Sam Spielman

Leading hacker-powered security platform reveals the global community of hackers uncovered 170,000 vulnerabilities, changing the way organizations do security

Hackers earn record-breaking $100M on HackerOne

HackerOne, the number one hacker-powered security platform, today announced that hackers have earned $100 Million in bug bounties by hacking for good on the HackerOne platform. A bounty — or bug bounty — is a monetary award given to a hacker who finds and reports a valid security weakness to an organization so it can be safely resolved. With nearly half of bounty earnings awarded in the past year alone, this record-breaking milestone showcases how the world’s largest hacker community is addressing the growing security needs of our increasingly interconnected society.

From $30,000 paid to hackers across the globe in October 2013 — the first month of bounty payments on HackerOne — to $5.9 million paid to hackers in April 2020, working with hackers has proven to be both a powerful way to pinpoint vulnerabilities across digital assets and more than just a past-time. It’s a career.

“We started out as a couple hackers in the Netherlands with a crazy belief that hackers like us could make organizations safer and do it more efficiently and cost-effectively than traditional approaches,” explained HackerOne co-founders Jobert Abma and Michiel Prins in their blog post about the milestone. “$100 Million in bounties later, maybe this idea isn’t so crazy after all. Thank you to all the hackers who have made the internet safer one vulnerability at a time. Hacking is here for good, for the good of all of us.”

The positive power of a growing community of ethical hackers pools our defenses against data breaches, reduces cybercrime, protects privacy, and restores trust in our digital society. Highlights from this journey to $100M include:

  • 84: The number of new hackers that sign up to the platform every hour
  • $6,000: The amount of bounties paid out on the platform every hour
  • 214%: Year-over-year hacker-powered security growth in the federal government
  • 85.6%: The year over year growth in total bounty payments, with 17.5% increase since February when COVID-19 was declared a pandemic.
  • 343%: The increase in signups over the past year on Hacker101 — HackerOne’s free online classes for aspiring hackers.
  • 38%: The increase in average weekly new registrants for Hacker101 since February, when COVID-19 was declared a pandemic.
  • Over 170,000: The number of vulnerabilities hackers have uncovered in nearly 2,000 customer programs

“We are building a community able to test and vet every piece of our digital connected civilization,” said HackerOne CEO Marten Mickos. “$100 Million is a number that attracts the best hackers, providing companies and governments unmatched ROI, significantly reducing the risk of data breach. We have arrived at the point in history where you are ignorant and negligent if you do not have a way to receive useful input from ethical hackers. In this new world of ever-evolving threats, the only way to get ahead is to get transparent. Openness, not secrecy, is the way forward.”

Back in 2017, Mickos predicted the community of hackers on HackerOne would grow to one million strong and would have earned $100 Million in bounties by the end of 2020. With over three quarters of a million individuals signed up to hack for good, we’re well on our way to exceeding these expectations. Mickos shared the following predictions for the future:

  • The HackerOne community produces outstanding security experts to fill the talent gap in the industry. Within the next 15 years, we expect to have produced over 500 Chief Information Security Officers (CISOs) out of our hacker ranks. These skilled and motivated people will help reduce cyber risk in key commercial enterprises and government agencies.
  • Hackers will earn $1 billion in bug bounties within five years on HackerOne.

“Some of my favorite highlights are absolutely the interactions with the people on the other side, and reactions to some of the bugs I've found,” reflected elite hacker Frans Rosen. “When the CISO of a company calls me up in the middle of the night to understand the severity and panics when he realizes the impact. When I build a little game to show the impact of a bug and the company responds with, ‘This is the best game ever, we've played it all day in the office.’ On live hacking events, when you submit a really critical bug and the team of the company fills the room afterwards to understand exactly what happened. I live for the reactions since I understand myself how I would feel to get the same kind of report.”

Every minute of every day, hackers and companies across the globe come together to enhance security. Businesses are constantly seeking to grow: expanding into new markets, shipping new products and services, adding customers, releasing mobile offerings, processing new forms of payment, increasing web assets, and so on. And every time they do, they add a new layer to their attack surface.

By partnering with willing organizations, trusted hackers are an extension of any security team and earn up to 36% more than they would as a software engineer in their home country. For companies, working with the largest, most active community of hackers allows them to be proactive about their security strategy in an efficient and cost effective way.

“Our first priority at Dropbox is the safety of our customers’ data, and we’ve looked to the global security research community on HackerOne to validate the security of our platform continuously,” said Justin Berman, Head of Security at Dropbox. “We have an industry-leading vulnerability disclosure program that protects ethical researchers and partnered with HackerOne to include sensitive vendors in the scope of our bug bounty program to help protect our entire ecosystem. Our hope is that bug bounty programs like ours continue to spearhead a culture of collaboration and transparency that benefits cybersecurity as a whole.”

For our founders’ reflections on this milestone and the journey to $100 Million in bounties, read more in their blog. CEO Marten Mickos also shares his analysis of the industry and what is to come for hacker-powered security. And for more about how organizations like Dropbox are working with hackers hacking for good to secure their attack surface, visit our blog.