$20M in Bounties Paid and $100M In Sight

$20M in Bounties Paid and $100M In Sight

Over 50,000 vulnerabilities found and fixed. Over 100,000 hackers strong in the HackerOne community. Over $20 million paid in bounties to those who help make the connected world more secure.

Hacker-powered security is emerging as the most potent cure to the sorry state of software security. The vulnerabilities that go unnoticed by scanners and other expensive security products are more quickly and more cost-effectively found by ethical hackers.

Once a vulnerability is found and described, it can be fixed. Bad news is good news. When you know what’s wrong, you are just one step away from a fix. Best of all, you only pay for the vulnerabilities you find useful and are able to validate, versus alternative products and services that require up-front cost with no guarantee that any vulnerabilities will be found.

The US Department of Defense (DoD) came to this conclusion in early 2016 when they selected HackerOne’s platform to help connect them directly with the hacker community to find unknown vulnerabilities within their internet-facing systems.

Over the last year, HackerOne and the DoD have partnered on wildly successful bug bounty challenges including, Hack the Pentagon, Hack the Army and Hack the Air Force, awarding nearly $300,000 in bounty rewards and saving the DoD millions of dollars across multiple challenges. HackerOne is proud to partner with and serve the US Government, most recently the General Service Administration's Technology Transformation Service.

“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Secretary of Defense, Ash Carter, said of Hack the Pentagon on HackerOne.

Look at the examples of Google, Facebook and Microsoft. They operate the most modern software deployments and are the world’s biggest users of hacker-powered security, spending millions a year rewarding external hackers for helping them find flaws in their systems. Arguably, they are among the most secure companies in the world. What they do first at large scale, others will mimic and do in smaller scale.

That’s what HackerOne is about.

We take the best practices and enlist the best hackers so that we can then offer hacker-powered security to companies of all sizes and all stages of modernization.

We just reached the milestone of $20 million in rewards to hackers. The pace of growth is increasing, and we are now setting our aim at $100 million by the end of 2020.

When we reach that milestone, we may very well have 1 million ethical hackers signed up on our platform. By our estimates we will have helped our customers find and fix over 200,000 vulnerabilities. That amounts to an enormous improvement of the security of the world’s connected systems.

It is not possible to exactly estimate how much these fixes will save the world in terms of avoidance of data breaches, but let’s give it a try. With 200,000 vulnerabilities fixed, about 16,000 of them will be of critical severity.

Let’s further assume that every 10th of those critical vulnerabilities could have led to a data breach or costly security incident if left unfixed. Knowing that the average cost of a data breach is $7 million in the US, we can estimate a total saving of around $10 billion dollars (16,000 vulns divided by 10 and multiplied by $7 million).

Ten billion dollars in savings in a market that spends about $100 billion per year is remarkable. It points to the huge positive impact of hacker-powered security. It points to a future where our connected systems will be much more secure than today. Perhaps the situation isn’t as hopeless as many industry pundits would want us to believe.

At the other side of this equation, the results are equally impressive. All over the world, populations are gathering in giant cities, creating a new urban civilization of highly-skilled people who have access to the internet and understand everything about it. These people long to be useful to the world. They are the builders of our connected society.

A hundred thousand of them have already signed up with HackerOne. That’s far more than there are malicious hackers in the whole world. And the number of ethical hackers is growing. By the end of 2020 we estimate the number to grow close to 1 million.

Today, some of the best hackers on HackerOne who live in India earn more than 18 times the salary of an average software engineer in their home country. This model is providing the new computer-savvy generation a rewarding way to be useful to society and build a successful career making the internet more secure.

The bounties hackers are awarded for their contributions to a safer internet are changing lives. They are paying for education, supporting their families, buying homes and cars, and building a future that may not have been possible otherwise.

Through the relationships with security teams, hackers are starting new careers and building fantastic skills and resumes. The future is brighter when we work together.    

Just a few years ago, bug bounty programs were the privilege of few cloud-based companies. The hackers powering them counted in the thousands, and rewards were modest. Today we stand here 100,000 hackers strong, with 50,000 vulnerabilities eradicated and $20 million in rewards distributed to the heroes of hacker-powered security.

Soon we will have 1 million hackers, 200,000 vulnerabilities found and fixed, and $100 million paid out in rewards. The savings thanks to avoidance of data breaches will be on the order of $10 billion. This is huge, and it’s just the beginning.

Marten Mickos
CEO HackerOne



HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.

The Ultimate Guide to Managing Ethical and Security Risks in AI

AI Ebook