Skip to main content

How much is a bug worth? Introducing Bounty Statistics

  • December 13th , 2016

Ever wondered how much you should reward a hacker? Too little and you risk offense, too much and you set the wrong expectations. What do other programs tend to pay for a particular vulnerability? Today, HackerOne gives you this insight with Bounty Statistics.

Over the course of bug bounty history, opinions have fluctuated on what a specific report can be worth. From “Mr. Woodbridge” offering $500 for a picked lock, to Hunter & Ready offering up a Volkswagen Beetle. On HackerOne, companies have awarded over 11,000 bounties and counting, for everything from hypothetical issues to mission-critical systems.

After a considerable beta period, HackerOne is proud to publicly launch “Bounty Statistics”. We have collated the data from our 500+ bounty paying programs, and will show you the results every time you award a bounty!

Integrated with the recently launched CVSS severity setting on reports, we will now automatically show you the median bounty across our platform for that severity, as well as what programs at a competitive and top level are paying out.

Alt textCompetitive bounty level for a High severity report

These statistics can help you gauge your reward competitiveness, as well as help you be as consistent as possible in awarding bounties! Please let us know what you think, and if/how bounty statistics helped you at, or on Twitter - @hacker0x01.

  • Dirk Zittersteyn, Philip Kocanda and the HackerOne team.

Recent articles

The best security initiative you can take in 2017

As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our…

Bug Bounties Help Keepsafe Secure The Data of 50 Million Consumers

Keepsafe is on a mission to help us keep our private lives as they should be - private. Bug bounties are a big…

Hack The Army Results Are In

The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant…