Data from The 2018 Hacker-Powered Security Report
118 HACKER-POWERED FACTS

INTRODUCTION
The Hacker-Powered Security Report examines the largest dataset of more than 1,000 hacker-powered security programs and compiles learnings from application security practitioners and the hackers who participate in bug bounty and vulnerability disclosure programs. The report also analyzed vulnerability disclosure data from the world’s 2,000 biggest publicly traded companies according to Forbes. Consider this your “cheat sheet” of the top findings. You can also download the full 46-page report, packed with key learnings, graphs, and links to other helpful resources, at https://www.hackerone.com/resources/hacker-powered-security-report.
#hackerpoweredfacts

GENERAL FACTS
FACT #1: A total of 116 bug bounties over $10,000 were paid out in the past year, up 30% from the previous year.
FACT #2: The average bounty for critical issues rose to more than $2,000.
FACT #3: From HackerOne’s inception in 2012 through June 2018, organizations have awarded hackers over $31 million.
FACT #4: $11.7 million in bug bounties was awarded in 2017 alone.
FACT #5: 93% of the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by the outside world.
FACT #6: 25% of the hacker community is currently enrolled as a full-time student.
FACT #7: Hackers from over 100 countries have been paid for their research through HackerOne programs.
FACT #8: Top-earning hackers made 2.7x the median salary of a software engineer in their home country.
FACT #9: The U.S. Department of Defense has received over 5,000 reports since the launch of its vulnerability disclosure policy.
FACT #10: In 2018 to date, HackerOne maintains a platform-wide signal of 80%, greatly reducing the human resources required to run a hacker-powered program.
FACT #11: Goldman Sachs, Toyota, and American Express were a few of the enterprises to launch a VDP in 2018.
FACT #12: HackerOne saw a 54% year-over-year increase in new enterprise VDP program launches.
FACT #13: 78,275 total reports were submitted in 2017 on HackerOne.

GEOGRAPHY
FACT #14: Latin America saw the biggest regional increase in hacker-powered security programs, rising by 143% year-over-year.
FACT #15: North America and the Asia Pacific region each saw hacker-powered security programs increase by 37%.
FACT #16: Europe, the Middle East, and Africa saw a combined 26% increase in the past year.
FACT #17: Organizations located in the U.S. pay 83% of all bounties to hackers around the globe, continuing their trend as the leading bounty-paying country.
FACT #18: Canada-based organizations remain in the second spot for 2017, with $1.5 million in bounties paid.
FACT #19: Organizations in the U.K. rose from sixth place in 2016 to third place this year for total value of bounties paid.
FACT #20: 18 countries have hackers earning a combined $500,000 or more.
FACT #21: 44 countries have hackers earning a combined $100,000 or more.
FACT #22: Hackers in the U.S. earned 17% of all bounties awarded.
FACT #23: Hackers in India were in second place, earning 13% of all bounties awarded.
FACT #24: Hackers in Germany are on a roll, earning 157% more in 2017 versus 2016.

PUBLIC VS. PRIVATE
FACT #25: On average, public programs engage 3.5 times the number of hackers reporting valid vulnerabilities as private programs.
FACT #26: Private bug bounty programs currently make up 79% of all bug bounty programs on HackerOne, down from 88% in calendar year 2017 and 92% in calendar year 2016.
FACT #27: The majority of public bug bounty programs, 63%, are run by Technology organizations.
FACT #28: Financial Services & Banking and Media & Entertainment were tied for second as the industries with the most public bug bounty programs, at 9%.
FACT #29: Public programs made up about 19% of HackerOne bug bounty launches in the past 12 months, about double the year before.

INDUSTRY ADOPTION
FACT #30: For the fourth year in a row, industries beyond Technology increased their share of the overall bug bounty market.
FACT #31: Government and Telecommunications account for 43% of today’s bug bounty programs.
FACT #32: The government sector saw a 125% year-over-year increase globally, with new program launches including the European Commission and the Ministry of Defense Singapore.
FACT #33: Automotive bug bounty programs increased 50% in the past year.
FACT #34: In the past year, Technology organizations launched 58% of all new hacker-powered security programs.
FACT #35: Healthcare launched the second-largest share of new hacker-powered security programs, at 10%.
FACT #36: Telecommunications bug bounty programs increased by 71% in the past year.
FACT #37: Seven of the top 50 automotive vehicle manufacturers globally have a way for external researchers to report vulnerabilities.

INDUSTRY VULNERABILITIES
FACT #38: More than 72,000 vulnerabilities have been resolved on HackerOne as of May 2018.
FACT #39: More than 27,000 vulnerabilities, one-third of the overall total, were resolved in the past year alone.
FACT #40: Cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability reported across all industries, with the exception of Healthcare and Technology.
FACT #41: For Healthcare and Technology, the top reported vulnerability type, with nearly 8,000 reports in the past year, was Information Disclosure (CWE-200).
FACT #42: For 2017, the total number of critical vulnerabilities reported increased by 26%.
FACT #43: The share of the most impactful bugs (critical and high combined) increased from 22% in 2016 to 24% in 2017.
FACT #44: XSS vulnerabilities represented 59% of the top 15 vulnerabilities reported to Transportation organizations.
FACT #45: XSS vulnerabilities represented 37% of the top 15 vulnerabilities reported to Travel & Hospitality organizations.
FACT #46: Government organizations saw the most cryptographic issues, at 18% of their total reported vulnerabilities, six times more than the second-place industry, Telecom, which saw just 3% of its reports in that category.
FACT #47: There were 38 times more “insecure storage” vulnerabilities reported on HackerOne in 2017 compared to 2016.

INDUSTRY RESPONSIVENESS
FACT #48: The fastest industry with respect to average resolution time is Consumer Goods, at 14 days.
FACT #49: Financial Services & Insurance has the second-best resolution time, at 19 days.
FACT #50: Government is the slowest at resolution, with an average resolution time of 68 days.
FACT #51: However, Government is the second-fastest at average days to bounty payment, at just 18 days.
FACT #52: Healthcare is the overall fastest industry at paying hackers, with an average of 15 days to bounty payment.
FACT #53: Government, Transportation, Technology, Retail & Ecommerce, Media & Entertainment, Healthcare, and Financial Services & Insurance all have average days to bounty payment less than their average days to resolution.
FACT #54: Telecom, Professional Services, Travel & Hospitality, and Consumer Goods all have average days to bounty payment greater than their average days to resolution.

BOUNTY TRENDS
FACT #55: About 60% of organizations on the platform pay an average of $1,500 for critical vulnerabilities, a 50% ($500) increase from 2016.
FACT #56: The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform rose to $2,041 in 2017. That’s a 6% year-over-year increase over the 2016 average of $1,923.
FACT #57: Of all categorized vulnerabilities, 6% were critical, 18% were high, 39% were medium, 23% were low, and 13% did not register on the severity scale.
FACT #58: Government has the highest average bounty payout for critical vulnerabilities, at $3,892.
FACT #59: Technology has the second-highest average bounty payout for critical vulnerabilities, at $3,635.
FACT #60: Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities, at $668.
FACT #61: Only Consumer Goods and Travel & Hospitality organizations average critical vulnerability bounty values below $1,000.
FACT #62: Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% of reward competitiveness, a 33% or $5,000 increase from last year’s average bounties paid for critical vulnerabilities.
FACT #63: Bounty programs on the HackerOne platform that reward an average of $10,000 for high vulnerabilities are in the top 1% of reward competitiveness.
FACT #64: Intel and Microsoft offer top bounties of up to $250,000.
FACT #65: Google and Apple offer top bounties of up to $200,000.
FACT #66: The highest bounty paid on HackerOne in 2017 was $75,000, paid by a Technology company.
FACT #67: Media & Entertainment organizations pay the lowest top bounty awards, with their top award being just $1,767 in 2017.
FACT #68: In just the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounties of $20,000 or more.
FACT #69: Technology organizations paid the most in bounties of all time, at more than $20.2 million.
FACT #70: Media & Entertainment paid the second-most in bounties of all time, at just over $2 million, more than 90% less than Technology organizations.
FACT #71: Consumer Goods was the industry paying the least in bounties of all time, with just under $200,000 awarded.
FACT #72: Technology organizations paid 55% of the total value of all bounties paid.

SIGNAL-TO-NOISE
FACT #73: Do-it-yourself bug bounty programs that don’t benefit from noise-reducing platform features can experience signal-to-noise ratios as low as 4%.
FACT #74: HackerOne consistently maintains 80% Signal platform-wide.
FACT #75: Managed programs on HackerOne consistently garner a Clear Signal of 40%, while unmanaged programs achieve just 33% Clear Signal.

VULNERABILITY DISCLOSURE POLICIES
FACT #76: Nearly 1 in 4 hackers have not reported a vulnerability they found because the company didn’t have a channel to disclose it.
FACT #77: 61% of startups valued at over $1 billion have a VDP.
FACT #78: 47% of Technology companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure.
FACT #79: 24% of Telecommunications companies have a known vulnerability disclosure program.
FACT #80: 5% of Transportation companies have vulnerability disclosure policies.
FACT #81: 20% of conglomerates have vulnerability disclosure or bug bounty programs, up from 14% in 2017.
FACT #82: 4% of Financial Services companies have vulnerability disclosure policies.

HACKERS
FACT #83: HackerOne’s community of ethical hackers is more than 200,000 strong.
FACT #84: Over 90% of hackers are under the age of 35.
FACT #85: Nearly identical fractions of hackers are under 13 years old (0.4%) and over 50 years old (0.5%).
FACT #86: 44% of hackers are IT professionals.
FACT #87: The number one reason hackers hack is their motivation to learn tips and techniques.
FACT #88: Money fell from first in 2016 to fourth on the list of reasons hackers hack.
FACT #89: 10% of hackers do it “to do good in the world”.
FACT #90: Nearly 58% of hackers are self-taught.
FACT #91: Less than 5% of hackers learned their hacking skills in a classroom.
FACT #92: 50% of hackers studied computer science at an undergraduate or graduate level.
FACT #93: 26% of hackers studied computer science in high school or before.
FACT #94: 44% of hackers are just dabbling, spending 10 hours or less per week hacking.
FACT #95: 20% of hackers are full-time, spending 30 hours or more per week hacking.
FACT #96: Top-performing hackers living in India make 16 times the median salary of a local software engineer.
FACT #97: Top-performing hackers living in the U.S. make 2.5 times the median salary of a local software engineer.
FACT #98: Top-performing hackers living in Egypt make 8.1 times the median salary of a local software engineer.
FACT #99: Top-performing hackers living across a global sample of 40 countries make an average of 2.7 times the median salary of a local software engineer.
FACT #100: At a HackerOne live hacking event, Oath paid hackers more than $400,000 in a single day.

HISTORY
FACT #101: Hunter & Ready, Inc. announced a “bug” bounty program for their products in 1983.
FACT #102: Netscape launched the first “modern-day” bug bounty program in 1995.
FACT #103: The Mozilla Foundation started offering bug bounties of up to $500 for critical vulnerabilities in 2004.
FACT #104: The first Pwn2Own contest kicked off in 2007.
FACT #105: Google announced a bug bounty program for web applications in 2010.
FACT #106: Facebook announced its bug bounty program in 2011.
FACT #107: Microsoft and Facebook sponsored the creation of the Internet Bug Bounty (IBB) in 2013.
FACT #108: Hack the Pentagon, the U.S. Department of Defense’s bug bounty program, launched on HackerOne’s platform in April 2016.
FACT #109: The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016.
FACT #110: HackerOne kicked off its first live hacking event, H1-702 in Las Vegas, paying out over $150,000 in bounties in just 3 days in August 2016.
FACT #111: The U.S. Department of Defense kicked off the first government VDP in November 2016.
FACT #112: The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016.
FACT #113: The Hack the DHS bill passed the U.S. Senate in May 2017.
FACT #114: The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017.
FACT #115: U.S. Deputy Attorney General Rod J. Rosenstein recommended that all companies consider promulgating a vulnerability disclosure policy in October 2017.
FACT #116: HackerOne and others were invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018.
FACT #117: U.S. House of Representatives bill H.R. 5433, the Hack Your State Department Act, was proposed by Representative Ted Lieu in April 2018.
FACT #118: HackerOne exceeded $30,000,000 in bounties paid out to hackers in June 2018.

#hackerpoweredfacts https://www.hackerone.com/contact
  • 66. FACT #57 Of all categorized vulnerabilities, 6% were critical, 18% were high, 39% were medium, 23% were low, and 13% did not register on the severity scale. #hackerpoweredfacts
  • 67. FACT #58 Government has the highest average bounty payout for critical vulnerabilities at $3,892. #hackerpoweredfacts
  • 68. FACT #59 Technology has the second-highest average bounty payout for critical vulnerabilities at $3,635. #hackerpoweredfacts
  • 69. FACT #60 Travel & Hospitality has the lowest average bounty payout for critical vulnerabilities at $668. #hackerpoweredfacts
  • 70. FACT #61 Only Consumer Goods and Travel & Hospitality organizations average critical vulnerability bounty values below $1,000. #hackerpoweredfacts
  • 71. FACT #62 Bounty programs on the HackerOne platform that reward an average of $20,000 for critical vulnerabilities are in the top 1% of reward competitiveness, a 33% or $5,000 increase from last year’s average bounties paid for critical vulnerabilities. #hackerpoweredfacts
  • 72. FACT #63 Bounty programs on the HackerOne platform that reward an average of $10,000 for high vulnerabilities are in the top 1% of reward competitiveness. #hackerpoweredfacts
  • 73. FACT #64 Intel and Microsoft offer top bounties of up to $250,000. #hackerpoweredfacts
  • 74. FACT #65 Google and Apple offer top bounties of up to $200,000. #hackerpoweredfacts
  • 75. FACT #66 The highest bounty paid on HackerOne in 2017 was $75,000, paid by a Technology company. #hackerpoweredfacts
  • 76. FACT #67 Media & Entertainment organizations pay the lowest top bounty awards, with their top award being just $1,767 in 2017. #hackerpoweredfacts
  • 77. FACT #68 In just the past year, organizations in the Transportation, Telecommunications, Professional Services, and Technology industries all awarded top bounty awards of $20,000 or more. #hackerpoweredfacts
  • 78. FACT #69 Technology organizations paid the most bounties all time at more than $20.2 million. #hackerpoweredfacts
  • 79. FACT #70 Media & Entertainment paid the second-most amount of bounties all time at just over $2 million, more than 90% less than Technology organizations. #hackerpoweredfacts
  • 80. FACT #71 Consumer Goods was the industry paying the least amount of bounties all time with just under $200,000 awarded. #hackerpoweredfacts
  • 81. FACT #72 Technology organizations paid 55% of the total value of all bounties paid. #hackerpoweredfacts
  • 83. FACT #73 Do it yourself bug bounty programs that don’t benefit from noise reducing platform features can experience signal-to-noise ratios as low as 4%. #hackerpoweredfacts
  • 84. FACT #74 HackerOne consistently maintains 80% Signal platform wide. #hackerpoweredfacts
  • 85. FACT #75 Managed programs on HackerOne consistently garner a Clear Signal of 40%, while unmanaged programs achieve just 33% in Clear Signal. #hackerpoweredfacts
  • 87. FACT #76 Nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it. #hackerpoweredfacts
  • 88. FACT #77 61% of startups valued at over $1 billion have a VDP. #hackerpoweredfacts
  • 89. FACT #78 47% of Technology companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure. #hackerpoweredfacts
  • 90. FACT #79 24% of Telecommunications companies have a known vulnerability disclosure program. #hackerpoweredfacts
  • 91. FACT #80 5% of Transportation companies have vulnerability disclosure policies. #hackerpoweredfacts
  • 92. FACT #81 20% of conglomerates have vulnerability disclosure or bug bounty programs, up from 14% in 2017. #hackerpoweredfacts
  • 93. FACT #82 4% of Financial Services companies have vulnerability disclosure policies. #hackerpoweredfacts
  • 95. FACT #83 HackerOne’s community of ethical hackers is more than 200,000 strong. #hackerpoweredfacts
  • 96. FACT #84 Over 90% of hackers are under the age of 35. #hackerpoweredfacts
  • 97. FACT #85 Nearly identical fractions of hackers are under 13 years old (0.4%) and over 50 years old (0.5%). #hackerpoweredfacts
  • 98. FACT #86 44% of hackers are IT professionals. #hackerpoweredfacts
  • 99. FACT #87 The number one reason hackers hack is their motivation to learn tips and techniques. #hackerpoweredfacts
  • 100. FACT #88 Money fell from first in 2016 to fourth on the list of reasons hackers hack. #hackerpoweredfacts
  • 101. FACT #89 10% of hackers do it “to do good in the world”. #hackerpoweredfacts
  • 102. FACT #90 Nearly 58% of hackers are self-taught. #hackerpoweredfacts
  • 103. FACT #91 Less than 5% of hackers learned their hacking skills in a classroom. #hackerpoweredfacts
  • 104. FACT #92 50% of hackers studied computer science at an undergraduate or graduate level. #hackerpoweredfacts
  • 105. FACT #93 26% of hackers studied computer science in high school or before. #hackerpoweredfacts
  • 106. FACT #94 44% of hackers are just dabbling, spending 10 hours or less per week hacking. #hackerpoweredfacts
  • 107. FACT #95 20% of hackers are full-time, spending 30 hours or more per week hacking. #hackerpoweredfacts
  • 108. FACT #96 Top-performing hackers living in India make 16-times the median salary of a local software engineer. #hackerpoweredfacts
  • 109. FACT #97 Top-performing hackers living in the U.S. make 2.5-times the median salary of a local software engineer. #hackerpoweredfacts
  • 110. FACT #98 Top-performing hackers living in the Egypt make 8.1-times the median salary of a local software engineer. #hackerpoweredfacts
  • 111. FACT #99 Top-performing hackers living across a global sample of 40 countries make an average of 2.7-times the median salary of a local software engineer. #hackerpoweredfacts
  • 112. FACT #100 At a HackerOne live hacking event, Oath paid hackers more than $400,000 in just a single day. #hackerpoweredfacts
  • 114. FACT #101 Hunter & Ready, Inc. announced a “bug” bounty program for their products in 1983. #hackerpoweredfacts
  • 115. FACT #102 Netscape launched the first “modern-day” bug bounty program in 1995. #hackerpoweredfacts
  • 116. FACT #103 Mozilla Foundation started offering bug bounties up to $500 for critical vulnerabilities in 2004. #hackerpoweredfacts
  • 117. FACT #104 The first PWN20WN contest kicked off in 2007. #hackerpoweredfacts
  • 118. FACT #105 Google announced a bug bounty program for web applications in 2010. #hackerpoweredfacts
  • 119. FACT #106 Facebook announced their bug bounty program in 2011. #hackerpoweredfacts
  • 120. FACT #107 Microsoft and Facebook sponsored the creation of Internet Bug Bounty (IBB) in 2013. #hackerpoweredfacts
  • 121. FACT #108 Hack the Pentagon, the U.S. Department of Defense’s, launched on HackerOne’s platform in April 2016. #hackerpoweredfacts
  • 122. FACT #109 The manifesto on coordinated cybersecurity disclosure was signed by 29 companies in May 2016. #hackerpoweredfacts
  • 123. FACT #110 HackerOne kicked off its first live hacking event in Las Vegas, H1-702, paying out over $150,000 in bounties in just 3 days in August 2016. #hackerpoweredfacts
  • 124. FACT #111 The U.S. Department of Defense kicked off the first government VDP in November 2016. #hackerpoweredfacts
  • 125. FACT #112 The NTIA Safety Working Group published v1.1 of the Coordinated Vulnerability Disclosure Template in December 2016. #hackerpoweredfacts
  • 126. FACT #113 The Hack the DHS bill passed the U.S. Senate in May 2017. #hackerpoweredfacts
  • 127. FACT #114 The CERT Guide to Coordinated Vulnerability Disclosure was published in August 2017. #hackerpoweredfacts
  • 128. FACT #115 U.S. Deputy Attorney General Rod J. Rosenstein recommended all companies consider promulgating a vulnerability disclosure policy in October 2017. #hackerpoweredfacts
  • 129. FACT #116 HackerOne and others were invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security in February 2018. #hackerpoweredfacts
  • 130. FACT #117 U.S. House of Representatives bill H.R. 5433: Hack Your State Department Act was proposed by Representative Ted Liu in April 2018. #hackerpoweredfacts
  • 131. FACT #118 HackerOne exceeded $30,000,000 in bounties paid out to hackers in June 2018. #hackerpoweredfacts