How much is a bug worth? Introducing Bounty Statistics

  • December 13th, 2016

Ever wondered how much you should reward a hacker? Too little and you risk offense; too much and you set the wrong expectations. What do other programs tend to pay for a particular vulnerability? Today, HackerOne gives you this insight with Bounty Statistics.

Over the course of bug bounty history, opinions have fluctuated on what a specific report can be worth, from “Mr. Woodbridge” offering $500 for a picked lock to Hunter & Ready offering up a Volkswagen Beetle. On HackerOne, companies have awarded over 11,000 bounties and counting, for everything from hypothetical issues to mission-critical systems.

After a considerable beta period, HackerOne is proud to publicly launch “Bounty Statistics”. We have collated the data from our 500+ bounty paying programs, and will show you the results every time you award a bounty!

Integrated with the recently launched CVSS severity setting on reports, we will now automatically show you the median bounty across our platform for that severity, as well as what programs at a competitive and top level are paying out.

[Image: Competitive bounty level for a High severity report]

These statistics can help you gauge your reward competitiveness, as well as help you be as consistent as possible in awarding bounties! Please let us know what you think, and whether and how Bounty Statistics helped you, at feedback@hackerone.com or on Twitter at @hacker0x01.

  • Dirk Zittersteyn, Philip Kocanda and the HackerOne team.
