
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report

Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.

Since last year's report, the HackerOne community and the organizations using our platform have combined to beat every metric we track: organizations awarded more than $11 million in bounties, hackers submitted more than 78,000 reports, and bounties were paid to hackers in over 100 countries.

Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.

Read on for all of the facts!

  1. 118 HACKER-POWERED FACTS. Data from The 2018 Hacker-Powered Security Report.
  2. INTRODUCTION. The Hacker-Powered Security Report examines the largest dataset of hacker-powered security programs, more than 1,000 in total, and compiles learnings from application security practitioners and the hackers who participate in bug bounty and vulnerability disclosure programs. The report also analyzed vulnerability disclosure data from the world's 2,000 biggest publicly traded companies according to Forbes. Consider this your "cheat sheet" of the top findings. You can also download the full 46-page report, packed with key learnings, graphs, and links to other helpful resources, at https://www.hackerone.com/resources/hacker-powered-security-report. #hackerpoweredfacts
  3. GENERAL FACTS
  4. FACT #1 A total of 116 bug bounties over $10,000 were paid out in the past year, up 30% from the previous year.
  5. FACT #2 The average bounty for critical issues rose to more than $2,000.
  6. FACT #3 From HackerOne's inception in 2012 through June 2018, organizations have awarded hackers over $31 million.
  7. FACT #4 $11.7 million in bug bounties was awarded in 2017 alone.
  8. FACT #5 93% of the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by the outside world.
  9. FACT #6 25% of the hacker community are currently enrolled as full-time students.
  10. FACT #7 Hackers from over 100 countries have been paid for their research through HackerOne programs.
  11. FACT #8 Top-earning hackers made 2.7x the median salary of a software engineer in their home country.
  12. FACT #9 The U.S. Department of Defense has received over 5,000 reports since the launch of its vulnerability disclosure policy.
  13. FACT #10 In 2018 to date, HackerOne maintains a platform-wide signal of 80%, greatly reducing the human resources required to run a hacker-powered program.
  14. FACT #11 Goldman Sachs, Toyota, and American Express were a few of the enterprises to launch a VDP in 2018.
  15. FACT #12 HackerOne saw a 54% year-over-year increase in new enterprise VDP launches.
  16. FACT #13 78,275 total reports were submitted on HackerOne in 2017.
  17. GEOGRAPHY
  18. FACT #14 Latin America saw the biggest regional increase in hacker-powered security programs, rising 143% year-over-year.
  19. FACT #15 North America and the Asia-Pacific region each saw hacker-powered security programs increase by 37%.
  20. FACT #16 Europe, the Middle East, and Africa saw a combined 26% increase in the past year.
  21. FACT #17 Organizations located in the U.S. pay 83% of all bounties to hackers around the globe, keeping the U.S. the leading bounty-paying country.
  22. FACT #18 Canada-based organizations remained in second place for 2017, with $1.5 million in bounties paid.
  23. FACT #19 Organizations in the U.K. rose from sixth place in 2016 to third place this year for total value of bounties paid.
  24. FACT #20 In each of 18 countries, hackers have collectively earned $500,000 or more.
  25. FACT #21 In each of 44 countries, hackers have collectively earned $100,000 or more.
  26. FACT #22 Hackers in the U.S. earned 17% of all bounties awarded.
  27. FACT #23 Hackers in India were in second place, earning 13% of all bounties awarded.
  28. FACT #24 Hackers in Germany are on a roll, earning 157% more in 2017 than in 2016.
  29. PUBLIC VS. PRIVATE
  30. FACT #25 On average, public programs engage 3.5 times as many hackers reporting valid vulnerabilities as private programs.
  31. FACT #26 Private bug bounty programs currently make up 79% of all bug bounty programs on HackerOne, down from 88% in calendar year 2017 and 92% in calendar year 2016.
  32. FACT #27 The majority of public bug bounty programs, 63%, are run by Technology organizations.
  33. FACT #28 Financial Services & Banking and Media & Entertainment were tied for second as the industries with the most public bug bounty programs, at 9% each.
  34. FACT #29 Public programs made up about 19% of HackerOne bug bounty launches in the past 12 months, about double the share of the year before.
  35. INDUSTRY ADOPTION
  36. FACT #30 For the fourth year in a row, industries beyond Technology increased their share of the overall bug bounty market.
  37. FACT #31 Government and Telecommunications account for 43% of today's bug bounty programs.
  38. FACT #32 The government sector saw a 125% year-over-year increase globally, with new program launches including the European Commission and the Ministry of Defense Singapore.
  39. FACT #33 Automotive bug bounty programs increased 50% in the past year.
  40. FACT #34 In the past year, Technology organizations launched 58% of all new hacker-powered security programs.
  41. FACT #35 Healthcare launched the second-largest share of new hacker-powered security programs, at 10%.
  42. FACT #36 Telecommunications bug bounty programs increased by 71% in the past year.
  43. FACT #37 Seven of the top 50 automotive vehicle manufacturers globally have a way for external researchers to report vulnerabilities.
  44. INDUSTRY VULNERABILITIES
  45. FACT #38 More than 72,000 vulnerabilities had been resolved on HackerOne as of May 2018.
  46. FACT #39 More than 27,000 vulnerabilities, one-third of the overall total, were resolved in the past year alone.
  47. FACT #40 Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability type reported across all industries, with the exception of Healthcare and Technology.
  48. FACT #41 For Healthcare and Technology, the top reported vulnerability type was Information Disclosure (CWE-200), with nearly 8,000 such reports in the past year.
  49. FACT #42 For 2017, the total number of critical vulnerabilities reported increased by 26%.
  50. FACT #43 The share of the most impactful bugs, critical and high combined, increased from 22% in 2016 to 24% in 2017.
  51. FACT #44 XSS represented 59% of the reports in the top 15 vulnerability types reported to Transportation organizations.
  52. FACT #45 XSS represented 37% of the reports in the top 15 vulnerability types reported to Travel & Hospitality organizations.
  53. FACT #46 Government organizations saw the most cryptographic issues, at 18% of their total reported vulnerabilities, six times the share of the second-place industry, Telecom, where such reports were just 3% of the total.
  54. FACT #47 38 times more "insecure storage" vulnerabilities were reported on HackerOne in 2017 than in 2016.
  55. INDUSTRY RESPONSIVENESS
  56. FACT #48 The fastest industry by average resolution time is Consumer Goods, at 14 days.
  57. FACT #49 Financial Services & Insurance has the second-best average resolution time, at 19 days.
  58. FACT #50 Government is the slowest at resolution, with an average resolution time of 68 days.
  59. FACT #51 However, Government is the second-fastest at paying bounties, with an average of just 18 days to bounty payment.
  60. FACT #52 Healthcare is the overall fastest industry at paying hackers, with an average of 15 days to bounty payment.
  61. FACT #53 Government, Transportation, Technology, Retail & Ecommerce, Media & Entertainment, Healthcare, and Financial Services & Insurance all have average days to bounty payment lower than their average days to resolution.
  62. FACT #54 Telecom, Professional Services, Travel & Hospitality, and Consumer Goods all have average days to bounty payment higher than their average days to resolution.
  63. BOUNTY TRENDS
  64. FACT #55 About 60% of organizations on the platform pay an average of $1,500 for critical vulnerabilities, a 50% ($500) increase from 2016.
  65. FACT #56 The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform rose to $2,041 in 2017, a 6% year-over-year increase over the 2016 average of $1,923.
  66. FACT #57 Of all categorized vulnerabilities, 6% were critical, 18% high, 39% medium, and 23% low, while 13% did not register on the severity scale.
  67. FACT #58 Government has the highest average bounty payout for critical vulnerabilities, at $3,892.
  68. FACT #59 Technology has the second-highest average bounty payout for critical vulnerabilities, at $3,635.
  69. FACT #60 Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities, at $668.
  70. FACT #61 Only Consumer Goods and Travel & Hospitality organizations average critical-vulnerability bounties below $1,000.
  71. FACT #62 Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% for reward competitiveness, up 33% ($5,000) from last year's top-1% figure.
  72. FACT #63 Bounty programs on the HackerOne platform that reward an average of $10,000 for high-severity vulnerabilities are in the top 1% for reward competitiveness.
  73. FACT #64 Intel and Microsoft offer top bounties of up to $250,000.
  74. FACT #65 Google and Apple offer top bounties of up to $200,000.
  75. FACT #66 The highest bounty paid on HackerOne in 2017 was $75,000, paid by a Technology company.
  76. FACT #67 Media & Entertainment organizations pay the lowest top bounty awards; their top award was just $1,767 in 2017.
  77. FACT #68 In the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounties of $20,000 or more.
  78. FACT #69 Technology organizations have paid the most in bounties all-time, at more than $20.2 million.
  79. FACT #70 Media & Entertainment has paid the second-most in bounties all-time, at just over $2 million, more than 90% less than Technology organizations.
  80. FACT #71 Consumer Goods is the industry that has paid the least in bounties all-time, with just under $200,000 awarded.
  81. FACT #72 Technology organizations paid 55% of the total value of all bounties paid.
  82. SIGNAL-TO-NOISE
  83. FACT #73 Do-it-yourself bug bounty programs that don't benefit from noise-reducing platform features can experience signal-to-noise ratios as low as 4%.
  84. FACT #74 HackerOne consistently maintains 80% Signal platform-wide.
  85. FACT #75 Managed programs on HackerOne consistently achieve a Clear Signal of 40%, while unmanaged programs achieve just 33%.
  86. VULNERABILITY DISCLOSURE POLICIES
  87. FACT #76 Nearly 1 in 4 hackers have not reported a vulnerability they found because the company had no channel to disclose it.
  88. FACT #77 61% of startups valued at over $1 billion have a VDP.
  89. FACT #78 47% of Technology companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure.
  90. FACT #79 24% of Telecommunications companies have a known vulnerability disclosure program.
  91. FACT #80 5% of Transportation companies have vulnerability disclosure policies.
  92. FACT #81 20% of conglomerates have vulnerability disclosure or bug bounty programs, up from 14% in 2017.
  93. FACT #82 4% of Financial Services companies have vulnerability disclosure policies.
  94. HACKERS
  95. FACT #83 HackerOne's community of ethical hackers is more than 200,000 strong.
  96. FACT #84 Over 90% of hackers are under the age of 35.
  97. FACT #85 Nearly identical fractions of hackers are under 13 years old (0.4%) and over 50 years old (0.5%).
  98. FACT #86 44% of hackers are IT professionals.
  99. FACT #87 The number-one reason hackers hack is to learn tips and techniques.
  100. FACT #88 Money fell from first in 2016 to fourth on the list of reasons hackers hack.
  101. FACT #89 10% of hackers do it "to do good in the world."
  102. FACT #90 Nearly 58% of hackers are self-taught.
  103. FACT #91 Less than 5% of hackers learned their hacking skills in a classroom.
  104. FACT #92 50% of hackers studied computer science at an undergraduate or graduate level.
  105. FACT #93 26% of hackers studied computer science in high school or earlier.
  106. FACT #94 44% of hackers are just dabbling, spending 10 hours or less per week hacking.
  107. FACT #95 20% of hackers are full-time, spending 30 hours or more per week hacking.
  108. FACT #96 Top-performing hackers living in India make 16 times the median salary of a local software engineer.
  109. FACT #97 Top-performing hackers living in the U.S. make 2.5 times the median salary of a local software engineer.
  110. FACT #98 Top-performing hackers living in Egypt make 8.1 times the median salary of a local software engineer.
  111. FACT #99 Across a global sample of 40 countries, top-performing hackers make an average of 2.7 times the median salary of a local software engineer.
  112. FACT #100 At a HackerOne live hacking event, Oath paid hackers more than $400,000 in a single day.
  113. HISTORY
  114. FACT #101 Hunter & Ready, Inc. announced a "bug" bounty program for their products in 1983.
  115. FACT #102 Netscape launched the first "modern-day" bug bounty program in 1995.
  116. FACT #103 The Mozilla Foundation started offering bug bounties of up to $500 for critical vulnerabilities in 2004.
  117. FACT #104 The first Pwn2Own contest kicked off in 2007.
  118. FACT #105 Google announced a bug bounty program for web applications in 2010.
  119. FACT #106 Facebook announced its bug bounty program in 2011.
  120. FACT #107 Microsoft and Facebook sponsored the creation of the Internet Bug Bounty (IBB) in 2013.
  121. FACT #108 Hack the Pentagon, the U.S. Department of Defense's bug bounty program, launched on HackerOne's platform in April 2016.
  122. FACT #109 The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016.
  123. FACT #110 HackerOne kicked off its first live hacking event, H1-702 in Las Vegas, paying out over $150,000 in bounties in just 3 days in August 2016.
  124. FACT #111 The U.S. Department of Defense kicked off the first government VDP in November 2016.
  125. FACT #112 The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016.
  126. FACT #113 The Hack the DHS bill passed the U.S. Senate in May 2017.
  127. FACT #114 The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017.
  128. FACT #115 U.S. Deputy Attorney General Rod J. Rosenstein recommended that all companies consider promulgating a vulnerability disclosure policy in October 2017.
  129. FACT #116 HackerOne and others were invited to testify before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018.
  130. FACT #117 U.S. House of Representatives bill H.R. 5433, the Hack Your State Department Act, was proposed by Representative Ted Lieu in April 2018.
  131. FACT #118 HackerOne exceeded $30,000,000 in bounties paid out to hackers in June 2018.
  132. DOWNLOAD REPORT: https://www.hackerone.com/contact #hackerpoweredfacts
