Bug Bounty Programs Taking Off!

October 4th, 2016

The more you let friendly hackers hack you, the less the criminals can hack you.

Bug bounty programs are revolutionizing the security industry and becoming an indispensable part of the modern software development lifecycle. You get useful results in the first 24 hours, and your program keeps producing results for years.

Bug bounty programs are the fastest, most diverse and most complete way of identifying vulnerabilities in live systems. It’s remarkably cost-effective too. Unlike most other security offerings, you don’t pay for false positives or defense not used. In a bug bounty program, you pay for results: the vulnerability reports that you deem truly valuable.

If your company relies on software, you need a bug bounty program. The skill set available outside of the company is greater than what’s inside, no matter how strong the inside security team is. Just like in a neighborhood watch, there is strength in numbers.

Cyber security is such a hot topic that Donald Trump made controversial statements about it at the presidential debate. Hillary Clinton recommends that every government agency run bug bounty programs modeled after Hack the Pentagon. That’s the bug bounty program that the DoD handpicked HackerOne to run. Even the strongest organization has vulnerabilities, and admitting them is the path to increased strength.

We are coming out of Q3 with flying colors. HackerOne is by far the world’s largest marketplace for white hat hackers helping organizations to find flaws in their systems. Through our platform, over $10,000,000 has been paid in bounties to thousands of hackers around the world.

Thanks to these hackers, our customers have fixed over 30,000 vulnerabilities in their systems. We can only imagine the savings compared to leaving those vulnerabilities open to criminal exploitation. By some estimates, the average cyber breach carries a cost of $6m. Even a single vulnerability can be enough for a criminal to break in and cause a big loss. Fortunately, the average bounty for a vulnerability report is less than $600. This points at the enormous benefit and value of bug bounty programs. Six hundred bucks can save you six million.

Today HackerOne is running over 600 customer programs, aided by tens of thousands of hackers around the world. Our platform produces the best signal-to-noise ratio in the industry, and for every dollar we receive, we pay much more to the hackers than any other platform. The buck belongs to the one who found the bug. The hackers are typically young (under 24) and self-taught. They hack for several reasons: money, fun, challenge, career, and to do good. They have the best of our connected society in mind.

We take our mission seriously. HackerOne is here to empower the whole world to build a safer internet. We intend to keep growing the number of programs and the number of hackers rapidly. We also are key sponsors of the Internet Bug Bounty, a program that pays bounties to hackers who identify vulnerabilities in vital open source products and projects. The absence of a wealthy owner of some vital piece of software must not stop us from making it more secure.

The quality of our hacker community is growing quickly. We have distributed nearly 5,000 ebooks on hacking to aspiring hackers in our network. As with other two-sided marketplaces such as Uber and Airbnb, there is a reputation system that ensures that you get the best possible service. When you join as a hacker, you get 100 points. Through hard work and by submitting useful vulnerability reports, your score will increase. If you produce useless reports, your score will shrink. In the past few months we have seen 4 top hackers go beyond 10,000 reputation points. That, if anything, is a sign of hacker skills that can measure up against anyone and anything.

HackerOne has paid out more in bounties than any other platform or program. It is not just the total amount that is high; the average bounty amount per rewarded hacker is also higher on HackerOne. This means that hackers make more money on HackerOne than on any other platform. A great example is Mark Litchfield, who recently crossed the magical limit of $500,000 earned on HackerOne programs alone. Another hacker bought an apartment for his mother. Bug hunting can be a great source of income for skilled white hat hackers.

Among our recently launched public bug bounty programs, Uber deserves a special mention for paying out $345,000 in bounties in the first 100 days. We also saw Yelp go from a private program to a public one. Kaspersky Lab and Panasonic Avionics launched at Black Hat in Las Vegas in August. On the European scene, insurance company LocalTapiola increased their maximum bounty to an impressive $50,000 and Swisscom launched their new program. Earlier this year, we launched GitHub, New Relic and General Motors. The leading companies of the world are making sure their vulnerabilities are found, so that they can be fixed.

In summary, HackerOne is the place where the best security practices come to bear and vulnerabilities meet their nemesis. With 30,000 vulnerabilities fixed so far, the internet is more secure. But with over 100 billion lines of new software code produced and deployed each year, we still have much work to do, so please help us spread the word! Every organization needs a bug bounty program.

Marten Mickos
marten@hackerone.com
CEO, HackerOne