HackerOne’s 2018 Hacker-Powered Security Report showed that the average award for critical vulnerabilities has increased.
The average payout for critical vulnerabilities is up six percent from the prior year and now stands at $2,041.
The numbers are from HackerOne’s 2018 Hacker-Powered Security Report, published Wednesday. The study looked at data derived from the HackerOne community between May 2017 and April 2018. In the report the company also revealed that a total of 116 bug reports worth over $10,000 each were filed across all sectors of its program last year – a 30 percent jump from 2016. HackerOne said bounty programs run by government agencies had the largest average payout for critical vulnerabilities, at $3,492. The travel and hospitality sectors paid out the least for a critical vulnerability, at $668.
Medium severity vulnerabilities are still the most commonly reported as part of bug bounty programs, with 39 percent of all reported bugs in 2018 being medium (only 6 percent were rated critical).
Here are some other big takeaways from the report:
- Hackers globally have taken home $31 million from bug bounty payouts overall. According to HackerOne, the top earning hackers made almost three times the median salary of a software engineer in their home country – with some making up to 16 times.
- Valid reports hit an all-time high as program signal becomes a primary program performance metric. The fear of program noise (i.e., informative or duplicate submissions) is a relic of the past across hacker-powered programs. With a platform-wide signal of 80 percent, the human resources required to run a hacker-powered program were greatly reduced in 2018.
More companies are looking to adopt “safe harbor” language in their bug bounty programs to build trust with participants.