HackerOne Report Unveils Latest Hacker-Powered Security Trends From Largest Vulnerability Data Set

Organizations Resolved 27,000 Vulnerabilities, Hackers Earned $11.7 Million in Last 12 Months

SAN FRANCISCO -- July 11, 2018 -- HackerOne, the leading bug bounty and vulnerability disclosure platform, today announced findings from the 2018 Hacker-Powered Security Report, based on over 72,000 resolved security vulnerabilities, 1,000 customer programs and more than $31 million in bounties awarded to hackers from over 100 countries. The annual report is a benchmark study of the bug bounty and vulnerability disclosure ecosystem based on the largest data set of reported vulnerabilities.

Hackers are finding more severe vulnerabilities than ever before. The total number of high or critical severity vulnerabilities increased by 22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities were classified as high to critical severity across industries. As a result, bounties for high impact findings are rising. The top bounty awarded for a single report reached $75,000 in 2017. The most competitive programs like Google, Microsoft and Intel are offering $250,000 bounty awards for critical issues. Meanwhile, false positives are becoming a relic of the past, with 80 percent Signal platform-wide, meaning 80 percent of submitted and qualified reports are valid.

“Crowdsourced security testing is rapidly approaching critical mass, and ongoing adoption and uptake by buyers is expected to be rapid,” Gartner reported. Governments are leading the way with adoption globally. In the government sector there was a 125 percent increase year over year, with new program launches including the European Commission and the Ministry of Defense Singapore, joining the U.S. Department of Defense on HackerOne. Proposed legislation such as the Hack the Department of Homeland Security Act, Hack Your State Department Act, Prevent Election Voting Act, and the Department of Justice Vulnerability Disclosure Framework further demonstrates public sector support for hacker-powered security.

Industries beyond technology continued to increase their share of the overall hacker-powered security market. Consumer Goods, Financial Services & Insurance, Government, and Telecommunications account for 43 percent of today’s bug bounty programs. Automotive programs increased 50 percent in the past year and Telecommunications programs increased 71 percent. Enterprises across industries saw a 54 percent year-over-year increase in VDP adoption. Still, leading organizations remain vastly underprepared for effective discovery, communication, remediation, and disclosure of vulnerabilities: 93 percent of the 2017 Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by third parties.

“The world is embracing the highly skilled and creative hacker community to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A model once reserved for the largest, tech-advanced companies in the world, is now being implemented by organizations of any size, industry and connected corner of the globe. Hacker-powered security is reaching critical mass, and everyone is benefitting from a more secure internet.”

The most authoritative report on the hacker-powered security ecosystem.

The 2018 Hacker-Powered Security Report examines data collected from over 1,000 bug bounty and vulnerability disclosure programs around the world. The report includes analysis of nearly 72,000 resolved vulnerabilities, plus insight from HackerOne’s community of over 200,000 registered hackers. HackerOne also analyzed VDP data from the Forbes Global 2000 to better understand hacker-powered security adoption.