ThreatList: Bug Bounty Payouts Increase Six Percent for Critical Vulnerabilities

HackerOne’s 2018 Hacker-Powered Security Report showed that the average award for critical vulnerabilities has increased.

The average payout for a critical vulnerability is up six percent over the prior year and now stands at $2,041.

The numbers are from HackerOne’s 2018 Hacker-Powered Security Report, published Wednesday. The study looked at data derived from the HackerOne community between May 2017 and April 2018. In the report the company also revealed that a total of 116 bug reports worth over $10,000 each were filed across all sectors of its program last year – a 30 percent jump from 2016. HackerOne said bounty programs run by government agencies had the largest average payout for critical vulnerabilities at $3,492. The travel and hospitality sectors paid out the least for a critical vulnerability, at $668.

Medium severity vulnerabilities are still the most commonly reported as part of bug bounty programs, with 39 percent of all reported bugs in 2018 being medium (only 6 percent were rated critical).

Here are some other big takeaways from the report:

  • Hackers globally have taken home $31 million from bug bounty payouts overall. According to HackerOne, the top earning hackers made almost three times the median salary of a software engineer in their home country – with some making up to 16 times.
  • Valid reports hit an all-time high as program signal becomes a primary program performance metric. The fear of program noise (i.e., informative or duplicate submissions) is a relic of the past across hacker-powered programs. With a platform-wide signal of 80 percent, the human resources required to run a hacker-powered program were greatly reduced in 2018.
