Bug bounty earnings soar, but 63% of ethical hackers have withheld security flaws – study

HackerOne community has doubled in 12 months

White hat hackers collectively earned more in bug bounties through HackerOne in 2019 than in every other year combined since the platform’s launch in 2012, a new study has revealed.

Bug hunters together earned around $40 million through the world’s biggest bug bounty platform last year, and more than $82 million for submissions of valid security vulnerability reports, according to HackerOne’s 2020 Hacker Report.

The jump in total earnings appears to be driven by a rise in both the number of programs and the average value of payouts.

Year on year, the number of bug bounty and vulnerability disclosure programs on the HackerOne platform jumped from around 1,200 in 2019 to 1,700 last year, while the average bounty for critical flaws nearly doubled to $3,384.

Alarmingly, nearly two-thirds of those polled (63%) said they had found security bugs only to decide against notifying the organization in question.

The most common reason for withholding their discovery, cited by 38% of respondents, was threatening legal language on the organization’s website around reporting vulnerabilities, followed by the lack of an obvious reporting channel (21%), and the organization having been unresponsive to previous bug reports (15%).

HackerOne’s fourth annual report also reveals that seven hackers have now earned more than $1 million in bug bounties so far in their career, with another 13 surpassing $500,000 in lifetime earnings.

A growing number of hackers have crossed the million-dollar earnings threshold

Time is money

Incentivised by growing money-making opportunities, hackers appear to be devoting more time to ethical hacking.

Nearly one in five (18%) of those surveyed described themselves as full-time hackers, and almost 40% spent 20 hours or more a week hunting for security flaws in web, mobile, and IoT applications.

However, HackerOne says the bulk of its members make less than $20,000 per year, with 27% earning 10% of their income or less through bug bounty payouts.

The San Francisco-based platform also suggests freelancing as a bug hunter can act as a springboard to prestigious careers, with 80% of respondents saying they intended to leverage their hacker experience to land jobs, or that doing so had already secured them positions.

Regional growth

The report, which polled 3,150 respondents from more than 120 countries and territories, also notes a 250% year-on-year jump in bounties earned in the Asia-Pacific region.

A spokesperson for HackerOne told The Daily Swig that “the Singapore government has been particularly investing in growing hacker talent in the region. In the last few MINDEF challenges, they invited a majority of hackers from Singapore to help them train and get better.”

They also said that HackerOne is focusing greater resources on “regional hacker experiences”.

READ MORE Safe harbor needs to be built to provide haven for ethical hackers

“Hacker meetups are a very exciting development,” the spokesperson continued. “Our first one outside the US was held in India a few months ago.

“We have also maintained a strong presence for other hacker events in APAC and will look for that to continue – in 2019, we did 11 community-focused events across APAC and EMEA.”

US-based hackers generated the largest share of rewards, earning 19% of bug bounties, followed by India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%).

The US also led the way in terms of payout sources, with US-based organizations paying out over $29 million, followed by counterparts in the UK, Russia, Singapore, Germany, and Canada.

Community focus

HackerOne’s community of hackers, pen testers, and security researchers has nearly doubled year-on-year to surpass 600,000 people spanning 170 countries. Some 850 new recruits are joining the platform each day, the report said.

The report also found that 10% of HackerOne bug hunters – a growing proportion – are female or non-binary.

“As hacking becomes a critical component of security for more, larger, and more risk averse organizations, business leaders view hackers as just another consultant, contractor, or otherwise outsourced area of domain expertise,” said the report.
“Add in an extreme shortage of security professionals and their high salaries, and outsourced security […] has moved from the fringes of corporate infosec and into a decidedly mainstream occupation.”

Interestingly, although bug bounty hunting’s credibility as a career path is improving, only 16% of the hackers polled said they had completed formal training in the discipline, with the other 84% professing to be self-taught.

RELATED Meet the bug bounty platform putting community into crowdsourced security