How much is a bug worth? Introducing Bounty Statistics

  • December 13th, 2016

Ever wondered how much you should reward a hacker? Too little and you risk offense, too much and you set the wrong expectations. What do other programs tend to pay for a particular vulnerability? Today, HackerOne gives you this insight with Bounty Statistics.

Over the course of bug bounty history, opinions have fluctuated on what a specific report can be worth, from “Mr. Woodbridge” offering $500 for a picked lock to Hunter & Ready offering up a Volkswagen Beetle. On HackerOne, companies have awarded over 11,000 bounties and counting, for everything from hypothetical issues to mission-critical systems.

After a considerable beta period, HackerOne is proud to publicly launch “Bounty Statistics”. We have collated the data from our 500+ bounty paying programs, and will show you the results every time you award a bounty!

Integrated with the recently launched CVSS severity setting on reports, we will now automatically show you the median bounty across our platform for that severity, as well as what programs at a competitive and top level are paying out.

[Image: Competitive bounty level for a High severity report]

These statistics can help you gauge your reward competitiveness, as well as help you be as consistent as possible in awarding bounties! Please let us know what you think, and if/how bounty statistics helped you at, or on Twitter - @hacker0x01.

  • Dirk Zittersteyn, Philip Kocanda and the HackerOne team.
