HackerOne has today launched its 2018 Hacker-Powered Security Report, which is an annual study of the bug bounty and vulnerability disclosure ecosystem. The study analyses over 72,000 resolved security vulnerabilities, 1,000 customer bug bounty programs and more than $31 million in bounties awarded to hackers from over 100 countries.
The full study can be found here, however key findings include:
- Critical vulnerabilities are earning higher bounties. The average award for a critical vulnerability increased 33% to $20,000 for the top awarding programs. A total of 116 unique critical vulnerabilities earned over $10,000 each in the past year.
- Some of the most advanced organizations offer bounty awards in the six-figure range, with Intel and Microsoft offering up to $250,000, and Google and Apple offering up to $200,000,to name just a few.
- The highest bounty paid in 2017 was $75,000,paid by a Technology company for three unique vulnerabilities that when chained together produced a remote code execution (RCE). The exploit chain could have allowed an attacker to steal credit card information, deploy mass ransomware campaigns, take over user accounts, attack employee accounts and access infrastructure code.
- The total number of high or critical severity vulnerabilities increased by 22 percent in 2017. Furthermore, 24 percent of resolved vulnerabilities were classified as high to critical severity across industries.
- Hackers in the U.S. earned 17% of all bounties awarded, with India (13%), Russia (6%), K. (4%),and Germany (3%) rounding out the top 5 highest-earning countries. Hackers in Germany are on a roll, earning 157% more in 2017 versus 2016.
- Governments are leading the way with adoption internationally. In the government sector there was a 125 percent increase year over year with new program launchesincluding the European Commission and the Ministry of Defense Singapore, joining the U.S. Department of Defense on HackerOne
- Enterprise vulnerability disclosure policy adoption is on the rise. Organizations like Goldman Sachs, Toyota, and American Express adopted VDP’s representative of a broader trend of a 54% increase year over year. The Forbes Global 2000, however, only marginally improved, as 93% still do not have a policy in place.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.