HackerOne announced findings from the 2018 Hacker-Powered Security Report, based on over 72,000 resolved security vulnerabilities, 1,000 customer programs and more than $31 million in bounties awarded to hackers from over 100 countries. The annual report is a benchmark study of the bug bounty and vulnerability disclosure ecosystem based on the largest data set of reported vulnerabilities.
Bounties for high impact findings are rising
Hackers are finding more severe vulnerabilities than ever before. The total number of high or critical severity vulnerabilities increased by 22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities were classified as high to critical severity across industries. As a result, bounties for high impact findings are rising. The top bounty awarded for a single report reached $75,000 in 2017.
The most competitive programs, such as those run by Google, Microsoft and Intel, are offering bounty awards of $250,000 for critical issues. Meanwhile, false positives are becoming a relic of the past: the platform-wide Signal score is 80 percent, meaning 80 percent of submitted and qualified reports are valid.
“Crowdsourced security testing is rapidly approaching critical mass, and ongoing adoption and uptake by buyers is expected to be rapid,” Gartner reported. Governments are leading the way with adoption globally. In the government sector there was a 125 percent increase year over year, with new program launches including the European Commission and the Ministry of Defense Singapore joining the U.S. Department of Defense on HackerOne. Proposed legislation such as the Hack the Department of Homeland Security Act, the Hack Your State Department Act, the Prevent Election Voting Act, and the Department of Justice Vulnerability Disclosure Framework further demonstrates public sector support for hacker-powered security.
More industries continue to adopt bug bounties
Industries beyond technology continued to increase their share of the overall hacker-powered security market. Consumer Goods, Financial Services & Insurance, Government, and Telecommunications account for 43 percent of today’s bug bounty programs. Automotive programs increased 50 percent in the past year and Telecommunications programs increased 71 percent.
Enterprises across industries saw a 54 percent year-over-year increase in adoption of vulnerability disclosure programs (VDPs). Still, leading organizations remain vastly underprepared for effective discovery, communication, remediation, and disclosure of vulnerabilities: 93 percent of the 2017 Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by third parties.
“The world is embracing the highly skilled and creative hacker community to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A model once reserved for the largest, tech-advanced companies in the world is now being implemented by organizations of any size, industry and connected corner of the globe. Hacker-powered security is reaching critical mass, and everyone is benefitting from a more secure internet.”