Interactive Hacker Powered Security Report | HackerOne

The Hacker-Powered Security Report 2018

The study on the hacker-powered security ecosystem

The 2018 Hacker-Powered Security Report is the Most Comprehensive Report on Hacker-Powered Security.

Data is derived from HackerOne’s community of hackers and from platform data for 2017 (defined as May 2017–April 2018) unless otherwise noted. We analyzed 78,275 security vulnerability reports received in the past year from ethical hackers who reported them to over 1,000 organizations through HackerOne.

According to Gartner, crowdsourced security testing is ‘rapidly approaching critical mass’. You will find supporting evidence in this report on the hacker-powered security ecosystem.

important terms

hacker

One who enjoys the intellectual challenge of creatively overcoming limitations.

hacker-powered security

Any technique that utilizes the external hacker community to find unknown security vulnerabilities and reduce cyber risk. Common examples include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs and vulnerability disclosure policies. With hacker-powered security testing, organizations can identify high-value bugs faster with help from the results-driven ethical hacker community.

Section 1

Key Findings

key finding #1

Critical Vulnerabilities are Earning Higher Bounties.

Figure 1: Bug bounty reward competitiveness for critical vulnerabilities from May 2017 to April 2018. Organizations in the 99th percentile, rewarding $20,000 on average, are rewarding bounties higher on average than 99% of the programs on HackerOne.
Figure 1 series: Bounties 99th Percentile; Bounties 90th Percentile; Bounties 80th Percentile; Bounties 60th Percentile.

average bounty payout by severity

key finding #2

Bug Bounty Earning Potential is Changing Lives.

Figure 2: Median annual wage of a “software engineer” was derived from PayScale for each region. The multiplier was found by dividing the upper range of bounty earners on HackerOne for the region by the median annual wage of a software engineer for the related region.

salary multiplier

key finding #3

Governments are Leading the way with Adoption Globally.

Legal experts and market leaders embrace VDPs. The practice has been defined by the U.S. Department of Justice (DoJ) and in ISO 29147. The VDP instructs hackers on how to submit vulnerability reports, and defines the organization’s commitment to the hacker on how reports will be handled.
"All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system," said Rod Rosenstein, Deputy Attorney General. "The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises."

key finding #4

Valid Reports Hit an All-Time High as Program Signal Becomes a Primary Performance Metric

Clear Signal: Bug bounty reward competitiveness for critical vulnerabilities from May 2017 to April 2018. Organizations in the 99th percentile, rewarding $20,000 on average, are rewarding bounties higher on average than 99% of the programs on HackerOne.

Nominal Signal: These reports are closed as "informative" or as duplicates of resolved issues. While not contributing to clear signal, many of these reports were technically accurate based on the best information available to the researcher.

Noise: These reports are closed as “Not Applicable,” “Spam” or duplicates of these types. This represents the noise in the signal-to-noise ratio.

Historical signal-to-noise ratio

public programs

private programs

key finding #5

Adoption of Vulnerability Disclosure Policies (VDP) is on the Rise Across Enterprise Organizations.

20% of conglomerates have vulnerability disclosure or bug bounty programs, including General Electric, Siemens, Honeywell International, ABB, Philips and others, up from 14% in 2017.

key finding #6

Less Than 5% of Hackers Learn to Hack in the Classroom

A consistent theme every hacker has in common: curiosity and the thirst to learn. To train future cybersecurity leaders, the broader security community needs to invest in education. In 2017, HackerOne continued to do just that.

Hacker101 is an online web security course designed to educate the next generation of ethical hackers. Taught by HackerOne security researcher Cody Brocious, the material teaches enthusiastic bug hunters the skills required to be successful. Visit www.hacker101.com to learn more.

Section 2

A History of Hacker-Powered Security

A timeline of defining events related to vulnerability disclosure policies, bug bounties, security research, and hackers.
  1. The first known “bug” bounty program that paved the way for today’s industry is launched by operating system company Hunter & Ready, Inc.
  2. In response to the first major computer virus, the Computer Emergency Response Team (CERT) coordination center is created to research software vulnerabilities.
  3. Netscape launches the first “modern-day” bug bounty program, offering monetary rewards for Netscape Navigator 2.0 Beta.
  4. MAY: Seven members of Boston-based hacker think tank “L0pht” appear before a Senate committee and bluntly state that networks of computers and software are terribly insecure.
  5. Nomad Mobile Research Center (NMRC) publishes a bug disclosure policy stating their intent to verify problems and contact vendors with technical details.
  6. FEBRUARY: Chris Wysopal and Steve Christey of the Internet Engineering Task Force publish the Responsible Vulnerability Disclosure Process.
  7. AUGUST: IDefense’s Vulnerability Contributor Program launches with rewards to researchers who find vulnerabilities in software systems.
  8. AUGUST: Open Sourced Vulnerability Database (OSVDB) is launched to provide technical information on vulnerabilities.
  9. AUGUST: Mozilla Foundation starts offering bug bounties up to $500 for critical vulnerabilities found in Firefox and other Mozilla software.
  10. JULY: Zero Day Initiative launches to help connect security researchers with vendors and encourage the responsible reporting of zero-day vulnerabilities through financial incentives.
  11. The first PWN2OWN contest kicks off, igniting a competition to exploit Mac OSX across a limited time frame.
  12. MARCH: Alex Sotirov, Dino Dai Zovi, and Charlie Miller petition for “no more free bugs” at the CanSecWest conference.
  13. Google announces a bug bounty program for web applications, Mozilla expands its program to include web properties, and Microsoft announces their Coordinated Vulnerability Disclosure Policy.
  14. APRIL: Microsoft implements a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.
  15. JULY: Facebook announces a bug bounty program with a $500 minimum reward for valid bugs.
  16. HackerOne is founded with the mission to empower the world to build a safer internet.
  17. MARCH: The Government of the Netherlands publishes their Guideline for responsible disclosure of IT vulnerabilities.
  18. OCTOBER: Microsoft offers its first bug bounty to identify bugs in Internet Explorer.
  19. NOVEMBER: Facebook and Microsoft sponsor the creation of the Internet Bug Bounty (IBB) program for core internet infrastructure and free open source software.
  20. JANUARY: Microsoft helps draft ISO/IEC 29147:2014, which provides guidelines for the disclosure of potential vulnerabilities in products and online services.
  21. APRIL: HackerOne launches Hacktivity, showcasing public vulnerability coordination activity occurring on the HackerOne platform.
  22. JULY: Google creates Project Zero, a team of top security researchers working full-time to identify zero-day vulnerabilities in any software.
  23. AUGUST: Oracle’s security chief, Mary Ann Davidson, publishes a rambling missive against the security research industry.
  24. NOVEMBER: HackerOne launches Disclosure Assistance to help hackers report vulnerabilities safely to organizations without public disclosure programs.
  25. JANUARY: European Union Agency for Network and Information Security (ENISA) publishes “Good Practice Guide on Vulnerability Disclosure” to propose recommendations for vulnerability disclosure.
  26. APRIL: First Federal bug bounty program, Hack the Pentagon launches.
  27. MAY: Global Forum on Cyber Expertise announces that 29 organizations signed the “Coordinated Vulnerability Disclosure Manifesto” to showcase their public vulnerability reporting mechanisms.
  28. AUGUST: HackerOne kicks off its first live hacking event in Las Vegas, H1-702, paying out over $150K in bounties in just 3 days.
  29. NOVEMBER: The U.S. Department of Defense kicks off the first government VDP.
  30. DECEMBER: National Telecommunications and Information Administration (NTIA) Safety Working Group publishes v1.1 of “Coordinated Vulnerability Disclosure Template” as a guide for companies on security researcher disclosure best practices and policies.
  31. DECEMBER: Food and Drug Administration issues “Postmarket Management of Cybersecurity in Medical Devices” to inform industry and FDA staff of the Agency’s recommendations for proactively managing cybersecurity vulnerabilities.
  32. FEBRUARY: Federal Trade Commission provides comments on the NTIA’s “Coordinated Vulnerability Disclosure Template”, stating that “the template could be a useful tool for any company providing software-based products and services to consumers.”
  33. MAY: Hack the DHS, a bill to establish a bug bounty pilot program within the Department of Homeland Security is proposed, and later in 2018 passes the U.S. Senate by unanimous vote.
  34. JULY: US Department of Justice publishes A Framework for a Vulnerability Disclosure Program for Online Systems.
  35. AUGUST: Carnegie Mellon University’s Software Engineering Institute publishes “The CERT® Guide to Coordinated Vulnerability Disclosure” to describe best practices for when vulnerabilities are discovered.
  36. AUGUST: UC Berkeley class CS 194-138/294-138 opens to undergraduate and graduate level engineering students with a cybersecurity curriculum utilizing bug bounty programs in coursework.
  37. AUGUST: U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT), introduce bipartisan legislation to improve the cybersecurity of Internet of Things (IoT) devices.
  38. OCTOBER: In remarks delivered at the Global Cybersecurity Summit, Deputy Attorney General Rod J. Rosenstein says “All companies should consider promulgating a vulnerability disclosure policy.”
  39. FEBRUARY: HackerOne and others testify before the U.S. Senate on the benefits and nature of hacker-powered security. Senators express their support for this vital form of cybersecurity.
  40. APRIL: Hack Your State Department Act is proposed and would require the Secretary of State to design and establish a VDP.
  41. APRIL: Facebook announces their Data Abuse Bounty, offering rewards for reports of data abuse.
  42. MAY: Goldman Sachs becomes the first investment bank to launch a public VDP.
  43. JUNE: U.S. Representatives Mike Quigley (R-IL) and John Katko (R-NY) introduce “Hack the Election,” or the Prevent Election Hacking Act of 2018, to help combat the threat of election hacking in part by creating a bug bounty program.
  44. JUNE: HackerOne exceeds $30,000,000 in bounties paid out to hackers.

customer spotlight

General Motors

General Motors became the first major automaker to launch a public vulnerability disclosure program (VDP) in 2016. Its purpose? To protect its customers by working with hackers to safely identify and resolve security vulnerabilities. In just two years, GM has resolved more than 700 vulnerabilities across the entire supply chain, with help from over 500 hackers.


"Hackers have become an essential part of our security ecosystem." Jeff Massimilla, Vice President, Global Cybersecurity

Customer data panel (vulnerabilities resolved, company size, participating hackers); product: HackerOne Response.
Section 3

Industry Trends

Vulnerabilities by Industry

More than 72,000 vulnerabilities have been resolved on HackerOne as of May 2018, with more than one-third of those—27,000—resolved in the past year alone.


Listed are the top 15 vulnerability types platform wide, and the percentage of vulnerabilities received per industry.

Trending Vulnerability Spotlight

There has been a significant rise in security incidents as a result of insecure storage vulnerabilities, the most common involving Amazon Simple Storage Service (often referred to as S3 Buckets). S3 Buckets are typically used by IT departments to store source code, certificates, passwords, and other data. Misconfigurations have exposed names, addresses, credit scores, and partial Social Security numbers, and have allowed for man-in-the-middle attacks. Recent incidents with auto loan, telecommunications, and entertainment organizations have affected as many as 17 million consumers. Over the past year, there has been a stark increase in vulnerabilities related to insecure storage of sensitive information. In fact, there were 38 times more insecure storage vulnerabilities reported on HackerOne in 2017 compared to 2016.

Time to Resolution by Industry

Time to resolution is the number of business days it takes for a security team to resolve a reported bug and a key indicator of program health. It is the primary metric that shows hackers what they can expect from the program.

Average number of days to resolution and to reward, measured from May 2017 to April 2018.
Chart series: average days to resolution; average days to bounty.

Bounty Trends: Top Awards

From HackerOne’s inception in 2012 through June 2018, organizations have awarded hackers over $31 million. More than one-third of that, $11.7 million, was awarded in the past year alone, reflecting the striking growth trajectory of hacker-powered security.

Charts: Top Bounties Awarded; Total Bounties Paid. The top bounties awarded in 2017 on the HackerOne platform by industry.

customer spotlight


Oath

In April 2018, 41 hackers representing 11 countries were in San Francisco hacking Oath, a media and tech company that includes Yahoo, AOL, Verizon Digital Media Services, TechCrunch, and many more dynamic brands. In just nine hours of hacking, Oath awarded hackers over $400,000 in bounties. This live-hacking event was dubbed H1-415, with 415 representing the San Francisco area code.

"It was empowering to witness the dedication, persistence and creativity of the hacker community live and in person." Chris Nims, CISO, Oath

Customer data panel (vulnerabilities resolved, company size, participating hackers); product: HackerOne Bounty.
Section 4

Community
Statistics

The 2018 Hacker Report, published by HackerOne in January, is the largest documented survey ever conducted of the ethical hacking community.

Here are some of the top highlights of the report, providing insights on the hacker mindset, statistics and growth metrics, where they’re from, and what vulnerabilities they hunt.
Headline statistics shown: total registered hackers; total vulnerabilities resolved to date; total bounties paid.

On average, approximately how many hours per week do you spend hacking?

Answer options: 1-10; 10-20; 20-30; 30-40; 40+

Why do you hack?

What is your age?

Answer options: Under 13; 13-17; 18-24; 25-34; 35-49; 50-64


The Hacktivity Feed

The Hacktivity feed continues to be a resource for hackers to learn from their peers. Of note, in total, over 6,200 reports have been disclosed on HackerOne’s hacktivity. These disclosed vulnerability reports are an invaluable learning tool for hackers, and a simple disclosure mechanism for HackerOne customers.

Section 5

Live-Hacking
Events

Bringing the Community Together for Global Live-Hacking Events

We host live-hacking events in cities around the world, connecting security teams with top hackers. In the past year, HackerOne hosted live-hacking events in seven cities: Las Vegas (H1-702), New York City (H1-212), Goa, India (H1-91832), Washington DC (H1-202), San Francisco (H1-415), Amsterdam (H1-3120), and London (H1-4420). For each event, we partner with our customers to fly out 25 to 40 (sometimes over 50!) of the top members of our community from across the globe to participate.

H1-702 Las Vegas July 2017
H1-212 New York December 2017
H1-91832 India February 2018
H1-202 Washington, DC March 2018
H1-415 San Francisco April 2018
H1-3120 Amsterdam May 2018
H1-4420 London June 2018