Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights

December 21, 2021 HackerOne Team

For the fifth year in a row, HackerOne published a report that provides insights from the world’s largest database of vulnerabilities and bug bounty customer programs. Here are the top five findings:

  1. The adoption of ethical hacker programs is growing across all industries, with a 34% increase in total customer programs in 2021. The traditionally conservative industries of financial services and government continue to lead in the adoption of these testing programs, with a 62% increase in financial services programs and an 89% increase in government programs, led this year by the UK’s Ministry of Defence and Singapore’s GovTech agency.
     
  2. Hackers reported 21% more vulnerabilities in 2021 than in 2020. While traditional bug bounty saw a 10% increase in valid vulnerability reports, Vulnerability Disclosure Programs (VDPs) saw a 47% increase, and reports from hacker-powered pentests rose by 264%.
     
  3. The median price of a critical bug rose 20% from $2,500 in 2020 to $3,000 in 2021. The average bounty price for a critical bug rose by 13%, and by 30% for a high severity-rated bug.
     
  4. In the past year, the industry-wide median time to resolution fell by 19% from 33 days to 26.7 days, with some industries such as retail and e-commerce seeing time-to-remediation dropping by more than 50%.
     
  5. The number-one most discovered bug on HackerOne continues to be Cross-Site Scripting, but other bug categories have seen a significant increase since 2020. Information Disclosure saw a 58% increase in valid reports and Business Logic Errors had a 67% increase, giving them a spot on the HackerOne Top 10 for the first time.

Join HackerOne’s new CISO, Chris Evans, to delve into the findings of the report at a free webinar where you’ll discover the fastest-growing vulnerability categories, how bounty prices are changing year over year, and which industries are fastest to fix. Read the full 2021 Hacker-Powered Security Report: Industry Insights here.