Hackers Report First Security Vulnerability to 77% of Customers Within 24 Hours HackerOne Report Reveals

Government Programs Increased 214%, Customers Resolved 30,541 Security Vulnerabilities, and Hackers Earned $21 Million in Last 12 Months Report Shows

SAN FRANCISCO--()--HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced findings from its 2019 Hacker-Powered Security Report. The report is the largest study of bug bounty, vulnerability disclosure and hacker-powered pentest programs. The report examines trends from 120,000+ security vulnerabilities resolved for 1,400+ customers, earning hackers over $62 million in bounties.

When a new bug bounty program is launched, in 77% of the cases, hackers report the first valid vulnerability within 24 hours. Twenty-five percent of valid vulnerabilities found are classified as being of high or critical severity. Every five minutes, a hacker reports a vulnerability through a bug bounty or vulnerability disclosure program. Every 60 seconds, a hacker partners with an organization on HackerOne. That’s more than 1,000 interactions per day with hackers and companies or governments working towards a safer internet. That is how fast security can improve when hackers are invited to contribute.

“Hacking is here for good, for the good of all of us,” said HackerOne CEO Marten Mickos. “Half a million hackers have willingly signed up with HackerOne to help solve one of the greatest challenges our society faces today. We cannot prevent data breaches, reduce cyber crime, protect privacy or restore trust in society without pooling our defenses and asking for external help.”

Key findings include:

  • The average bounty paid for critical vulnerabilities increased to $3,384 in the past year. A 48% increase over last year’s average of $2,281 and a 71% increase over the 2016 average of $1,977. Bounty values for less severe vulnerabilities are also rising, with the average platform-wide bounty increasing 65%.
  • Governments had the strongest year over year industry growth at 214%, and last year saw the first launch of programs at the municipal level. Strong program adoption took place in Automotive (113%), Telecommunications (91%), Consumer Goods (64%), and Cryptocurrency & Blockchain (64%) industries.
  • The majority of bug bounty programs remain private at 79% with little change from years prior. Public bug bounty programs engage six times as many hackers.
  • Today six out of 10 of the top banks in North America are running hacker-powered security programs on HackerOne. Financial services organizations running hacker-powered security programs increased 41% this year.
  • Six hackers surpassed $1 million in lifetime earnings, seven more hit $500,000 in lifetime earnings, and more than 50 earned $100,000 or more in the past year alone. Skilled and dedicated hackers have the potential to build a career and make a competitive living with the opportunities offered by hacker-powered security.
  • Globalization of hacker-powered security continues to increase. Several new countries entered the top 10 highest paying, hackers living in 19 countries earned more than $100,000 in total last year, and more organizations in more countries are hosting live hacking events. Hackers from 84% of all the countries in the world have submitted vulnerability reports.
  • Hacker-powered pentests on the rise as organizations are using hackers to bring simulations of real-world attacks to security testing. In a recent report, one organization detailed how hacker-powered pentests helped them eliminate $156,784 in total costs and save an additional $384,793 over three years by reducing internal security and application development efforts.

“Hackers are no longer anonymous guns-for-hire,” the report explains. “They are being embraced by everyone from the insurance industry to government agencies. Today, hacker-powered security is a given part of a mature and proactive security program. It’s not hard to see why. Businesses process more sensitive data and more personal information than ever before. Working with hackers allows you to provide security at the speed of innovation.”

The 2019 Hacker Powered Security Report is the industry’s most comprehensive report on security delivered by hackers, evaluating the topics explained above and more. The data comes from HackerOne’s community of hackers and the database of vulnerabilities reported and resolved. Unless otherwise stated, numbers represent the 12 months from May 2018 through April 2019.

The full report is available at https://www.hackerone.com/resources/hacker-powered-security-report-2019.

About HackerOne

HackerOne is the #1 hacker-powered pentest & bug bounty platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,500 other organizations have partnered with HackerOne to find over 130,000 vulnerabilities and award over $64M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore.


Samantha Spielman


Samantha Spielman