invited to testify in front of the
U.S. Senate Subcommittee on
Consumer Protection, Product
Safety, Insurance, and Data
Security in February 2018.
#hackerpoweredfacts

130. FACT #117
U.S. House of Representatives bill H.R.
5433: Hack Your State Department Act
was proposed by Representative Ted Liu
in April 2018.
#hackerpoweredfacts

131. FACT #118
HackerOne exceeded $30,000,000
in bounties paid out to hackers in
June 2018.
#hackerpoweredfacts

132. #hackerpoweredfacts https://www.hackerone.com/contact
DOWNLOAD REPORT