THE 4TH ANNUAL HACKER-POWERED SECURITY REPORT
The study on the hacker-powered security ecosystem
hack for good
EXECUTIVE SUMMARY

This is a time of unprecedented challenges. We face never-before-seen threats in the digital and physical worlds. If this past year has taught us anything, it is this: we need to leave behind our old tools, mindsets, and methods to create a path ahead.

But what does that path look like? In the physical world, COVID-19 is ravaging the international community. Negative externalities are flowing into the digital space, as well. This year, organizations across the globe have made unexpected changes to their operations. Businesses are figuring out how to contend with accelerated digital transformation and a surge in digital transaction volume. Many have had to expedite their decision to move to the cloud. Companies are hurrying to support hundreds or thousands of employees who are suddenly working remotely. To adapt to changing spending patterns, companies have launched new digital products and revenue streams, fighting to keep revenue flowing during a global recession.
In doing so, organizations are opening up new attack
surfaces they are unprepared to protect. Protection
efforts are left in the hands of security teams who
are not staffed to cope. The result? Losses that can
be measured in data, revenue, reputational damage,
operational disruption, and churn.
For organizations that operate in the digital space,
there’s no such thing as business-as-usual anymore—
which means that business-as-usual security can no
longer suffice. Security leaders are starting to ask some
tough questions. If you’re facing resource constraints,
how do you design software that’s secure from the
start? How can you protect software applications as
they move to the cloud? How do you scale security on
a constantly-evolving attack surface? Is there a way to
maintain brand trust and mitigate risk of a breach with
such a sharp increase in digital transactions? And with
everything else on fire, what about the nuts-and-bolts
of compliance and regulations?
THE ANSWER IS HACKERS.
For years, organizations have turned to hackers to
look for vulnerabilities before bad actors can exploit
them. Quite simply, hackers are people who enjoy the
challenge of creatively overcoming limitations. But
they’re much more than that.
Hacker-powered security has become a best practice
for many organizations, embraced by risk-conscious
entities like the U.S. Department of Defense and
Goldman Sachs. Security and business leaders are
learning that hackers aren’t just for tech companies:
they are a critical part of any mature security strategy.
Today’s challenges demand scalability, creativity, and
adaptability on an unprecedented scale, and hackers
are prepared to meet those demands.
The Fourth Annual Hacker-Powered Security Report
offers an incisive look at today’s security landscape and
the hackers who are pushing the envelope.
This report tells a story that’s happening every day:
security leaders are partnering with hackers to make
the internet a safer place. CISOs are augmenting
security frameworks with hackers’ human creativity and
always-on security efforts. New options and continued
deployment have propelled all global regions to double
digit year-over-year program growth, with Asia-Pacific
(APAC) adding 93% more programs and Latin and South
America (LATAM) adding 29%. Combined, all global
programs awarded 87% more bounties year-over-year.
Around the world, the hacker community has grown
in size and sophistication. 9 hackers (from 7 different
countries!) surpassed the $1 million / €850,000 / ¥7
million mark in the past year. Hundreds of thousands
more use hacking to build valuable skills, advance their
career, earn extra money, challenge their curiosity, and
hang out with like-minded individuals.
Against a backdrop of unparalleled obstacles, security
leaders have gained newfound appreciation for hacker-
powered security as a nimble, scalable, and cost-
effective solution. During global lockdowns, hackers
reported 28% more vulnerabilities per month than
immediately before the pandemic took hold. For many
researchers, hacking has become a reliable source of
supplemental income during the pandemic.
Even before the pandemic, hackers were devoting
their time and skills to make the world a better place.
The altruistic attitude sparked Hack for Good, a
HackerOne program that provides an easy way to
donate bounty earnings to a worthy cause. The World
Health Organization, the first cause chosen by the
hacker community this past spring, received $30,000
in donations from hackers to help fight the COVID-19
pandemic.
In this report, we’ll explore these trends and their
ramifications for businesses and consumers worldwide.
The short version: security has become synonymous
with hacking. The future belongs to hackers and the
organizations that embrace them. And that future
starts right here.
CONTENTS

EXECUTIVE SUMMARY ... 3
  Important Concepts ... 8
INTRODUCTION ... 10
  Key Findings ... 12
GLOBAL IMPACT ... 14
  Who's Paying Bounties ... 18
  How COVID-19 is Impacting Security ... 20
  Who's Earning Bounties ... 22
  Nations Across the Globe Are Getting Involved ... 26
  Bounty Flow ... 28
  Market Spotlight ... 30
INDUSTRY SCORE-CARDS ... 34
  How Each Industry Stacks Up ... 36
  The Biggest Brands Still Lag: Forbes Global 2000 Breakdown ... 38
  Creating A Vulnerability Disclosure Policy ... 40
  Industry Adoption ... 41
  The Pace of Resolution Varies by Industry ... 42
  Continuous Development Needs Continuous Security ... 44
BOUNTY TRENDS ... 46
  Region Spotlight ... 52
  Average Bounty Payout Per Industry for Critical Vulnerabilities ... 56
  Average Bounty Payout by Severity ... 57
  Reported Vulnerabilities by Type ... 58
  Virtual Live Hacking Events ... 60
  Customer Spotlight: AT&T ... 64
  Go Beyond Compliance with Hacker-Powered Pentests ... 66
  The Validated ROI of Hacker-Powered Pentests ... 68
  Customer Spotlight: PayPal ... 70
HACKERS ... 72
  Customer Spotlight: Costa Coffee ... 76
  Who are the Hackers and Why Do They Hack? ... 78
  Customer Spotlight: LINE Corporation ... 82
  Hacker Spotlight ... 84
  How Tomorrow's Hackers Learn ... 86
  The Largest Hacker-Powered Security Conference ... 88
  Million Dollar Hackers ... 90
  Security Leaders Seeing Outbreak of Cybercrime During Pandemic ... 92
CLOSING THOUGHTS ... 94
METHODOLOGY & SOURCES ... 96
ABOUT HACKERONE ... 98
IMPORTANT CONCEPTS

HACKER: One who enjoys the intellectual challenge of creatively overcoming limitations.
HACKER-POWERED SECURITY: Any security-
enhancing activity resulting from voluntary work
performed by external experts, i.e. hackers. Common
examples include private bug bounty programs,
public bug bounty programs, time-bound bug bounty
programs, hacker-powered penetration testing for
compliance, and vulnerability disclosure policies.
With hacker-powered security testing, organizations
can identify high-value bugs faster with help from the
results-driven ethical hacker community.
VULNERABILITY: A weakness in software, business
logic, hardware, internal rules, or online services that
can be exploited.
HACKTIVITY: Hacker activity published on the
HackerOne platform.
VULNERABILITY DISCLOSURE POLICY (VDP):
An organization’s formalized method for receiving
vulnerability submissions from the outside world,
sometimes referred to as “Responsible Disclosure.”
This often takes the form of a “security@” email
address. The practice is outlined in the NIST
Cybersecurity Framework and defined in ISO
standard 29147.
BUG BOUNTY PROGRAM: Encourages hackers,
through the use of incentives, to identify and report
potential security vulnerabilities before they can be
exploited. A public program allows any hacker to
participate for a chance at a bounty reward. A private
program limits access to select hackers who are
invited to participate. Focused programs can also be
time-bound, or run as virtual or in-person live events.
HACKER-POWERED PENTEST: A bespoke program
where select hackers apply a structured testing
methodology and are rewarded for completing
security checks, and security teams receive instant
results and compliance-ready reports.
/// OVERVIEW
Total registered hackers: 830K+
Total valid vulnerabilities submitted: 181K+
Reports resolved in 2019: 37,259
Total bounties paid: $107M+
Bounties paid over the past 12 months: $44,754,742
$ per resolved report: $979

(Business impact by region: North America, EMEA, APAC, Latin America.)
INTRODUCTION

In the face of global changes, hackers are bringing
ever-increasing scale to organizations’ security efforts.
There are more hackers, with more skills, from more
countries than ever before, offering continuous
coverage for continuous development.
Hackers have reported over 181,000 valid vulnerabilities
and have earned over $100 million / €85 million / ¥696
million in the process. These trusted hackers, 53% of
whom have been hacking for over 3 years and 43% of
whom are self-taught, are augmenting and supporting
security teams for organizations large and small. They
bring talent, creativity, and diverse skill sets to the
table.
Security vulnerabilities are a fact of life. You can’t opt
out. That’s why organizations are on the hunt for cost-
effective solutions. The business value placed on each
found vulnerability is, on average, $979 / €835 / ¥6,820.
That’s a small price to pay compared with the legal,
brand, and engineering impact of a security breach,
which the Ponemon Institute and IBM Security estimate
to be $3.86 million / €3.29 million / ¥26.87 million.
Hackers are the future of cybersecurity. As we face
unprecedented changes, business and security leaders
are leaving behind old methods and ideas to search for
new solutions. It’s our mission to empower the world
to build a safer internet. This report is a glimpse into
how hackers and organizations are doing just that.
EVERY ONE HUNDRED AND EIGHTY SECONDS,
A HACKER REPORTS A VULNERABILITY.
Average cost of a valid vulnerability: $979
Global average total cost of a data breach in 2020: $3.86M
KEY FINDINGS

1. The average bounty paid for critical vulnerabilities increased to $3,650 / €3,100 / ¥25,460 in the past year, up 8% year-over-year. The average amount paid per vulnerability of any severity level is $979 / €831 / ¥6,834, up 9% from last year's average.

2. More than $44.75 million / €38.2 million / ¥313.3 million in bounties were awarded to hackers across the globe over the past year. That's a year-over-year increase of 87% in total bounties paid, and helped drive total bounties past $100 million / €85 million / ¥696 million in May 2020.

3. The United States remains the top payer of bounties, with over 87% of the total, but that share is decreasing as every global region increased awards by at least 68%. Individual countries saw massive growth. Spain increased year-over-year bounty awards by 4,324%, Brazil by 1,843%, China by 1,429%, and 4 countries paid bounties for the very first time.

4. 100 countries saw an increase in year-over-year hacker earnings, with the biggest increases seen in China (582%), Spain (307%), France (297%), and Turkey (214%). In a dozen countries, hackers started earning awards for the first time.

5. 9 individual hackers have now earned $1 million / €850,000 / ¥7 million in bounties on the HackerOne platform. And, in a reflection of the global reach of hacker-powered security, these 9 reside in 7 different countries.

6. Hackers now hail from 226 countries and territories. Guinea-Bissau, Central African Republic, Montserrat, Comoros, Holy See, and San Marino have all been added to this list in the past year.

7. Through Hack for Good, hackers donated $30,000 to The World Health Organization (WHO) COVID-19 Solidarity Response Fund, the program's first recipient.

8. The global coronavirus outbreak was followed by a surge in hacktivity. New hacker signups increased 59%, submitted bug reports increased 28%, and organizations paid 29% more bounties in the months immediately following the start of the pandemic.

9. Bounties paid for Improper Access Control, the most awarded weakness type, increased by 130%. Information Disclosure fell to second place this year from first last year, yet still saw a 60% increase in bounties awarded.
CHAPTER 1 // GLOBAL IMPACT

Hacker-powered security is a global phenomenon regardless of how you measure it. The sheer growth in global security programs is stunning, with 34% of all programs on the HackerOne platform launched in the past year.

North America remains the largest region, with 69% of all programs, but it's being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%, nearly doubling the total number of programs in that region. Regions within APAC showing particularly strong program growth, and reflecting the diversity of this rapidly maturing market, include Singapore, with program growth of 164%, China (67%), and New Zealand (40%). New programs were also added in Japan, South Korea, and Thailand.
Number of vulnerabilities reported: 180,000+
Amount paid to hackers in the past year: $44.75 million
Bounties paid and earned have also shown
extraordinary global growth. In May 2020, total
bounties paid reached $100 million / €85 million /
¥696 million. In the past year alone, more than $44.75
million / €38.2 million / ¥313.3 million has been paid
by security-conscious organizations to creative, skillful
hackers across the globe. That’s a year-over-year
increase of 87% in total bounties to hackers.
NEW PROGRAMS BY REGION / TOTAL PROGRAMS BY REGION

But the number of programs is just one measure of the global impact of hacker-powered security. Overall, hackers have reported more than 180,000 valid vulnerabilities, with one-third of those reported in just the past year alone.

Figure 1: New and total programs by region (N. America, EMEA, APAC, LATAM). Share of new programs: N. America 72%, EMEA 20%, APAC 6%, LATAM 2%. Share of total programs: N. America 69%; the remaining values shown for the other regions are 24%, 6%, and 1.5%.
PROGRAM GROWTH: YOY GROWTH BY REGION

Figure 2: Year-over-year program growth, all by global region. APAC 93%, N. America 72%, EMEA 41%, LATAM 29%.

Total bounties to hackers have increased 87% year over year.

U.S. amount paid to hackers over the past year: $39.1 million

77% of public bug bounty programs receive their first vulnerability report within 24 hours.

Top five bounty-paying countries: United States, Russia, United Kingdom, Singapore, Canada.

Countries at the top maintained their status as biggest payers, with Russia ($887,000), the United Kingdom ($559,000), Singapore ($506,000), and Canada ($497,000) rounding out the top five. Russia moved up from sixth place last year to push Germany into sixth place with $363,000 in bounties paid.
WHO’S PAYING BOUNTIES
THE UNITED STATES REMAINS THE TOP PAYER OF BOUNTIES, with over
$39.1 million / €33.4 million / ¥273.7 million, or 87% of the total, awarded
to hackers in the past year. However, other countries and regions are
adopting hacker-powered security at an impressive rate. Latin America
increased bounty awards by 371%, while all other regions increased awards
by at least 68%. Spain increased year-over-year bounty awards by 4,324%,
Brazil increased by 1,843%, China 1,429%, and Panama by 1,394%. That
growth is even more impressive considering the scale, as those three
countries combined paid out more than $380,000 / €324,000 / ¥2,660,000
in bounties in the past year.
Other countries had massive increases in bounties awarded, as well, like
Argentina (723%), the Netherlands (388%), and the United Arab Emirates
(318%). And four countries—Luxembourg, Dominican Republic, South
Africa, and Samoa—paid bounties for the very first time.
BOUNTY AWARDS: YOY GROWTH BY REGION

Figure 3: Year-over-year bounty award growth in respective regions (bar chart, 0% to 400%, showing Total, APAC, EMEA, North America, and LATAM; Latin America at 371% and the total at 87%).
SPOTLIGHT

HOW COVID-19 IS IMPACTING SECURITY

COVID-19 has thrown the entire world into chaos. We will feel the digital and physical ramifications of the pandemic for decades.

Criminals thrive on chaos. Organizations worldwide were forced to go digital with their product offerings and services. Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed. Tens of millions of workers had to work remotely. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs—while ensuring the security of existing systems and newly-acquired collaboration tools. Security teams were pushed to the limit. They struggled to maintain existing security measures while working to close newly-opened gaps.

To better understand how COVID-19 has impacted security, HackerOne surveyed security leaders about their challenges during the pandemic. We found that 64% of global security leaders believe their organization is more likely to experience a data breach due to COVID-19, and 30% have seen more attacks as a result of COVID-19. Unfortunately, 30% have seen their security teams reduced due to the pandemic, and a quarter have seen their budgets reduced. The overall chaos and uncertainty has stressed even the most robust security teams.
To adapt to changing attack surfaces, many are turning to
hacker-powered security. And hackers are stepping up.
Even during the global recession, hacking has remained
a consistent and stable source of income. This past
year, new hackers have joined the community at an
accelerated rate. Compared with January and February
of 2020, as the pandemic took hold, the average
number of new hacker signups on the HackerOne
platform increased by 56% across April, May, and June.
Year over year, April, May, and June of 2020 saw 69%
more new hacker signups than the same period in 2019.
Hackers are also more prolific than ever with the
monthly average number of incoming bug reports in
April, May, and June of 2020 increasing by 28% over
January and February, and increasing 24% over the
previous year.
Organizations have responded to this much-needed
help by awarding 29% more bounties per month, on
average, during the April-June period than during
January and February.
To learn more, see how HackerOne can help address
quickly changing security needs.
THIS IS AN ENTIRELY DIFFERENT BALLGAME.

"It suddenly thrust us into what some people would say is just a healthcare issue, but it's not. It's an everything issue, isn't it. It's really just changing the way that the world operates and even how hackers operate as well, and I think that's what we're starting to see more and more of."

TERESA WALSH, Global Head of Intelligence, Financial Services ISAC, during ISAC webinar 2020
WHO'S EARNING BOUNTIES
Anyone can hack, anytime, and from nearly anywhere. While they do it to earn money, they
also do it to learn in-demand skills, advance their career, or simply for the challenge. Many
also pursue hacking as a career. 40% of hackers surveyed for our 2020 Hacker Report hack as
their primary occupation. 53% earn more than half their total yearly earnings from hacking,
according to the HackerOne 2020 Hacker Report.
Hackers around the world increased their earnings this past year, with Asia Pacific realizing 131%
growth year-over-year. EMEA earnings nearly doubled, with 90% growth, and North America
and Latin America both increased earnings by more than 60%.
40% of hackers hack as their full-time job
53% earn more than half their total income from hacking
BOUNTY EARNINGS: YOY GROWTH BY REGION

Hacker earnings grew in every region on earth.

Figure 4: Year-over-year bounty earnings growth in respective regions. APAC 131%, EMEA 90%, North America 60%, LATAM 60%, total 87%.
By country, hackers in the U.S. remain the top bounty earners, commanding $7.2 million / €6.1 million / ¥50.4 million over the past year. That's a 63% increase over the past year, but nowhere near the growth of countries like China (582%), Spain (307%), France (297%), and Turkey (214%). Across the globe, 100 countries with hackers had year-over-year earnings growth.
The top five countries from which hackers earn their
awards, in addition to the U.S. are China, India, Russia,
and Germany. China’s huge growth pushed Canada
down into sixth place this year.
In a dozen countries, hackers earned awards for the
first time over the past year, including hackers from
Benin, Comoros, Costa Rica, Gambia, Luxembourg,
Malta, Oman, Paraguay, Senegal, the State of Palestine,
Uganda, and Venezuela. Hacking is giving people in
all corners of the globe opportunity to learn and earn
while helping improve the security of organizations in
faraway countries.
Amount hackers in the U.S. earned over the past year: $7.2 million
Number of countries where hackers had YoY earnings growth: 100
NATIONS ACROSS THE GLOBE ARE GETTING INVOLVED

Hack the Pentagon in 2016 was the first ever federal bug bounty program, pioneered by the U.S. Department of Defense's (DoD) Defense Digital Service (DDS) and HackerOne. In the following two years, hackers worked with the Army, Air Force, Marines, and other U.S. DoD agencies to find more than 5,000 valid vulnerabilities through HackerOne. In 2019 alone, the U.S. federal government received 5,121 distinct vulnerability reports through their VDP and focused, time-constrained HackerOne Challenge events. To date, the DoD has launched 10 hacker-powered Challenges, including "Hack the Proxy," "Hack the Army 2.0," and "Hack the Air Force 4.0". As a result, they have awarded a total of $672,610 to 625 hackers.

The DoD also resolved over 12,000 valid vulnerabilities exclusively through the organization's VDP this past year. In July 2020, the DoD processed 1,835 vulnerability reports via its VDP, nearly 500 more than their previous monthly record.

Since the DoD became the first government organization to leverage hacker-powered security, governments and related agencies across the globe have deployed hacker-powered security to identify and resolve vulnerabilities in their systems.
The European Commission (EC), long a champion of free and open source software, launched the European Union Free and Open Source Software Audit (EU FOSSA) to find vulnerabilities in its most used open source apps. The initial program's success prompted the European Commission to launch EU-FOSSA 2, and the team subsequently worked with hackers to reveal a 20-year undiscovered vulnerability, fix 133 vulnerabilities, and pay out a total of €87,990 in bounties to hackers. In total, the E.U. has launched two bug bounty programs for 15 open source projects with HackerOne since its first program in 2017.
In the U.K., the National Cyber
Security Centre uses HackerOne
to enable its VDP and the easy
reporting of vulnerabilities found
across all U.K. government
online services.
In the Asia-Pacific region, this past
year has seen impressive growth in
hacker-powered security programs.
The Ministry of Defence, Singapore
(MINDEF) has expanded its hacker-
powered security programs since
starting with a time-bound bug
bounty challenge in 2018. That
program resulted in 35 resolved
vulnerabilities and prompted a
second program, which invited 300
hackers (one-quarter of whom are
local to Singapore). That second
program resulted in 31 validated
vulnerabilities, which earned
hackers $25,950.
In late 2019, Singapore’s
Government Technology Agency
(GovTech), supported by the Cyber
Security Agency of Singapore (CSA),
ran a third program that resulted
in 33 valid security vulnerabilities
and $30,800 in earned bounties. All
together, 189 hackers have earned
$74,250 in exchange for reporting
625 distinct security weaknesses
across five Singaporean
government challenges.
This past year, the European
Commission announced the launch
of a new bug bounty initiative
involving open source software on
a much larger scale. The latest 2019
bug bounty program run by the
EU-Free and Open Source Software
Auditing (EU-FOSSA 2) project
aims to help E.U. institutions better
protect their critical software. Since
the program launched, EU-FOSSA 2
has worked with hackers to fix 133
vulnerabilities and pay out a total
of €87,990 in bounties to hackers.
This is on the heels of the U.K.’s
National Cyber Security Centre
(NCSC), which launched a VDP with
HackerOne in December 2018. In
total, the E.U. has launched two
bug bounty programs and 15 open
source projects with HackerOne
since its first program in 2017.
BOUNTY FLOW BY COUNTRY

Figure 5: Visualization of the bounty flow of the top 10 countries showing, on the left, where the organizations paying bounties are located and, on the right, where hackers earning bounties are located. Total: $44,754,742.

Bounties paid, by country of the paying organization:
USA: $39,125,265
Russia: $887,236
UK: $559,215
Singapore: $505,522
Canada: $497,495
Netherlands: $414,817
Germany: $363,404
Switzerland: $231,605
Israel: $229,138
Sweden: $152,413
Other: $1,788,632

Bounties earned, by country of the hacker:
USA: $7,204,299
China: $5,355,683
India: $4,401,251
Russia: $3,083,973
Germany: $1,920,452
Canada: $1,653,313
UK: $1,430,886
France: $1,223,231
Hong Kong: $1,040,347
Argentina: $985,681
Other: $16,455,626
MARKET SPOTLIGHT

NORTH AMERICA
Total bounties awarded: $39,622,760 (growth YoY: 93%)
Bounties earned: $8,859,363 (growth YoY: 93%)
Regional share of new programs: 72%
Regional program growth YoY: 72%

EMEA
Total bounties awarded: $3,724,385 (growth YoY: 86%)
Bounties earned: $18,915,495 (growth YoY: 86%)
Regional share of new programs: 20%
Regional program growth YoY: 41%

APAC
Total bounties awarded: $881,586 (growth YoY: 68%)
Bounties earned: $14,457,828 (growth YoY: 66%)
Regional share of new programs: 6%
Regional program growth YoY: 93%

LATIN AMERICA
Total bounties awarded: $418,323 (growth YoY: 371%)
Bounties earned: $1,848,670 (growth YoY: 371%)
Regional share of new programs: 2%
Regional program growth YoY: 29%
SPOTLIGHT

HACK FOR GOOD DOES GOOD

In many countries, hackers can earn several times the median salary of a local software engineer. These hackers are not just making the internet safer, they're also giving back to their local and global communities.

In The 2020 Hacker Report, 27% of hackers said they donated at least a portion of their earnings to charitable organizations. The impact of COVID-19 prompted an unprecedented amount of support from hackers who volunteered to help relief efforts across the world. The community itself has created new initiatives, for example Marc Rogers' CTI League, which combats hacks against medical facilities and other frontline responders, and the US Digital Response, which provides experienced technologists to help governments deliver critical services. Individual hackers even raised their hands to help healthcare providers deal with incoming threats.

The dedication and genuine care shown by this community has inspired HackerOne to create Hack for Good. Launched during #h1-2004, a 13-day virtual bug bounty event for Verizon Media, Hack for Good gives hackers an easy way to donate their bounty earnings to a worthy cause. The first recipient, receiving $30,000 from generous hackers, was The World Health Organization (WHO) COVID-19 Solidarity Response Fund. Donations were used to support WHO and their global partners in their pandemic fight.

With Hack for Good, hackers now have the ability to easily donate full or partial amounts of their bounties to community-selected charities that rotate each quarter.

Hackers have earned $45 million / €38 million / ¥314 million in the past year from the nearly two thousand organizations they've helped.
CHAPTER 2 // INDUSTRY SCORE-CARDS

Hacker-powered security comes in many flavors, from simply providing a clear path for anyone to alert you to a potential risk, to integrating hacker-powered methods directly into your security, testing, and software development processes. Programs can be open to anyone or limited to trusted, vetted hackers; free or pay-for-results; customized or turnkey; run internally or completely managed by experts. They can even be used to assess security measures, retest bug fixes, increase the security awareness of development, and more. With this flexibility, hacker-powered security can meet the security needs of any organization.

Public programs have 5x the number of hackers reporting valid vulnerabilities as private programs.

40% of programs started in the past year were in Computer Software and Internet & Online Services.

Private programs: 81%. Public programs: 19%.

Bug bounty programs are dominated by companies in Computer Software and Internet & Online Services.
Most organizations begin with a vulnerability disclosure
policy (VDP). It offers an easy, open process for
anyone who spots a potential vulnerability to report it
to an organization’s appropriate teams. Pentests put
continuous hacker talent and creativity to work for
compliance and other requirements. The bug bounty
program is the most advanced form of hacker-powered
security, and has a wide range of applications and
approaches. It gives hackers a monetary incentive—
the bounty—to search for and report vulnerabilities.
Bounty programs can be public or private, continuous
or time-bound, and even used during in-person
and virtual events.
Public bug bounty programs, like those of Starbucks,
AT&T, Hyatt, and Goldman Sachs, are open to
everyone, while private programs require that individual
hackers are invited or accepted via an application
process to participate. Public programs are open to the
widest range of hacker diversity and therefore produce
superior results. On average, public programs have
nearly five times the number of hackers reporting
valid vulnerabilities versus private programs. Similar to
past years, private programs make up 81% of all bug
bounty programs on HackerOne and public programs
make up the remaining 19%.
Figure 6: Percentage of public vs private programs.
HOW EACH INDUSTRY STACKS UP
When you dig into industry-specific data, things get
a bit more interesting. Cryptocurrency & Blockchain
organizations, for example, have the highest share of
public programs when compared to other industries
at 43%. On the other end of the spectrum, Healthcare
and North American state and local governments run
only private programs. Other industries with few public
programs are Computer Hardware & Peripherals (7%)
and Travel & Hospitality (8%).
Bug bounty programs are extremely common in
Computer Software and Internet & Online Services,
with those industries accounting for nearly half of the
total programs and 40% of all new programs started
in the past year, and paying more than 72% of the
total bounties awarded in the past year. But others are
quickly adopting hacker-powered security. Industries
with year-over-year program growth of 200% or greater
include Computer Hardware (250%), Consumer Goods
(243%), Education (200%), and Healthcare (200%),
while Media & Entertainment grew by 164%, Retail
& eCommerce doubled, and Financial Services and
Computer Software each grew by more than 75%.
Other industries are paying more bounties to more
hackers, too. Industries paying more than $1 million
/ €850,000 / ¥7 million in bounties in the past year
include Telecommunications ($2,497,042), Financial
Services ($2,286,351), Media & Entertainment
($1,826,974), and Automotive ($1,048,090).
Industry Scorecards

                                  BOUNTY PROGRAMS                            BOUNTY AWARDS
Industry                          Private   Public   Share of   Share of     2019          % of total
                                                     total      new
Computer Hardware & Peripherals   93%       7%       3%         1%           $415,994      0.9%
Computer Software                 82%       18%      20%        16%          $16,263,982   36.3%
Consumer Goods                    98%       2%       2%         4%           $253,763      0.6%
Cryptocurrency & Blockchain       57%       43%      4%         2%           $518,565      1.2%
Electronics & Semiconductor       76%       24%      1%         0%           $381,250      0.9%
Financial Services & Insurance    87%       13%      8%         9%           $2,286,351    5.1%
Government International          65%       35%      1%         1%           $134,729      0.3%
Government NA Federal             90%       10%      1%         2%           $667,228      1.5%
Government NA Local               100%      0%       0%         0%           $19,583       0.0%
Healthcare                        100%      0%       1%         1%           $104,050      0.2%
Internet & Online Services        79%       21%      27%        24%          $16,079,195   35.9%
Media & Entertainment             80%       20%      7%         7%           $1,826,974    4.1%
Other                             74%       26%      11%        19%          $1,525,877    0.5%
Professional Services             84%       16%      3%         3%           $256,229      0.6%
Retail & eCommerce                87%       13%      4%         3%           $1,004,045    2.2%
Telecommunications                88%       12%      1%         1%           $2,497,042    5.6%
Travel & Hospitality              93%       8%       2%         1%           $519,885      1.2%
Overall                           81%       19%                              $44,754,742
THE BIGGEST BRANDS STILL LAG: FORBES GLOBAL 2000 BREAKDOWN

Each year, HackerOne analyzes the Forbes Global 2000 list of the world’s most valuable public companies as one benchmark for public VDP adoption. Based on the 2020 Forbes Global list, 82% of the Forbes Global 2000 do not have a known policy for vulnerability disclosure as of July 2020. That’s a huge improvement compared to 93% on the 2017 list and 94% on the 2016 list, but it shows that fewer than 1 in 5 of the world’s most valuable public companies are utilizing this important security mechanism.
Figure 7: Share of Forbes Global 2000 companies in various countries that have a known VDP. Countries shown: United States, Germany, Australia, United Kingdom, Singapore, France; values shown: 28%, 25%, 26%, 19%, 22%, and 0% have a known VDP.

82% of Fortune Global 2000 companies do not have VDPs.

63% of global organizations require IT suppliers to have a VDP.
VDP adoption varies widely across industries and
regions. Only 13% of Global 2000 Transportation
companies have VDPs, including Toyota, General
Motors, Lufthansa, Tesla, and American Airlines.
Just 21% of Healthcare companies have a
known VDP. Approximately one-third of those in
Telecommunications & Media (35%) and Financial
Services (32%) have known VDPs, including AT&T,
Citigroup, JPMorgan Chase, and ING. Computer
Software leads in the deployment of VDPs
with 69% adoption.
The pace of adoption is extremely slow and
organizations continue to push for more progress. In
North America, the U.S. Department of Justice offers
a framework and the U.S. Department of Homeland
Security provides a template and issued a Binding
Operational Directive requiring agencies to establish
a VDP. In EMEA, the European Union Agency for
Cybersecurity (ENISA) has a “good practices guide”
and the National Cyber Security Centre in the Netherlands
publishes guidelines. In APAC, the Singapore Infocomm
Media Development Authority acts as a central point
of disclosure for the country’s telecommunications
industry, and the “Standards for Handling Software
Vulnerability Information and Others” has been offered
by the Japan Ministry of Economy, Trade and Industry
since 2004.
Continued encouragement and guidance are vital to
reducing risk, as nearly 1 in 4 hackers have not reported
a vulnerability that they found because the company
didn’t have a channel to disclose it. Having a VDP in
place reduces the risk of a security incident and places
the organization in control of what would otherwise be
a chaotic workflow.
5 CRITICAL COMPONENTS FOR EVERY VDP PROGRAM

Promise: Demonstrate a clear, good faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities.
Scope: Indicate what properties, products, and vulnerability types are covered.
“Safe Harbor”: Assures that reporters of good faith will not be unduly penalized.
Process: The process finders use to report vulnerabilities.
Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated.

Spotlight // CREATING A VULNERABILITY DISCLOSURE POLICY
Relying only on your internal security team to
keep your company safe isn’t just unreasonable,
it’s impossible. Your team doesn’t have enough
hours in the year to possibly search for, detect,
and investigate every possible security risk across
your business. Sometimes, they don’t have the skill
sets or expertise. So, enlisting everyone’s help in
plugging security gaps isn’t just good for security,
it’s good for your brand, your reputation, and your
customers’ trust. It’s also a best practice and a
regulatory expectation.
A Vulnerability Disclosure Policy (VDP) is the first
step in helping protect your company from an attack
or premature vulnerability release to the public.
It gives hackers and security researchers clear
guidelines for reporting security vulnerabilities to
the proper person or team within your company.
VDPs are often referred to as the “see something,
say something” of the internet. When a skillful eye
spots a potential risk, you want to make it as easy
and straightforward as possible for them to make
you aware. Without it, those vulnerabilities remain
unknown, unfixed, and potentially unleashed to
people outside your organization, exposing your
business and your brand to unnecessary risk or
disastrous consequences.
But the VDP paradox is that, even though 63%
of global organizations say they require their IT
suppliers to have a VDP, more than 82% of the
Fortune Global 2000 companies do not have VDPs
of their own! Security is a business imperative,
and actively encouraging hackers to alert you to
vulnerabilities is good business.
HackerOne has revolutionized VDPs to make it easy
to work directly with trusted hackers to resolve
critical security vulnerabilities. Our VDP structure
is based on the recommended practice outlined in
the Cybersecurity Framework by the United States’
National Institute of Standards and Technology (NIST).
Since 2012, HackerOne has partnered with thousands
of organizations to unlock the security value of the
global hacking community. Now, HackerOne has
become the only hacker-powered security vendor to
receive FedRAMP authorization.
Figure 8: Industry adoption, plotted from early adopter to follower against business value of adoption. Industries shown: Government-Federal, Automotive, Healthcare, Financial Services, Retail & Commerce, Telecommunications, Aerospace.

INDUSTRY ADOPTION
In 77% of cases, public bug bounty programs receive
their first vulnerability report within the first 24 hours.
For the U.S. Army, it only took five minutes. Once a
customer has confirmed the vulnerability is valid, they
have the opportunity to reward the hacker and fix the
issue.
HackerOne tracks the time-to-vulnerability resolution
for all programs. A speedy resolution significantly
reduces the risk of a breach. Speed is also important
to hackers, who prefer a fast first response to their
vulnerability report submissions. This lets hackers
know that their report was received and is being
investigated. Once a report is validated, hackers
prefer to be awarded their earned bounty as
quickly as possible.
Nearly all industries respond to hackers in less than
one day, with the fastest being Automotive and Media
& Entertainment companies. Both sectors have median
first response times of less than 4 business hours. Time
to resolution and time to bounty award vary widely
across the industries: Cryptocurrency & Blockchain (11.7
days) and Professional Services (16.0 days) are among
the fastest, while Telecommunications (40.3 days) and
Government Federal NA (39.0 days) are the slowest.
For time to bounty, the fastest industries are Financial
Services & Insurance (0.9 days) and Retail & eCommerce
(1.6 days). Government Federal NA is, by far, the slowest
to pay bounties, with a median time to bounty of 27.1
days. The next slowest is Telecommunications, which
pays nearly twice as fast, with a median time to bounty
of 13.6 days.
THE PACE OF RESOLUTION VARIES BY INDUSTRY
TIME TO RESPONSE, RESOLUTION, BOUNTY (DAYS, MEDIAN)

                                  Time to first   Time to       Time to
                                  response        resolution    bounty
                                  (hours)         (days)        (days)
By region
APAC                              0.53            18.3          3.7
North America                     0.68            22.8          5.3
EMEA                              0.73            18.0          3.1
LATAM                             0.66            32.8          2.1

By industry
Computer Hardware & Peripherals   0.9             30.6          9.2
Computer Software                 0.8             22            4.8
Consumer Goods                    0.7             20.1          2
Cryptocurrency & Blockchain       0.8             11.7          3.1
Electronics & Semiconductor       0.4             17.2          4.3
Financial Services & Insurance    0.8             16.2          0.9
Government International          0.6             20.8          3.0
Government NA Federal             0.6             39            27.1
Government NA Local               1.5             7.6           0.2
Healthcare                        0.9             24.8          2.3
Internet & Online Services        0.7             18.9          5.7
Media & Entertainment             0.4             25.1          6
Other                             1.7             17.9          6.2
Professional Services             1.2             16            1.7
Retail & eCommerce                0.6             20.4          1.6
Telecommunications                0.9             40.3          13.6
Travel & Hospitality              0.6             19.6          1.6
Overall                           5.4             21.8          4.8
CONTINUOUS INTEGRATION AND CONTINUOUS
DELIVERY have become the new benchmark for
DevOps teams. Applications are delivered faster, code
changes are automatically pushed into production, and
teams are developing in-house apps without external
feedback. The speed of development now matches the
speed of innovation.
This fast pace and these frequent release cycles, coupled
with emerging languages, have kept CISOs on their
toes as companies grow and corners are cut to get
releases out the door. That pressure has also pushed more
teams to “shift left” on their security efforts: improving
coding practices, identifying and eliminating vulnerabilities
during development, and reducing risk as code moves
into production.
THE BEST COMPLEMENT FOR CONTINUOUS
DEVELOPMENT IS CONTINUOUS SECURITY.
While building security into your software development
lifecycle (SDLC) without slowing down development
is a challenge, hacker-powered security can help. Bug
bounty programs empower companies to build a more
security-aware engineering team who can work to
close gaps before they’re released.
By pushing security and vulnerability intelligence to
the left in a SDLC, continuous security helps protect
future releases against threats. It prevents new
products and applications from going into production
with vulnerabilities. And it maximizes bounty program
value to the organization and reduces the risk of future
breaches. In other words, the same vulnerability
reports used to drive improvements in your software
production process can also ensure future code is
continuously more secure. Ship code, not bugs.
As organizations begin a bounty program, they
rightly focus on fine tuning the basic bugs in, bugs
out process. When welcoming outside hackers into
your security operations is still new, there is a lot to
get right—things like effective communications with
hackers, triage, reproducing reported vulnerabilities,
severity classification, bounty amounts, resolution
process, and more. HackerOne has multiple resources
available to help, from guides to our expert professional
services team.
Read how Verizon Media used a bug bounty program to
“shift left” in the SDLC.
Spotlight // CONTINUOUS DEVELOPMENT NEEDS CONTINUOUS SECURITY

SECURITY IS NOT A ONE-TIME THING, BUT A CONTINUOUS CYCLE.
“We know that there are always going
to be bugs in software development.
As we develop, and as we iterate,
we want to make sure security is
an active part of that process, and
never a roadblock to innovation. The
HackerOne bug bounty program
allows us to put another cog in the
wheel of security.”
PETE YAWORSKI
Senior Application Security
Engineer, Shopify
CHAPTER 3 // BOUNTY TRENDS BY VULNERABILITY SEVERITY AND TYPE

By studying the trends and statistics of vulnerability reports, organizations can better prepare security and engineering teams for incoming report submissions. Benchmarking against industry standards also helps improve everyone’s vulnerability disclosure and bug bounty programs. And, looking at trends on severity classifications and vulnerability types helps organizations, and the community as a whole, understand shifting areas of risk and prioritization.

Median value paid for critical vulnerabilities on HackerOne: $2,500
Average bounty paid for critical vulnerabilities on HackerOne: $3,650
Incoming vulnerability reports are categorized by
the vulnerability type and severity. To determine
the type, HackerOne uses a vulnerability taxonomy
mapped to the industry standard Common Weakness
Enumeration (CWE). For severity, HackerOne uses
the Common Vulnerability Scoring System (CVSS), an
industry standard calculator used to determine bug
severity. The hacker can either choose a severity level
based on their own judgment, or they can use the
CVSS.
Although customers themselves set bounty tables,
HackerOne offers recommendations and insights,
similar to this report, to help organizations benchmark
their offered bounties against similar companies.
Severity is particularly useful for structuring bounty
ranges. When combined with the vulnerability type,
this information streamlines the resolution process,
allowing teams to integrate vulnerability reports with
existing bug tracking systems. It also helps set hacker
expectations on potential report resolution and bounty
payouts.
Bounty Trends // Severity
Critical vulnerabilities make up just 8% of all reports.
Medium severity bugs account for 40%, while low
severity (34%) and high severity (18%) make up the
remainder.
The median value paid for critical vulnerabilities on
HackerOne was $2,500 / €2,120 / ¥17,400, which is up
25% from the 2019 median of $2,000, and double the
$1,250 median of 2017. Critical vulnerabilities carry the
most potential risk, so bounty values are generally
much higher. The median value of a critical bug bounty
is 2.5 times that of a bug of high severity, and more
than 6 times that of a bug of medium severity. As
organizations fix more vulnerabilities and harden their
attack surface, bounty values naturally increase over
time, since vulnerabilities become more difficult to
identify, thus requiring more skill and effort to discover.
The average bounty paid for critical vulnerabilities
across all industries on HackerOne rose to $3,650 /
€3,100 / ¥25,460 in the past year, up from $3,384 in
2019, $2,281 in 2017, and $1,977 in 2016.
VULNERABILITIES BY SEVERITY
Figure 9: Percentage of vulnerabilities categorized by critical, high, medium, or low severity. Data from 2018-2019.

MEDIAN BOUNTY VALUE BY SEVERITY
Figure 10: Median bounty values by severity. Critical $2,500; High $1,000; Medium $400; Low $150.

AVERAGE BOUNTY FOR CRITICAL VULNERABILITIES OVER TIME
Figure 11: Average bounty values for critical vulnerabilities over time (2016 to 2020).
Bounty Trends // Regional

MEDIAN BOUNTY PAID BY SEVERITY BY REGION
AVERAGE BOUNTY PAID BY SEVERITY BY REGION
Figure 12: Median and average bounty values for vulnerabilities, by region (N. America, LATAM, EMEA, APAC) and severity type (critical, high, medium, low).
Region Spotlight // NORTH AMERICA
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. OPEN REDIRECT
6. VIOLATION OF SECURE DESIGN PRINCIPLES
7. PRIVILEGE ESCALATION
8. BUSINESS LOGIC ERRORS
9. INSECURE DIRECT OBJECT REFERENCE
10. CROSS-SITE REQUEST
Note: The remaining percentage that is omitted consists of any additional types of vulnerabilities that did not make the top ten.
Critical bug bounty average: $4,263
Critical bug bounty median: $3,000
Regional bug bounty values vary as well. The average
bounty paid for a critical bug in North America was
$4,263 over the past year. That average was $1,547 in
EMEA, $1,893 in APAC, and $2,567 in Latin America.
Region Spotlight // EMEA
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. VIOLATION OF SECURE DESIGN PRINCIPLES
6. INSECURE DIRECT OBJECT REFERENCE
7. OPEN REDIRECT
8. BUSINESS LOGIC ERRORS
9. CROSS SITE REQUEST
10. BRUTE FORCE
Critical bug bounty average: $1,547
Critical bug bounty median: $1,000

Region Spotlight // APAC
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. CROSS-SITE REQUEST FORGERY (CSRF)
6. BUSINESS LOGIC ERRORS
7. OPEN REDIRECT
8. INSECURE DIRECT OBJECT REFERENCE (IDOR)
9. VIOLATION OF SECURE DESIGN PRINCIPLES
10. BRUTE FORCE
Critical bug bounty average: $1,893
Critical bug bounty median: $2,000

Region Spotlight // LATIN AMERICA
TOP 10 VULNERABILITY TYPES (share of reports, as shown in the chart)
1. XSS: 20%
2. INFORMATION DISCLOSURE: 15%
3. IMPROPER ACCESS CONTROL - GENERIC: 15%
4. INSECURE DIRECT OBJECT REFERENCE (IDOR): 7%
5. VIOLATION OF SECURE DESIGN PRINCIPLES: 7%
6. CROSS-SITE REQUEST FORGERY (CSRF): 7%
7. BUSINESS LOGIC ERRORS: 6%
8. OPEN REDIRECT: 5%
9. PRIVILEGE ESCALATION: 2%
10. SERVER-SIDE REQUEST: 2%
Critical bug bounty average: $2,567
Critical bug bounty median: $1,800
56
The highest average bounty payments by industry for critical issues come
from Computer Software ($5,754), Electronics & Semiconductor ($4,663),
and Cryptocurrency & Blockchain ($4,481). Those are all significantly higher
than the platform average of $3,650. For all vulnerabilities reported of any
severity, the average bounty payout was $1,024, up 33% from $771 last
year, and up 119% from $467 in 2017.
Bounty Trends // Payouts

AVERAGE BOUNTY PAYOUT PER INDUSTRY FOR CRITICAL VULNERABILITIES
Figure 13: Average bounty paid for critical vulnerabilities, by industry (y axis: average $ bounty, $0 to $6,000). Industries shown, from lowest to highest: Pharmaceuticals, Government NA Federal, Government International, Other, Consumer Goods, Aviation & Aerospace, Government NA Local, Education, Computer Hardware & Peripherals, Retail & eCommerce, Travel & Hospitality, Healthcare, Financial Services & Insurance, Media & Entertainment, Medical Technology, Professional Services, Telecommunications, Internet & Online Services, Automotive & Ground Transportation, Cryptocurrency & Blockchain, Electronics & Semiconductor, Computer Software.
The average amount paid per vulnerability of any
severity level is $979 / €831 / ¥6,834, which increased
by 9% from last year’s average. That’s a small price to
pay compared with the legal, brand, and engineering
impact of a security breach, which the Ponemon
Institute and IBM Security estimates at an average cost
of nearly $4 million.
AVERAGE BOUNTY PAYOUT BY SEVERITY
Figure 14: Average bounty payout by severity (Low, Medium, High, Critical), shown at the 50th, 60th, 80th, 90th, and 99th percentiles; y axis $0 to $25,000.

Bounty Trends // Vulnerabilities

REPORTED VULNERABILITIES BY TYPE
Figure 15: Top 10 reported vulnerability types (share of reports, as shown in the chart).
1. XSS: 23%
2. INFORMATION DISCLOSURE: 18%
3. IMPROPER ACCESS CONTROL - GENERIC: 10%
4. IMPROPER AUTHENTICATION - GENERIC: 7%
5. VIOLATION OF SECURE DESIGN PRINCIPLES: 6%
6. OPEN REDIRECT: 6%
7. BUSINESS LOGIC ERRORS: 5%
8. INSECURE DIRECT OBJECT REFERENCE (IDOR): 5%
9. PRIVILEGE ESCALATION: 5%
10. CROSS-SITE REQUEST FORGERY (CSRF): 4%
HackerOne live hacking events: 23
Total reports from live hacking events: 6,800
Earned by hackers at events: $9 MILLION

Spotlight // VIRTUAL LIVE HACKING EVENTS
Live Hacking Events bring together hackers from across the globe
to participate in a single- or multi-day hacking challenge targeting a
specific set of customer assets. These events put hackers in the same
room as the target program’s security team, offering an opportunity
for unmatched focus, impact, and bounty earnings. As of this report,
HackerOne hosted 23 events, with 15 customers, in 12 different cities
around the world. Hackers have earned more than $9 million and
submitted over 6,800 reports at these events.
“The live hacking events are really
great. They give us the opportunity
to meet face to face with the hackers
who are active on our platform, it gets
them an opportunity to meet with
each other as well, and it facilitates
a fantastic ideas exchange. It’s a fun
and competitive atmosphere and it
pushes everyone together to be better
hackers, to be better defenders, and to
be smarter about how you approach
these problems. Now, obviously under
COVID we can’t do those virtual events
right now, so we’ve pivoted to doing
virtual events… In a way, we’re helping
create a more diverse environment
and we get the benefit of those diverse
experiences that those researchers
bring, and it might help us bring some
new ideas into the program that we
can all benefit from.”
SEAN ZADIG
VP & CISO, Verizon Media,
during a HackerOne Fireside Chat
Highest ever single-day bounty payout: $1 MILLION
Reports over two weeks of #h1-2004: 286
When the COVID-19 pandemic
curtailed travel, HackerOne quickly
moved to a virtual format, which
has been lauded by both security
teams and hackers.
Verizon Media ran the first ever
Virtual Live Hacking Event on March
25, 2020, dubbed #h1-2004. Hackers
from all over the world submitted
286 reports over the course of two
weeks, earning them over $673,000
in bounties. The event included
a full schedule of hacking, plus
hacker panels and interviews, which
provided a great opportunity to
both learn and earn.
As the original event was intended
to be in Singapore, The Paranoids
(Verizon Media’s security team)
wanted to ensure that the local
hacker base was able to participate
in a big way.
We invited 50 hackers from across
the globe, with over 30% from the
APAC region, including Singapore,
Hong Kong, India, and New
Zealand.
“If someone were to ask me about
my favorite live hacking event,
#h1-2004 would be at the top of
my list,” said Sean Poris, Director of
Product Security at Verizon Media.
“It was amazing to see people come
together during this pandemic to
have deep conversations, to laugh
a little bit, and bring the community
together.”
#H1-2004

4,282 hackers participated in #h1-2006’s CTF.
45% of vulnerability reports from live hacking events are high or critical severity.
In May 2020, PayPal and HackerOne joined forces for
a “Capture the Flag” (CTF) event. The winners of the
CTF earned invitations to #h1-2006, the world’s second
Virtual Live Hacking Event. HackerOne got creative with
this CTF, with the premise based on a fictitious tweet
from HackerOne’s CEO claiming that he lost the login
details required to make bounty payments. It called
on hackers to help retrieve those account details and
put bounty payments back on track. The top 3 hackers
of the CTF, Nytr0gen, Zoczus, and bugra, were then
invited to the PayPal live hacking event.
Over the one week live event, 4,282 hackers
participated and 55 successfully accomplished the
task to process hacker payments. Judges then
reviewed vulnerability report submissions on creativity,
completeness, and story, and then announced the
winners. As seen in the recap video, hackers thoroughly
enjoy the collaboration, education, and competition of
these events.
#H1-2006
Virtual and in-person Live Hacking Events offer a
fun, dynamic, and educational environment that
encourages hackers to work in a focused and
collaborative manner. These events, some reaching
over 3,000 combined testing hours, target key assets
and areas of concern to quickly discover critical
vulnerabilities while offering security teams a clear
ROI. Hackers submit more than 200 reports during the
typical event, with 45% being high or critical severity,
on average.
HackerOne is preparing for more Live Hacking Events
in 2020 and 2021, both virtual and in-person as soon
as appropriate.
Customer Spotlight // U.S.
THE ROOTS OF AT&T STRETCH BACK NEARLY 150 YEARS
TO THE ORIGIN OF THE TELEPHONE ITSELF and across
its innovations in transistors, communication satellites,
and machine learning. The company has also expanded
far beyond telecommunications to become a modern
media company, a fiber and wireless connectivity
provider, and a software-based entertainment provider
with brands like WarnerMedia, HBO, and TBS.
The company continued their innovative ways in
July 2019 by becoming the first communications
company of its size to launch a bug bounty program on
HackerOne. After having run a self-managed program
since 2012, moving to HackerOne quickly increased
the number of bugs received and the quality of incoming
reports. It also expanded the AT&T program by opening
it to a global network of skilled hackers and adding
all of the company’s public-facing online properties,
including websites, exposed APIs, mobile applications,
and devices.
In the first year of the public program on HackerOne,
AT&T resolved over 2,850 vulnerabilities and paid out
$1,129,075 in bounties based on input from 850 hackers
worldwide. The findings have helped AT&T understand
holes in their security and use those insights to ensure
they are patched across other essential products and
services.
AT&T
Bug reports resolved: 3,000+
Bounty awards: $1,211,000+
“Operating a bug bounty program is about getting
one step ahead of the game by being hands-on and
predictive,” explained Reynaldo Candelario, Principal
Technology Security at AT&T. “It’s another approach
to detect software and configuration errors that can
slip past developers and later lead to big problems.
Hacker-powered security has helped our technology
teams learn and resolve vulnerabilities that would not
have been revealed by any internal security discovery
methods.”
To date, AT&T has paid out more than $1,211,000 in
bounty awards and resolved more than 3,000 bug
reports. The company plans to continue expanding
its bug bounty program into other segments of the
business to increase the already tangible ROI and
further improve the company’s digital security.
“The program will always be in a constant evolution
of change to ensure a balance is given to everyone
that participates in the program,” concludes Reynaldo.
“We look forward to continuing our collaboration with
the hacker community to improve our program and
partnership.”
GO BEYOND COMPLIANCE WITH HACKER-POWERED PENTESTS
Penetration tests are a staple of nearly every security
program. They have been used for decades as a viable means
for evaluating the security of a specific scope of technology.
Pentesting remains a necessary exercise to identify
weaknesses and for compliance, but traditional pentests are
often delivered with limited transparency into the testing
process and they provide only an occasional, point-in-time
view of risk. They’re further limited by the traditional process,
which devotes a small pool of researchers at a specific scope
for just a few weeks.
“THIS IS VALUE THAT WE NEVER GOT FROM A PENTEST.
TRADITIONAL PENTESTS ARE NOT ENOUGH FOR MODERN
DAY SECURITY.”
GEORGE GERCHOW
Chief Security Officer, Sumo Logic
Crowdsourced pentests are becoming a common and
effective means of continuous, proactive security
testing and broad investigation of a technology’s
security risks. Unlike traditional penetration tests,
which are one-off exercises designed for a compliance
checklist, hacker-powered pentests can be seamlessly
incorporated into your security strategy.
These hacker-powered pentests utilize the creative
diversity, varying skills, and broad approaches of
the hacker community, deployed continuously and
on varied applications. What’s more, the cost is tied
directly to validated results rather than effort. In fact,
a Total Economic Impact (TEI) report from Forrester
Consulting found that a HackerOne Challenge
eliminated $156,784 in total costs and reduced internal
security and application development efforts, saving an
additional $384,793 over three years.
HackerOne’s powerful platform allows security teams
to redefine the way they respond to vendor security
assessments and compliance needs. HackerOne
Pentests bring a creative, community-led approach to
pentests to offer more coverage, instant results, and
seamless remediation workflows all in one platform.
It provides the visibility to track progress and interact
with researchers from the kickoff, discovery, and
testing, through to the retesting and remediation
phases of a pentest. Those real-time insights empower
security teams to act on vulnerabilities as they are
found instead of waiting for them to come weeks later.
Many security leaders draw a false distinction
between compliance and security. According to our
research, more than two-thirds of security leaders
believe pentests strengthen software—but they are
making a grave error if they believe that compliance
is more important than reducing risk and finding
vulnerabilities, or that the two are separable. Instead,
an overall security strategy should include approaches
that check the compliance box while also finding bugs
before they can be exploited.
HackerOne Pentests, however, fulfill both regulatory
compliance and customer assessment needs with
compliance-ready reports to satisfy SOC 2 Type II, ISO
27001, and more. The findings are also summarized
in an actionable, methodology-based report to help
security teams better understand how to reduce risk.
To learn more, see how HackerOne Pentests improves
upon traditional pentests.
“WE TURNED TO HACKERONE FOR SCALABLE REAL-TIME TESTING THAT
WOULD LOOK IN THE PLACES WE WEREN’T LOOKING—NOT A SIMULATION OR
TEMPLATED TEST—FOR SOC 2 COMPLIANCE.”
STEVE SHEAD
Vice President InfoSec & IT, Grand Rounds
Spotlight // THE VALIDATED ROI OF HACKER-POWERED PENTESTS

To find the gaps that can lead to security incidents, you need pentesters with the creativity to think beyond a standard checklist. Pentests are opportunities to discover weak spots in your defenses, bring a fresh set of eyes to engineering’s code, and add a virtual security team that can be spun up or down as needed and without requiring onsite access.

Benefits: $541,577
Costs: $252,127
ROI: 115%
Hacker-powered pentesting adds a broad array of specialized skills, experience,
and creativity to find security gaps unique to your business and technologies.
Where traditional pentests fall short—limited team of testers and approaches,
slow turnaround of results, and a lack of real-time visibility into findings—hacker-
powered pentests rise above. They also save money.
A Forrester Consulting Total Economic Impact™ (TEI) analysis used interviews
with HackerOne customers to gauge the financial and qualitative impact of
HackerOne Challenge over traditional security testing methods. Customers say
they eliminated costs “orders of magnitude higher than the HackerOne cost,”
received results faster, and consumed less effort from the internal security
team.
HackerOne Challenges also offer more robust testing methods, instant
feedback, and detailed vulnerability reports as compared with traditional
point-in-time testing such as pentests. This is a direct result of the creativity,
expertise, and experience of the hacker community. The increased detail in
vulnerability reports also helped inform upstream engineering and development
teams, which reduced application development times.
In total, Forrester’s interviews and financial analysis concluded that an
organization using hacker-powered pentests experienced benefits of $541,577
over three years versus costs of $252,127, adding up to a net present value (NPV)
of $289,450 and an ROI of 115%.
To learn more, download your copy of the Forrester TEI report today.
The key benefits found by Forrester include:
A 50% reduction in security testing duration.
A total cost of ownership (TCO) per pentest of just $41,350.
A reduction in internal pentesting effort of 66%.
“We tried pen testing before and found it very
expensive and practically useless. We paid many
thousands of dollars and they only found a few bugs.
The first week we launched HackerOne they found
several high priority bugs we fixed immediately.
Huge value at a fraction of the costs.”
AMOS ELLISTON
CTO, Flexport
69
Bug reports resolved: 1,000
Bounties paid in the 3 months prior to the publishing of this report: $1 MILLION +
70
Customer Spotlight: PayPal
THE SECURITY TEAM AT PAYPAL, the popular digital
payments platform, is tasked with protecting the
personal and financial information of 325 million active
accounts, in more than 200 markets around the world.
The company has been running a bug bounty program
since 2012, transitioning to the HackerOne platform
in 2018. This move instantly opened the program to a
massive community of hackers and, as expected, an
increase in participation. In just the first six months of
moving to HackerOne, PayPal received reports from
890 researchers across 56 countries, compared to just
365 researchers in the prior six months.
“Security has always been a top priority for our
business, ingrained into the fabric of everything we
do,” says Ray Duran, Information Security Engineer
at PayPal. “In addition to being able to work with a
broader more diverse set of researchers, HackerOne
has enabled us to process bounty awards for qualifying
submissions faster and get direct feedback from
researchers on how to further improve our program.”
In the first 7 months of its program, the company
reached $1,000,000 in bounties paid. Over the
program’s first 2 years, PayPal has awarded nearly
$4,000,000 in bounties, with over $1,000,000 paid
in the 3 months prior to the publishing of this report.
The company is also closing in on 1,000 total reports
resolved.
71
“SECURITY HAS ALWAYS BEEN A
TOP PRIORITY FOR OUR BUSINESS,
INGRAINED INTO THE FABRIC OF
EVERYTHING WE DO.”
RAY DURAN
Information Security Engineer at PayPal
72
CHAPTER 4 // HACKERS
TODAY’S HACKER COMMUNITY
Hackers are the soul of the cybersecurity community
and the immune system of the internet. What started
in the dark underbelly of the internet has turned into
a global movement of talented and creative people
who enjoy digging into the technology that makes the
internet work. There are now more than 830,000
hackers registered on the HackerOne Platform. They’ve
earned more than $100 million / €85 million / ¥696
million through reports on more than 181,000
vulnerabilities.
73
Total registered hackers: 830,000+
Amount paid to hackers in the past year: $44.75 MILLION
74
The 2020 Hacker Report, a benchmark study of the
bug bounty and vulnerability disclosure ecosystem,
details the efforts and motivations of hackers from
across the globe who are working to protect the
2,000+ companies and government agencies on the
HackerOne platform. These hackers are a force for
good. They earn money, learn valuable skills, or build a
career by hacking. In fact, the potential earnings power
of a hacking career is well above today’s global average
IT salary of $89,732.
HACKERS
Countries represented in the hacker community: 226
19% of the hacking community hails from India
75
76
Customer Spotlight // EMEA: Costa Coffee
Costa Coffee shops in Europe: 4,000
Costa Coffee has been serving up coffees to Londoners
since 1971. In the past 50 years, they’ve added 4,000
Costa Coffee shops and 10,000 Smart Cafe machines
across Europe, Asia, and the Middle East. Now, as they
expand to the U.S., the company has launched a bug
bounty program to help protect its loyal customers’
data.
“We see bug bounty as a key addition to our existing
security testing capabilities, which also includes an
established pentesting program,” said Matt Adams,
Global Security Architect at Costa Coffee, in an
interview. “However, the ability to access a wide variety
of hackers, each bringing their unique approach and
tactics to our program, will enable us to efficiently scale
our testing activities.”
The company has been preparing for this continued
global expansion, and the addition of a bounty program
is part of its multi-year security transformation
program. The hacker-powered security program also
helps accelerate their security efforts to maintain pace
with their agile software development lifecycles.
“The opportunity for continuous testing that a
bug bounty program provides also aligns with our
increasing adoption of agile development practices and
CI/CD pipelines,” said Matt. “Our vision for the program
is that it will enable our security testing processes
to move at the same rapid pace as our development
teams.”
77
It all combines to help Costa Coffee respond to the
changing global threat landscape, especially as more
personal data is collected via its customer loyalty
program. Keeping those customers happy is critical to
maintaining the company’s brand reputation, which is
why its security team chose to work with HackerOne.
“As this is a new initiative for Costa Coffee, it was
important for us to engage a trusted provider in order
to help to build confidence in the bug bounty concept,
and one that we were confident would deliver a
successful program,” Matt added. “As the leading bug
bounty platform, HackerOne was the obvious choice.”
“AS THE LEADING BUG BOUNTY
PLATFORM, HACKERONE WAS THE
OBVIOUS CHOICE.”
MATT ADAMS
Global Security Architect at Costa Coffee
78
WHO ARE THE
HACKERS AND
WHY DO THEY
HACK?
HOW MANY YEARS HAVE YOU BEEN HACKING?
Figure 17: How long have you been hacking?
Hackers are young, curious, and creative. Most (87%)
hackers are under age 35 and 84% are self-taught.
Just over half (53%) get at least half of their income
from hacking, with 22% naming hacking as their only
source of income. Just 53% do it for the money, with
68% saying their main motivation is that they enjoy the
challenge of hacking. It’s also a good career booster;
44% say they hack to advance their career and 80%
say they’ve used, or plan to use, skills and experience
learned while hacking to land a job. There’s also an
altruistic angle to hacking: 29% hack to protect and
defend and 27% hack to do good in the world.
[Figure 17 data: categories 1-2 years, 3-5 years, under 1 year, 6-10 years, 11-15 years, 15+ years; values shown: 29%, 30%, 17%, 14%, 5%, 5%]
71% hack websites
79
Hackers test your system in many more ways than any
one security contractor could afford
to do. Every single model, every single tool, every
single scanner has slightly different strengths, but also
different blind spots. Every hacker brings a slightly
different methodology and a slightly different toolset to
the problem. Although automated tools for detection
have gotten very good at flagging things that might be
a problem, almost all of them are plagued with false
positives that still require a human to go through and
assess whether it’s actually a vulnerability. While automation
can handle the grunt work, we still need skilled human
eyes to see problems and solutions that computers
can’t. And, the earlier in the process you have hackers
engaged, the better off you will be.
FAVORITE PLATFORM TO HACK
Figure 18: Favorite platforms to hack
[Figure 18 data: websites 71%; remaining categories shown: APIs, Android mobile, technology that I’m a user of/that has my data, operating systems, downloadable software, Internet of Things, other, firmware; remaining values shown: 1%, 2%, 2%, 2%, 4%, 4%, 4%, 7%]
To learn more about the hacker community, why they
hack, how they learn, and even what they do with their
earnings, download The 2020 Hacker Report.
80
WHAT BEST DESCRIBES YOU?
Figure 19: What best describes you?
I HACK AS A HOBBY: 59%
I AM A STUDENT: 27%
I HACK FULL-TIME FOR MY EMPLOYER: 22%
I HACK FULL-TIME: 18%
I HACK SOMETIMES FOR MY EMPLOYER: 14%
SELF-EMPLOYED: 11%
OTHER: 2%
RETIRED: 0.6%
81
WHY DO YOU HACK?
Figure 20: Why do you hack?
TO BE CHALLENGED: 68%
TO MAKE MONEY: 53%
TO LEARN TIPS AND TECHNIQUES: 51%
TO HAVE FUN: 49%
TO ADVANCE MY CAREER: 44%
TO PROTECT AND DEFEND: 29%
TO DO GOOD IN THE WORLD: 27%
TO HELP OTHERS: 25%
TO SHOW OFF: 8%
OTHER: 1%
82
Customer Spotlight // APAC: LINE Corporation
Awarded in bug bounties: $107,000 +
Reports resolved: 110 +
LINE Corporation, based in Japan, develops and
operates a wide range of mobile-first services and
advertising, along with businesses in Fintech, Artificial
Intelligence, and other domains. The company’s
LINE messaging app is the fastest growing mobile
messenger app in the world, and incorporates voice,
video, games, payments, and more.
LINE moved their self-run bug bounty program to the
HackerOne platform in 2019 in a bid to enable greater
transparency into their security efforts and incoming
vulnerability reports. The company also wanted to
increase participation by global hackers, so moving
to a platform with a hacker community hundreds-of-
thousands strong would quickly bring more awareness
to its growing program.
LINE started with a private bug bounty program on
HackerOne, and within 2 weeks had already paid out
$5,000 for its first validated vulnerability report. In the
first four-and-a-half months of the private program,
LINE received 101 reports, 37 of which were valid and
resulted in bounty awards.
“This means that we rewarded over 36% of the reports
we received, which is quite impressive,” wrote Robin
Lunde, Security Engineer at LINE, in a blog post.
83
At that point, the LINE security team transitioned to a
public bug bounty program, which immediately ramped
up the program’s participation, as its team had hoped.
In the first week of their public program, LINE received
103 reports—two more than in its entire 18-week
private program!
“It confirmed that our effort in spreading awareness
and information had been a success,” Robin added.
Adding to the program’s success was the growth in
hacker participation and expanded coverage of the
company’s diverse scope.
“Moving to HackerOne allowed for an increase in
participating reporters, as well as valid reports,”
Robin concluded. “It also resulted in a wider array of
our services being inspected and tested. This closely
aligned with our goals for moving to HackerOne
indicating that it was a success, as well as a step
towards achieving our future goals.”
Since LINE began its public bug bounty program on
HackerOne, the company has awarded over $107,000 in
bug bounties and resolved more than 110 reports.
“MOVING TO HACKERONE ALLOWED
FOR AN INCREASE IN PARTICIPATING
REPORTERS, AS WELL AS VALID
REPORTS.”
ROBIN LUNDE
Security Engineer at LINE
84
Hacker Spotlight
EUGENE
@spaceracoon
“I am motivated by the thrill of finding a bug and learning
something new. Every time I read an article on new
exploitations or discovery techniques, I’m itching to try it
out. I love thinking of clever ways to bypass a defense or
apply a novel attack.”
TOM
@Tomnomnom
“It’s a lifelong obsession with how things work. There’s
this great Richard Feynman quote, which is: ‘What I cannot
create, I do not understand.’ And I think, for software,
you’ve got to apply an additional layer of ‘What I cannot
break, I do not understand.’”
KATIE
@insider_PHD
“The community is super encouraging. The community
is super willing to help out. It’s, as far as I’m
concerned, my home.”
85
BEN
@nahamsec
“The one skill hackers must inherently have is the ability to
problem solve and a strong sense of curiosity around how
technology works and how it could possibly fail us.”
ALEX
@ajxchapman
“I like the challenge. I like the variety that hacking gives and
the opportunity for continued learning. It’s a really good
way of proving yourself and extending your knowledge
every day.”
ALYSSA
@alyssa_herrera
“What motivates me is wanting to help out security
companies protect against breaches and improve their
general security. Another motivation is being a role
model for other women who also might want to get
into this field of work.”
Cybersecurity skills are in high demand. Since
most hackers are self-taught, they need access
to resources to help them build their skills. To
train future cybersecurity leaders, the broader security
community has to invest in education. HackerOne
is committed to preparing students for success as
ethical hackers through community programs such as
Hacker101, a free, video-based web security training
series for the next generation of ethical hackers.
One of the greatest sources of education for new
hackers is through Hacktivity, which showcases select
activity on disclosed vulnerabilities, hackers, programs,
and bounty awards. Anyone can access Hacktivity to
review detailed reports, understand how hackers work,
and learn the many different techniques, tools, and
approaches used by hackers and security teams.
HackerOne also offers Hacker101 CTF (Capture The
Flag), a series of free hacking games based on real-
world environments that challenge learners to hack and
find the flags. Experienced and aspiring hackers can
put their skills into practice with levels inspired by real-
world security vulnerabilities. HackerOne also invests in
university-based initiatives, such as those at Singapore
Management University and the National University of
Singapore, which introduce students to ethical hacking
through training and competitions.
86
HOW TOMORROW’S HACKERS LEARN
87
Live Hacking Events provide a unique joint learning
experience and bug bounty engagement. For in-
person live hacking events, hackers from all over the
globe fly in to participate in a dynamic, social event,
with focused testing on a targeted set of assets. This
traditionally includes two weeks leading up to the
event culminating in 2-3 days in a particular city. During
the event, the programs’ security teams and hackers
mingle together for social activities, sightseeing,
knowledge-sharing, and of course, plenty of hacking.
Events also include hacking workshops for local student
groups, structured hacking mentorship sessions, and
job recruitment workshops.
To expand the diversity and inclusion of the hacking
community, HackerOne includes community days with
Live Hacking Events. These bring local cybersecurity
focused organizations (that prioritize diversity) like
preparatory schools, groups like Cyber Patriots, Hack
the Hood, Black Girls Code, and WiSP together with top
hackers and educators. Community days give aspiring
hackers a chance to learn Hacker101 content directly
from seasoned hackers.
Security@ is the largest hacker-powered
security conference. It brings together
hundreds of security leaders, influencers,
and hackers from around the world to
share lessons, learnings, and insights with
those who are leading this modern era
of cybersecurity. Past speakers include
security leaders and experts from the U.S.
Defense Digital Service, Verizon Media, the
U.S. Department of Justice, Yelp, The New
York Times, Sumo Logic, Goldman Sachs,
Facebook, Paypal, Salesforce, Bloomberg,
Slack, Shopify, and many more.
Learn more about Security@ 2020
conference, which will be held virtually on
October 20-22, 2020.
88
Spotlight: THE LARGEST HACKER-POWERED SECURITY CONFERENCE
89
90
Spotlight: MILLION DOLLAR HACKERS
Nine individual hackers have reached $1 million /
€850,000 / ¥7 million in bounty earnings on the
HackerOne platform. That’s an incredible milestone
for anyone in any profession, but these hackers have
reached this pinnacle in well under a decade. It shows
the earnings potential of hacking and also highlights
the global diversity: these 9 hackers hail from 7
different countries.
But it doesn’t take a million dollars to increase a
hacker’s quality of life. It could be a full-time job, or
it could add some extra money to cover rent, a car, a
vacation, or anything. Only 53% of hackers do it for the
money. Yet, over 200 hackers have earned more than
$100,000.
Many more hackers—just under 9,000—have earned
at least something on HackerOne. Of all hackers who
have found at least one vulnerability, 47% have earned
$1000 or more.
200 hackers have earned more than $100,000.
47% of hackers have earned $1,000 or more.
Nine individual hackers have reached $1 million in bounty earnings on the HackerOne platform.
91
92
Spotlight
In early 2020, as the global
pandemic took hold, the
Internet Complaint Center
at the U.S. Federal Bureau of
Investigation reported seeing
three- to four-times their typical
number of reports. The spike in
cybercrime also prompted the U.S.
National Counterintelligence and
Security Center to issue a warning
about “threat actors” increasing
their attacks on medical research
organizations. A related study
revealed that large-scale breaches
increased 273% in early 2020,
compared with 2019.
In the summer of 2020, HackerOne
surveyed 1,400 global security
leaders at large companies across
North America, Europe, and Asia-
Pacific, to learn more about their
challenges during the pandemic.
Unfortunately, what many are
dealing with in reality reflects the
warnings offered earlier in the year.
Together, these two challenges
are forcing security teams to face
more threats while dealing with
diminished resources.
Nearly two-thirds (64%) of global
security leaders believe their
organization is more likely to
experience a data breach due to
COVID-19, and 30% have seen
more attacks since the start of
the pandemic. Unfortunately, 30%
have seen their security teams
reduced and one-quarter have seen
their budgets reduced since the
pandemic began.
But as the pandemic has increased
threats and decreased resources,
it has also increased distractions.
More than a third (36%) of
security leaders say that digital
transformation initiatives have
accelerated as a result of COVID-19,
and 30% have had to switch
priorities from application security
to securing new work-from-home
and collaboration tools.
Many are now looking to hacker-
powered security to augment their
own resources and offer a pay-
for-results approach that’s more
justifiable under tightened budgets.
As a result of the challenges posed
by COVID-19, 30% of security
leaders say they are more open
to accepting vulnerability reports
from third party researchers about
information security issues.
Learn how HackerOne can help
you quickly add resources to your
security efforts.
SECURITY LEADERS SEEING OUTBREAK OF CYBERCRIME DURING PANDEMIC
Seeing more attacks: 30%
Reduced security teams: 30%
Dealing with budget cuts: 25%
Security breach more likely: 64%
Figure 21: Cybersecurity trends during COVID-19 (country breakdown of each global headline; columns follow the order in which the countries appear in the figure: UK, France, Germany, Australia, Singapore, USA, Canada)

Global headline | UK | France | Germany | Australia | Singapore | USA | Canada
36% of security leaders say that digital transformation initiatives have accelerated as a result of COVID-19 | 39% | 32% | 34% | 36% | 37% | 35% | 37%
31% of security leaders say they have had to go through a digital transformation ahead of the planned roadmap as a result of COVID-19 | 34% | 28% | 29% | 22% | 39% | 32% | 33%
30% of security leaders have had to switch priorities during the pandemic from application security to securing the use of working from home and collaboration tools | 34% | 26% | 41% | 28% | 29% | 30% | 27%
30% of security leaders have seen more attacks on their IT systems as a result of COVID-19 | 31% | 36% | 28% | 33% | 21% | 34% | 30%
30% of security leaders say their security teams have been reduced during the pandemic | 37% | 28% | 28% | 35% | 30% | 24% | 30%
30% of security leaders say that as a result of the challenges posed by COVID-19, they are more open to accepting reports from third party researchers about information security issues | 30% | 33% | 34% | 32% | 21% | 34% | 26%
A quarter of security leaders say that information security budgets have been negatively impacted as a result of COVID-19 | 29% | 30% | 23% | 26% | 24% | 27% | 27%
64% of global security leaders believe their organisation is more likely to experience a data breach due to COVID-19 | 69% | 70% | 70% | 55% | 58% | 57% | 68%
66% of global security leaders feel under scrutiny to prove the business takes information security seriously | 72% | 62% | 61% | 53% | 76% | 61% | 75%
93
94
CLOSING
THOUGHTS
HACKER-POWERED SECURITY IS THE FUTURE OF
CYBERSECURITY — AND THAT FUTURE IS HERE.
In an era of increasing uncertainty and unprecedented
challenges, hackers are empowering organizations to
keep their customers safe: in more areas of the world,
on more attack surfaces, in new ways, using new tools
and methods. Security leaders are partnering with
hackers to supplement their security teams, reduce
risk across the software development lifecycle, achieve
compliance, and reinforce brand trust.
And hackers — these creative individuals who enjoy
overcoming limitations — are using this partnership
to support themselves and enrich their communities.
Hackers have already received over $100 million / €85
million / ¥696 million in bounties. And we estimate that
total to grow by 1,000% within the next 5 years. Many
hackers are donating their bounties
to charitable causes.
The COVID-19 pandemic has shown us how small
and interconnected our world is. Technology is
fundamentally global, and yet the systems upon
which we have built our digital lives can be upended
in seconds. We rely on these systems for everything:
to work, live, learn, travel, to buy and sell things, to
experience art and entertainment. To threaten these
systems is to threaten our way of life.
But this interconnectedness is a positive thing,
too. Keeping the internet safe is a global effort.
Finding the hundreds of millions of vulnerabilities
in our technology would be impossible without an
international pool of talent.
Hackers know that. Security leaders know that. Boards
are starting to mandate it; government agencies are
recommending it as a best practice. And HackerOne is
here to lead the charge.
// exit
TOGETHER, WE HIT HARDER — AND AS A GLOBAL COMMUNITY, WE HACK FOR GOOD.
95
96
METHODOLOGY & SOURCES
Findings in this report were collected from the HackerOne
platform using HackerOne’s proprietary data based on over
2,000 collective bug bounty and vulnerability disclosure
programs. The 2020 data in this report spans from May 2019
through April 2020.
FORBES GLOBAL 2000 VULNERABILITY DISCLOSURE
RESEARCH: Our research team searched the internet
looking for ways a friendly hacker could contact these
2,000 companies to disclose a vulnerability. The team
looked for web pages detailing vulnerability disclosure
programs as well as email addresses or any direction
that would help a researcher disclose a bug. If they
could not find a way for researchers to contact the
company to disclose a potential security vulnerability,
they were classified as not having a known disclosure
program.
Any companies that do have programs but are not
listed as having one in the Disclosure Directory are
encouraged to update their profile in the Disclosure
Directory on their company’s page. See ISO 29147 for
additional guidance or contact us.
COVID CONFESSIONS OF A CISO: Research conducted by
Opinion Matters on behalf of HackerOne. The survey
includes responses from 1,400 security professionals in
companies employing 1,000 or more, and located in the
U.K., France, Germany, Australia, Singapore, the U.S.A.
and Canada. Research was conducted in July 2020.
97
THE 2020 HACKER REPORT: Data was collected from
a proprietary HackerOne survey in December 2019
and January 2020, totaling over 3,150 respondents
from over 120 countries and territories. The surveyed
individuals have all successfully reported one or more
valid security vulnerabilities on HackerOne, as indicated
by the organization that received the vulnerability
report.
ABOUT
HACKERONE
HACKERONE EMPOWERS THE WORLD TO BUILD
A SAFER INTERNET. As the world’s trusted hacker-
powered security platform, HackerOne gives
organizations access to the largest community
of hackers on the planet. Armed with the most
robust database of vulnerability trends and industry
benchmarks, the hacker community mitigates cyber
risk by searching, finding, and safely reporting real-
world security weaknesses for organizations across all
industries and attack surfaces.
Customers include The U.S. Department of Defense,
Dropbox, General Motors, GitHub, Goldman Sachs,
Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF
Singapore, Nintendo, PayPal, Qualcomm, Slack,
Starbucks, Twitter, and Verizon Media. HackerOne
was ranked fifth on the Fast Company World’s Most
Innovative Companies list for 2020. Headquartered in
San Francisco, HackerOne has a presence in London,
New York, the Netherlands, France, Singapore, and
over 70 other locations across the globe.
98
99
TRUSTED BY
More Fortune 500 and Forbes Global 1000 companies than
any other hacker-powered security alternative.
The world’s most trusted hacker-powered security platform. www.HackerOne.com
start? How can you protect software applications as
they move to the cloud? How do you scale security on
a constantly-evolving attack surface? Is there a way to
maintain brand trust and mitigate risk of a breach with
such a sharp increase in digital transactions? And with
everything else on fire, what about the nuts-and-bolts
of compliance and regulations?
4
hackers aren’t just for tech
companies: they are
a critical part
of any mature security
strategy.
THE ANSWER IS HACKERS.
For years, organizations have turned to hackers to
look for vulnerabilities before bad actors can exploit
them. Quite simply, hackers are people who enjoy the
challenge of creatively overcoming limitations. But
they’re much more than that.
Hacker-powered security has become a best practice
for many organizations, embraced by risk-conscious
entities like the U.S. Department of Defense and
Goldman Sachs. Security and business leaders are
learning that hackers aren’t just for tech companies:
they are a critical part of any mature security strategy.
Today’s challenges demand scalability, creativity, and
adaptability on an unprecedented scale, and hackers
are prepared to meet those demands.
The Fourth Annual Hacker-Powered Security Report
offers an incisive look at today’s security landscape and
the hackers who are pushing the envelope.
This report tells a story that’s happening every day:
security leaders are partnering with hackers to make
the internet a safer place. CISOs are augmenting
security frameworks with hackers’ human creativity and
always-on security efforts. New options and continued
deployment have propelled all global regions to double
digit year-over-year program growth, with Asia-Pacific
(APAC) adding 93% more programs and Latin and South
America (LATAM) adding 29%. Combined, all global
programs awarded 87% more bounties year-over-year.
Around the world, the hacker community has grown
in size and sophistication. 9 hackers (from 7 different
countries!) surpassed the $1 million / €850,000 / ¥7
million mark in the past year. Hundreds of thousands
more use hacking to build valuable skills, advance their
career, earn extra money, challenge their curiosity, and
hang out with like-minded individuals.
5
Against a backdrop of unparalleled obstacles, security
leaders have gained newfound appreciation for hacker-
powered security as a nimble, scalable, and cost-
effective solution. During global lockdowns, hackers
reported 28% more vulnerabilities per month than
immediately before the pandemic took hold. For many
researchers, hacking has become a reliable source of
supplemental income during the pandemic.
Even before the pandemic, hackers were devoting
their time and skills to make the world a better place.
The altruistic attitude sparked Hack for Good, a
HackerOne program that provides an easy way to
donate bounty earnings to a worthy cause. The World
Health Organization, the first cause chosen by the
hacker community this past spring, received $30,000
in donations from hackers to help fight the COVID-19
pandemic.
In this report, we’ll explore these trends and their
ramifications for businesses and consumers worldwide.
The short version: security has become synonymous
with hacking. The future belongs to hackers and the
organizations that embrace them. And that future
starts right here.
CONTENTS
EXECUTIVE SUMMARY _____________________________________________ 3
Important Concepts _________________________________________________ 8
INTRODUCTION _________________________________________________ 10
Key Findings ________________________________________________________12
GLOBAL IMPACT _________________________________________________ 14
Who’s Paying Bounties _____________________________________________ 18
How COVID-19 is Impacting Security ________________________________ 20
Who’s Earning Bounties ____________________________________________ 22
Nations Across the Globe Are Getting Involved _____________________ 26
Bounty Flow _______________________________________________________ 28
Market Spotlight ___________________________________________________ 30
INDUSTRY SCORE-CARDS ________________________________________ 34
How Each Industry Stacks Up _______________________________________ 36
The Biggest Brands Still Lag: Forbes Global 2000 Breakdown ________ 38
Creating A Vulnerability Disclosure Policy ___________________________ 40
Industry Adoption ___________________________________________________41
The Pace of Resolution Varies by Industry ___________________________ 42
Continuous Development Needs Continuous Security_______________ 44
BOUNTY TRENDS ________________________________________________ 46
Region Spotlight ___________________________________________________ 52
Average Bounty Payout Per Industry for Critical Vulnerabilities ______ 56
Average Bounty Payout by Severity _________________________________ 57
Reported Vulnerabilities by Type ____________________________________ 58
Virtual Live Hacking Events _________________________________________ 60
Customer Spotlight: AT&T __________________________________________ 64
Go Beyond Compliance with Hacker-Powered Pentests ______________ 66
The Validated ROI of Hacker-Powered Pentests _____________________ 68
Customer Spotlight: PayPal ________________________________________ 70
HACKERS ________________________________________________________ 72
Customer Spotlight: Costa Coffee __________________________________ 76
Who are the Hackers and Why Do They Hack? _______________________ 78
Customer Spotlight: LINE Corporation ______________________________ 82
Hacker Spotlight ___________________________________________________ 84
How Tomorrow’s Hackers Learn ____________________________________ 86
The Largest Hacker-Powered Security Conference __________________ 88
Million Dollar Hackers ______________________________________________ 90
Security Leaders Seeing Outbreak of Cybercrime During Pandemic __ 92
CLOSING THOUGHTS ____________________________________________ 94
METHODOLOGY & SOURCES _____________________________________ 96
ABOUT HACKERONE _____________________________________________ 98
IMPORTANT CONCEPTS
HACKER: One who enjoys the intellectual challenge of creatively overcoming limitations.
HACKER-POWERED SECURITY: Any security-
enhancing activity resulting from voluntary work
performed by external experts, i.e. hackers. Common
examples include private bug bounty programs,
public bug bounty programs, time-bound bug bounty
programs, hacker-powered penetration testing for
compliance, and vulnerability disclosure policies.
With hacker-powered security testing, organizations
can identify high-value bugs faster with help from the
results-driven ethical hacker community.
VULNERABILITY: A weakness in software, business
logic, hardware, internal rules, or online services that
can be exploited.
HACKTIVITY: Hacker activity published on the
HackerOne platform.
VULNERABILITY DISCLOSURE POLICY (VDP):
An organization’s formalized method for receiving
vulnerability submissions from the outside world,
sometimes referred to as “Responsible Disclosure.”
This often takes the form of a “security@” email
address. The practice is outlined in the NIST
Cybersecurity Framework and defined in ISO
standard 29147.
BUG BOUNTY PROGRAM: Encourages hackers,
through the use of incentives, to identify and report
potential security vulnerabilities before they can be
exploited. A public program allows any hacker to
participate for a chance at a bounty reward. A private
program limits access to select hackers who are
invited to participate. Focused programs can also be
time-bound, or run as virtual or in-person live events.
HACKER-POWERED PENTEST: A bespoke program
where select hackers apply a structured testing
methodology and are rewarded for completing
security checks, and security teams receive instant
results and compliance-ready reports.
/// OVERVIEW
Total registered hackers: 830K+
Reports resolved in 2019: 37,259
Bounties paid over the past 12 months: $44,754,742
Total valid vulnerabilities submitted: 181K+
Total bounties paid: $107M+
$ per resolved report: $979
[Map: business impact by region (North America, EMEA, APAC, Latin America)]
INTRODUCTION
In the face of global changes, hackers are bringing ever-increasing scale to organizations’ security efforts.
There are more hackers, with more skills, from more
countries than ever before, offering continuous
coverage for continuous development.
Hackers have reported over 181,000 valid vulnerabilities
and have earned over $100 million / €85 million / ¥696
million in the process. These trusted hackers, 53% of
whom have been hacking for over 3 years and 43% of
whom are self-taught, are augmenting and supporting
security teams for organizations large and small. They
bring talent, creativity, and diverse skill sets to the
table.
Security vulnerabilities are a fact of life. You can’t opt
out. That’s why organizations are on the hunt for cost-
effective solutions. The business value placed on each
found vulnerability is, on average, $979 / €835 / ¥6,820.
That’s a small price to pay compared with the legal,
brand, and engineering impact of a security breach,
which the Ponemon Institute and IBM Security estimate
to be $3.86 million / €3.29 million / ¥26.87 million.
Hackers are the future of cybersecurity. As we face
unprecedented changes, business and security leaders
are leaving behind old methods and ideas to search for
new solutions. It’s our mission to empower the world
to build a safer internet. This report is a glimpse into
how hackers and organizations are doing just that.
EVERY ONE HUNDRED AND EIGHTY SECONDS,
A HACKER REPORTS A VULNERABILITY.
Average cost of a valid vulnerability: $979
Global average total cost of a data breach in 2020: $3.86M
KEY FINDINGS
1. The average bounty paid for critical vulnerabilities increased to $3,650 / €3,100 / ¥25,460 in the past year, up 8% year-over-year. The average amount paid per vulnerability of any severity level is $979 / €831 / ¥6,834, up 9% from last year’s average.
2. More than $44.75 million / €38.2 million / ¥313.3 million in bounties were awarded to hackers across the globe over the past year. That’s a year-over-year increase of 87% in total bounties paid, and helped drive total bounties past $100 million / €85 million / ¥696 million in May 2020.
3. The United States remains the top payer of bounties, with over 87% of the total, but that share is decreasing as every global region increased awards by at least 68%. Individual countries saw massive growth. Spain increased year-over-year bounty awards by 4,324%, Brazil by 1,843%, China by 1,429%, and 4 countries paid bounties for the very first time.
4. 100 countries saw an increase in year-over-year hacker earnings, with the biggest increases seen in China (582%), Spain (307%), France (297%), and Turkey (214%). In a dozen countries, hackers started earning awards for the first time.
5. 9 individual hackers have now earned $1 million / €850,000 / ¥7 million in bounties on the HackerOne platform. And, in a reflection of the global reach of hacker-powered security, these 9 reside in 7 different countries.
6. Hackers now hail from 226 countries and territories. Guinea-Bissau, Central African Republic, Montserrat, Comoros, Holy See, and San Marino have all been added to this list in the past year.
7. Through Hack for Good, hackers donated $30,000 to The World Health Organization (WHO) COVID-19 Solidarity Response Fund, the program’s first recipient.
8. The global coronavirus outbreak was followed by a surge in hacktivity. New hacker signups increased 59%, submitted bug reports increased 28%, and organizations paid 29% more bounties in the months immediately following the start of the pandemic.
9. Bounties paid for Improper Access Control, the most awarded weakness type, increased by 130%. Information Disclosure fell to second place this year from first last year, yet still saw a 60% increase in bounties awarded.
CHAPTER 1 // GLOBAL IMPACT
Hacker-powered security is a global phenomenon regardless of how you measure it. The sheer growth in global security programs is stunning, with 34% of all programs on the HackerOne platform launched in the past year.
North America remains the largest region, with 69% of all programs, but it’s being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%—nearly doubling in total number of programs in that region. Regions within APAC showing particularly strong program growth, and reflecting the diversity of this rapidly maturing market, include Singapore, with program growth of 164%, China (67%), and New Zealand (40%). New programs were also added in Japan, South Korea, and Thailand.
Number of vulnerabilities reported: 180,000+
Amount paid to hackers in the past year: $44.75 MILLION
Bounties paid and earned have also shown
extraordinary global growth. In May 2020, total
bounties paid reached $100 million / €85 million /
¥696 million. In the past year alone, more than $44.75
million / €38.2 million / ¥313.3 million has been paid
by security-conscious organizations to creative, skillful
hackers across the globe. That’s a year-over-year
increase of 87% in total bounties to hackers.
But the number of programs is just one measure of the global impact of hacker-powered security. Overall, hackers have reported more than 180,000 valid vulnerabilities, with one-third of those reported in just the past year alone.

Figure 1: New and total programs by region.
Region       Total programs   New programs
N. America   69%              72%
EMEA         24%              20%
APAC         6%               6%
LATAM        1.5%             2%
PROGRAM GROWTH
YOY GROWTH BY REGION
APAC: 93%
N. AMERICA: 72%
EMEA: 41%
LATAM: 29%
Total bounties to hackers have increased 87% year over year.
Figure 2: Year-over-year program growth, all by global region.
U.S. amount paid to hackers over past year: $39.1 MILLION
77% of public bug bounty programs receive their first vulnerability report within 24 hours
Top five bounty-paying countries: 1. United States, 2. Russia, 3. United Kingdom, 4. Singapore, 5. Canada
Countries at the top maintained
their status as biggest payers,
with Russia ($887,000), the United
Kingdom ($559,000), Singapore
($506,000), and Canada ($497,000)
rounding out the top five. Russia
moved up from sixth place last year
to push Germany into sixth place
with $363,000 in bounties paid.
WHO’S PAYING BOUNTIES
THE UNITED STATES REMAINS THE TOP PAYER OF BOUNTIES, with over
$39.1 million / €33.4 million / ¥273.7 million, or 87% of the total, awarded
to hackers in the past year. However, other countries and regions are
adopting hacker-powered security at an impressive rate. Latin America
increased bounty awards by 371%, while all other regions increased awards
by at least 68%. Spain increased year-over-year bounty awards by 4,324%,
Brazil increased by 1,843%, China 1,429%, and Panama by 1,394%. That
growth is even more impressive considering the scale, as those three
countries combined paid out more than $380,000 / €324,000 / ¥2,660,000
in bounties in the past year.
Other countries had massive increases in bounties awarded, as well, like
Argentina (723%), the Netherlands (388%), and the United Arab Emirates
(318%). And four countries—Luxembourg, Dominican Republic, South
Africa, and Samoa—paid bounties for the very first time.
BOUNTY AWARDS
YOY GROWTH BY REGION
LATAM: 371%
North America: 93%
EMEA: 86%
APAC: 68%
Total: 87%
Figure 3: Year-over-year bounty award growth in respective regions.
Countries at the top maintained their status as biggest payers, with Canada, Russia, the United Kingdom, and Singapore rounding out the top five.
COVID-19 has thrown the entire world into
chaos. We will feel the digital and physical
ramifications of the pandemic for decades.
Criminals thrive on chaos. Organizations worldwide
were forced to go digital with their product offerings
and services. Businesses scrambled to find new
revenue streams, creating digital offerings for
customers whose lifestyles had dramatically changed.
Tens of millions of workers had to work remotely. With
this accelerated pace of digital transformation, CISOs
had to quickly facilitate new needs—while ensuring
the security of existing systems and newly-acquired
collaboration tools. Security teams were pushed to
the limit. They struggled to maintain existing security
measures while working to close newly-opened gaps.
To better understand how COVID-19 has impacted
security, HackerOne surveyed security leaders about
their challenges during the pandemic. We found
that 64% of global security leaders believe their
organization is more likely to experience a data breach
due to COVID-19, and 30% have seen more attacks as a
result of COVID-19. Unfortunately, 30% have seen their
security teams reduced due to the pandemic, and a
quarter have seen their budgets reduced. The overall
chaos and uncertainty has stressed even the most
robust security teams.
SPOTLIGHT
HOW COVID-19 IS IMPACTING SECURITY
To adapt to changing attack surfaces, many are turning to
hacker-powered security. And hackers are stepping up.
Even during the global recession, hacking has remained
a consistent and stable source of income. This past
year, new hackers have joined the community at an
accelerated rate. Compared with January and February
of 2020, as the pandemic took hold, the average
number of new hacker signups on the HackerOne
platform increased by 56% across April, May, and June.
Year over year, April, May, and June of 2020 saw 69%
more new hacker signups than the same period in 2019.
Hackers are also more prolific than ever with the
monthly average number of incoming bug reports in
April, May, and June of 2020 increasing by 28% over
January and February, and increasing 24% over the
previous year.
Organizations have responded to this much-needed
help by awarding 29% more bounties per month, on
average, during the April-June period than during
January and February.
To learn more, see how HackerOne can help address
quickly changing security needs.
THIS IS AN ENTIRELY
DIFFERENT BALLGAME.
“It suddenly thrust us into what some
people would say is just a healthcare issue,
but it’s not. It’s an everything issue, isn’t
it. It’s really just changing the way that
the world operates and even how hackers
operate as well, and I think that’s what
we’re starting to see more and more of.”
TERESA WALSH
Global Head of Intelligence, Financial
Services ISAC, During ISAC webinar 2020
WHO’S EARNING BOUNTIES
Anyone can hack, anytime, and from nearly anywhere. While they do it to earn money, they
also do it to learn in-demand skills, advance their career, or simply for the challenge. Many
also pursue hacking as a career. 40% of hackers surveyed for our 2020 Hacker Report hack as
their primary occupation. 53% earn more than half their total yearly earnings from hacking,
according to the HackerOne 2020 Hacker Report.
Hackers around the world increased their earnings this past year, with Asia Pacific realizing 131%
growth year-over-year. EMEA earnings nearly doubled, with 90% growth, and North America
and Latin America both increased earnings by more than 60%.
40% of hackers hack as their full-time job
53% earn more than half their total income from hacking
BOUNTY EARNINGS
YoY Growth by Region
Hacker earnings grew in every region on earth.
APAC: 131%
EMEA: 90%
N. America: 60%
LATAM: 60%
Total: 87%
Figure 4: Year-over-year bounty earnings growth in respective regions.
By country, hackers in the U.S. remain the top bounty earners, commanding $7.2 million / €6.1 million / ¥50.4 million over the past year. That’s a 63% increase over the past year, but nowhere near the growth of countries like China (582%), Spain (307%), France (297%), and Turkey (214%). Across the globe, 100 countries with hackers had year-over-year earnings growth.
The top five countries from which hackers earn their
awards, in addition to the U.S. are China, India, Russia,
and Germany. China’s huge growth pushed Canada
down into sixth place this year.
In a dozen countries, hackers earned awards for the
first time over the past year, including hackers from
Benin, Comoros, Costa Rica, Gambia, Luxembourg,
Malta, Oman, Paraguay, Senegal, the State of Palestine,
Uganda, and Venezuela. Hacking is giving people in
all corners of the globe opportunity to learn and earn
while helping improve the security of organizations in
faraway countries.
Amount hackers in the U.S. earned over the past year: $7.2 MILLION
Number of countries where hackers had YoY earnings growth: 100
THE TOP FIVE COUNTRIES FROM WHICH HACKERS EARNED THEIR AWARDS WERE THE U.S., CHINA, INDIA, RUSSIA, AND GERMANY.
NATIONS ACROSS THE GLOBE ARE GETTING INVOLVED
Hack the Pentagon in 2016 was the first ever federal bug bounty program, pioneered by the U.S. Department of Defense’s (DoD) Defense Digital Service (DDS) and HackerOne. In the following two years, hackers worked with the Army, Air Force, Marines, and other U.S. DoD agencies to find more than 5,000 valid vulnerabilities through HackerOne. In 2019 alone, the U.S. federal government received 5,121 distinct vulnerability reports through their VDP and focused, time-constrained HackerOne Challenge events. To date, the DoD has launched 10 hacker-powered Challenges, including “Hack the Proxy,” “Hack the Army 2.0,” and “Hack the Air Force 4.0”. As a result, they have awarded a total of $672,610 to 625 hackers.
The DoD also resolved over 12,000 valid vulnerabilities exclusively through the organization’s VDP this past year. In July 2020, the DoD processed 1,835 vulnerability reports via its VDP, nearly 500 more than its previous monthly record.
Since the DoD became the first government organization to leverage hacker-powered security, governments and related agencies across the globe have deployed hacker-powered security to identify and resolve vulnerabilities in their systems.
The European Commission (EC), long a champion of free and open source software, launched the European Union Free and Open Source Software Audit (EU FOSSA) to find vulnerabilities in its most used open source apps. The initial program’s
success prompted the European
Commission to launch EU-FOSSA 2,
and the team subsequently worked
with hackers to reveal a 20-year
undiscovered vulnerability, fix 133
vulnerabilities, and pay out a total
of €87,990 in bounties to hackers.
In total, the E.U. has launched two
bug bounty programs for 15 open
source projects with HackerOne
since its first program in 2017.
In the U.K., the National Cyber
Security Centre uses HackerOne
to enable its VDP and the easy
reporting of vulnerabilities found
across all U.K. government
online services.
In the Asia-Pacific region, this past
year has seen impressive growth in
hacker-powered security programs.
The Ministry of Defence, Singapore
(MINDEF) has expanded its hacker-
powered security programs since
starting with a time-bound bug
bounty challenge in 2018. That
program resulted in 35 resolved
vulnerabilities and prompted a
second program, which invited 300
hackers (one-quarter of whom are
local to Singapore). That second
program resulted in 31 validated
vulnerabilities, which earned
hackers $25,950.
In late 2019, Singapore’s
Government Technology Agency
(GovTech), supported by the Cyber
Security Agency of Singapore (CSA),
ran a third program that resulted
in 33 valid security vulnerabilities
and $30,800 in earned bounties. All
together, 189 hackers have earned
$74,250 in exchange for reporting
625 distinct security weaknesses
across five Singaporean
government challenges.
This past year, the European
Commission announced the launch
of a new bug bounty initiative
involving open source software on
a much larger scale. The latest 2019
bug bounty program run by the
EU-Free and Open Source Software
Auditing (EU-FOSSA 2) project
aims to help E.U. institutions better
protect their critical software. Since
the program launched, EU-FOSSA 2
has worked with hackers to fix 133
vulnerabilities and pay out a total
of €87,990 in bounties to hackers.
This is on the heels of the U.K.’s
National Cyber Security Centre
(NCSC), which launched a VDP with
HackerOne in December 2018. In
total, the E.U. has launched two
bug bounty programs and 15 open
source projects with HackerOne
since its first program in 2017.
BOUNTY FLOW BY COUNTRY
Figure 5: Visualization of the bounty flow of the top 10 countries showing, on the left, where the organizations paying bounties are located and, on the right, where hackers earning bounties are located. Total bounty flow: $44,754,742 (each list below sums to this total).

Paid by organizations located in:
USA: $39,125,265
Russia: $887,236
UK: $559,215
Singapore: $505,522
Canada: $497,495
Netherlands: $414,817
Germany: $363,404
Switzerland: $231,605
Israel: $229,138
Sweden: $152,413
Other: $1,788,632

Earned by hackers located in:
USA: $7,204,299
China: $5,355,683
India: $4,401,251
Russia: $3,083,973
Germany: $1,920,452
Canada: $1,653,313
UK: $1,430,886
France: $1,223,231
Hong Kong: $1,040,347
Argentina: $985,681
Other: $16,455,626
MARKET SPOTLIGHT
Region          Total bounties awarded   Growth YoY   Bounties earned   Growth YoY   Regional share of new programs   Regional program growth YoY
North America   $39,622,760              93%          $8,859,363        93%          72%                              72%
EMEA            $3,724,385               86%          $18,915,495       86%          20%                              41%
APAC            $881,586                 68%          $14,457,828       66%          6%                               93%
Latin America   $418,323                 371%         $1,848,670        371%         2%                               29%
SPOTLIGHT
HACK FOR GOOD DOES GOOD
In many countries, hackers can earn several times the median salary of a local software engineer. These hackers are not just making the internet safer, they’re also giving back to their local and global communities.
In The 2020 Hacker Report, 27% of hackers said they donated at least a portion of their earnings to charitable organizations. The impact of COVID-19 prompted an unprecedented amount of support from hackers who volunteered to help relief efforts across the world. The community itself has created new initiatives, for example Marc Rogers’ CTI League, which combats hacks against medical facilities and other frontline responders, and the US Digital Response, which provides experienced technologists to help governments deliver critical services. Individual hackers even raised their hands to help healthcare providers deal with incoming threats.
The dedication and genuine care shown by this community has inspired HackerOne to create Hack for Good. Launched during #h1-2004, a 13-day virtual bug bounty event for Verizon Media, Hack for Good gives hackers an easy way to donate their bounty earnings to a worthy cause. The first recipient—receiving $30,000 from generous hackers—was The World Health Organization (WHO) COVID-19 Solidarity Response Fund. Donations were used to support WHO and their global partners in their pandemic fight.
With Hack for Good, hackers now have the ability to easily donate full or partial amounts of their bounties to community-selected charities that rotate each quarter.
Hackers have earned $45 million / €38 million / ¥314 million in the past year from the nearly two thousand organizations they’ve helped.
CHAPTER 2 // INDUSTRY SCORE-CARDS
Hacker-powered security comes in many flavors, from simply providing a clear path for anyone to alert you to a potential risk, to integrating hacker-powered methods directly into your security, testing, and software development processes. Programs can be open to anyone or limited to trusted, vetted hackers; free or pay-for-results; customized or turnkey; run internally or completely managed by experts. They can even be used to assess security measures, retest bug fixes, increase the security awareness of development, and more. With this flexibility, hacker-powered security can meet the security needs of any organization.
5X: Public programs have 5x the number of hackers reporting valid vulnerabilities as private programs
40%: of programs started in the past year were in Computer Software and Internet & Online Services
Bug bounty programs are dominated by companies in Computer Software and Internet & Online Services.
Private programs: 81%
Public programs: 19%
Most organizations begin with a vulnerability disclosure
policy (VDP). It offers an easy, open process for
anyone who spots a potential vulnerability to report it
to an organization’s appropriate teams. Pentests put
continuous hacker talent and creativity to work for
compliance and other requirements. The bug bounty
program is the most advanced form of hacker-powered
security, and has a wide range of applications and
approaches. It gives hackers a monetary incentive—
the bounty—to search for and report vulnerabilities.
Bounty programs can be public or private, continuous
or time-bound, and even used during in-person
and virtual events.
Public bug bounty programs, like those of Starbucks,
AT&T, Hyatt, and Goldman Sachs, are open to
everyone, while private programs require that individual
hackers are invited or accepted via an application
process to participate. Public programs are open to the
widest range of hacker diversity and therefore produce
superior results. On average, public programs have
nearly five times the number of hackers reporting
valid vulnerabilities versus private programs. Similar to
past years, private programs make up 81% of all bug
bounty programs on HackerOne and public programs
make up the remaining 19%.
Figure 6: Percentage of public vs private programs.
HOW EACH INDUSTRY
STACKS UP
When you dig into industry-specific data, things get
a bit more interesting. Cryptocurrency & Blockchain
organizations, for example, have the highest share of
public programs when compared to other industries
at 43%. On the other end of the spectrum, Healthcare
and North American state and local governments run
only private programs. Other industries with few public
programs are Computer Hardware & Peripherals (7%)
and Travel & Hospitality (8%).
Bug bounty programs are extremely common in
Computer Software and Internet & Online Services,
with those industries accounting for nearly half of the
total programs and 40% of all new programs started
in the past year, and paying more than 72% of the
total bounties awarded in the past year. But others are
quickly adopting hacker-powered security. Industries
with year-over-year program growth of 200% or greater
include Computer Hardware (250%), Consumer Goods
(243%), Education (200%), and Healthcare (200%),
while Media & Entertainment grew by 164%, Retail
& eCommerce doubled, and Financial Services and
Computer Software each grew by more than 75%.
Other industries are paying more bounties to more
hackers, too. Industries paying more than $1 million
/ €850,000 / ¥7 million in bounties in the past year
include Telecommunications ($2,497,042), Financial
Services ($2,286,351), Media & Entertainment
($1,826,974), and Automotive ($1,048,090).
Industry Scorecards

                                  BOUNTY PROGRAMS                                       BOUNTY AWARDS
Industry                          Private   Public   Share of total   Share of new 2019   Awarded       % of total
Computer Hardware & Peripherals   93%       7%       3%               1%                  $415,994      0.9%
Computer Software                 82%       18%      20%              16%                 $16,263,982   36.3%
Consumer Goods                    98%       2%       2%               4%                  $253,763      0.6%
Cryptocurrency & Blockchain       57%       43%      4%               2%                  $518,565      1.2%
Electronics & Semiconductor       76%       24%      1%               0%                  $381,250      0.9%
Financial Services & Insurance    87%       13%      8%               9%                  $2,286,351    5.1%
Government International          65%       35%      1%               1%                  $134,729      0.3%
Government NA Federal             90%       10%      1%               2%                  $667,228      1.5%
Government NA Local               100%      0%       0%               0%                  $19,583       0.0%
Healthcare                        100%      0%       1%               1%                  $104,050      0.2%
Internet & Online Services        79%       21%      27%              24%                 $16,079,195   35.9%
Media & Entertainment             80%       20%      7%               7%                  $1,826,974    4.1%
Other                             74%       26%      11%              19%                 $1,525,877    0.5%
Professional Services             84%       16%      3%               3%                  $256,229      0.6%
Retail & eCommerce                87%       13%      4%               3%                  $1,004,045    2.2%
Telecommunications                88%       12%      1%               1%                  $2,497,042    5.6%
Travel & Hospitality              93%       8%       2%               1%                  $519,885      1.2%
Overall                           81%       19%                                           $44,754,742
THE BIGGEST BRANDS STILL LAG: FORBES GLOBAL 2000 BREAKDOWN
Each year, HackerOne analyzes the Forbes Global 2000 list of the world’s most valuable public companies as one benchmark for public VDP adoption. Based on the 2020 Forbes Global list, 82% of the Forbes Global 2000 do not have a known policy for vulnerability disclosure as of July 2020. That’s a huge improvement compared to 93% on the 2017 list and 94% of the 2016 list, but shows that less than 1 in 5 of the world’s most valuable public companies are utilizing this important security mechanism.
82%: of Fortune Global 2000 companies do not have VDPs
63%: of global organizations require IT suppliers to have a VDP
Figure 7: Share of Forbes Global 2000 companies in various countries that have a known VDP. [Map: United States, 28% have a known VDP; Germany, Australia, United Kingdom, Singapore, and France shown with values of 25%, 26%, 19%, 22%, and 0%]
VDP adoption varies widely across industries and regions. Only 13% of Global 2000 Transportation companies have VDPs, including Toyota, General Motors, Lufthansa, Tesla, and American Airlines.
Just 21% of Healthcare companies have a
known VDP. Approximately one-third of those in
Telecommunications & Media (35%) and Financial
Services (32%) have known VDPs, including AT&T,
Citigroup, JPMorgan Chase, and ING. Computer
Software leads in the deployment of VDPs
with 69% adoption.
The pace of adoption is extremely slow and
organizations continue to push for more progress. In
North America, the U.S. Department of Justice offers
a framework and the U.S. Department of Homeland
Security provides a template and issued a Binding
Operational Directive requiring agencies to establish
a VDP. In EMEA, the European Union Agency for
Cybersecurity (ENISA) has a “good practices guide”
and the National Cyber Security Centre in Netherlands
publishes guidelines. In APAC, the Singapore Infocomm
Media Development Authority acts as a central point
of disclosure for the country’s telecommunications
industry, and the “Standards for Handling Software
Vulnerability Information and Others” has been offered
by the Japan Ministry of Economy, Trade and Industry
since 2004.
Continued encouragement and guidance are vital to
reducing risk, as nearly 1 in 4 hackers have not reported
a vulnerability that they found because the company
didn’t have a channel to disclose it. Having a VDP in
place reduces the risk of a security incident and places
the organization in control of what would otherwise be
a chaotic workflow.
5 CRITICAL COMPONENTS FOR EVERY VDP PROGRAM
Promise: Demonstrate a clear, good faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities.
Scope: Indicate what properties, products, and vulnerability types are covered.
“Safe Harbor”: Assures that reporters of good faith will not be unduly penalized.
Process: The process finders use to report vulnerabilities.
Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated.
SPOTLIGHT
CREATING A VULNERABILITY DISCLOSURE POLICY
Relying only on your internal security team to
keep your company safe isn’t just unreasonable,
it’s impossible. Your team doesn’t have enough
hours in the year to possibly search for, detect,
and investigate every possible security risk across
your business. Sometimes, they don’t have the skill
sets or expertise. So, enlisting everyone’s help in
plugging security gaps isn’t just good for security,
it’s good for your brand, your reputation, and your
customers’ trust. It’s also a best practice and a
regulatory expectation.
A Vulnerability Disclosure Policy (VDP) is the first
step in helping protect your company from an attack
or premature vulnerability release to the public.
It gives hackers and security researchers clear
guidelines for reporting security vulnerabilities to
the proper person or team within your company.
VDPs are often referred to as the “see something,
say something” of the internet. When a skillful eye
spots a potential risk, you want to make it as easy
and straightforward as possible for them to make
you aware. Without it, those vulnerabilities remain
unknown, unfixed, and potentially unleashed to
people outside your organization, exposing your
business and your brand to unnecessary risk or
disastrous consequences.
But the VDP paradox is that, even though 63%
of global organizations say they require their IT
suppliers to have a VDP, more than 82% of the
Fortune Global 2000 companies do not have VDPs
of their own! Security is a business imperative,
and actively encouraging hackers to alert you to
vulnerabilities is good business.
HackerOne has revolutionized VDPs to make it easy
to work directly with trusted hackers to resolve
critical security vulnerabilities. Our VDP structure
is based on the recommended practice outlined in
the Cybersecurity Framework by the United States’
National Institute of Standards and Technology (NIST).
Since 2012, HackerOne has partnered with thousands
of organizations to unlock the security value of the
global hacking community. Now, HackerOne has
become the only hacker-powered security vendor to
receive FedRAMP authorization.
Figure 8: Industry adoption, plotted from early adopter to follower against business value of adoption, for Government-Federal, Automotive, Healthcare, Financial Services, Retail & Commerce, Telecommunications, and Aerospace.
INDUSTRY ADOPTION
In 77% of cases, public bug bounty programs receive
their first vulnerability report within the first 24 hours.
For the U.S. Army, it only took five minutes. Once a
customer has confirmed the vulnerability is valid, they
have the opportunity to reward the hacker and fix the
issue.
HackerOne tracks the time-to-vulnerability resolution
for all programs. A speedy resolution significantly
reduces the risk of a breach. Speed is also important
to hackers, who prefer a fast first response to their
vulnerability report submissions. This lets hackers
know that their report was received and is being
investigated. Once a report is validated, hackers
prefer to be awarded their earned bounty as
quickly as possible.
Nearly all industries respond to hackers in less than
one day, with the fastest being Automotive and Media
& Entertainment companies. Both sectors have median
first response times of less than 4 business hours. Time
to resolution and time to bounty award vary widely
across the industries: Cryptocurrency & Blockchain (11.7
days) and Professional Services (16.0 days) are among
the fastest, while Telecommunications (40.3) and
Government Federal NA (39.0) are the slowest.
For time to bounty, the fastest industries are Financial
Services & Insurance (0.9), and Retail & eCommerce
(1.6). Government Federal NA is, by far, the slowest
to pay bounties, with a median time to bounty of 27.1
days. The next slowest is Telecommunications, which
pays nearly twice as fast, with a median time to bounty
of 13.6 days.
Industry Scorecards
THE PACE OF RESOLUTION VARIES BY INDUSTRY
TIME TO RESPONSE, RESOLUTION, BOUNTY (MEDIAN)

By region:
Region          Time to first response (hours)   Time to resolution (days)   Time to bounty (days)
APAC            0.53                             18.3                        3.7
North America   0.68                             22.8                        5.3
EMEA            0.73                             18.0                        3.1
LATAM           0.66                             32.8                        2.1

By industry:
Industry                          Time to first response (hours)   Time to resolution (days)   Time to bounty (days)
Computer Hardware & Peripherals   0.9                              30.6                        9.2
Computer Software                 0.8                              22                          4.8
Consumer Goods                    0.7                              20.1                        2
Cryptocurrency & Blockchain       0.8                              11.7                        3.1
Electronics & Semiconductor       0.4                              17.2                        4.3
Financial Services & Insurance    0.8                              16.2                        0.9
Government International          0.6                              20.8                        3.0
Government NA Federal             0.6                              39                          27.1
Government NA Local               1.5                              7.6                         0.2
Healthcare                        0.9                              24.8                        2.3
Internet & Online Services        0.7                              18.9                        5.7
Media & Entertainment             0.4                              25.1                        6
Other                             1.7                              17.9                        6.2
Professional Services             1.2                              16                          1.7
Retail & eCommerce                0.6                              20.4                        1.6
Telecommunications                0.9                              40.3                        13.6
Travel & Hospitality              0.6                              19.6                        1.6
Overall                           5.4                              21.8                        4.8
CONTINUOUS INTEGRATION AND CONTINUOUS
DELIVERY have become the new benchmark for
DevOps teams. Applications are delivered faster, code
changes are automatically pushed into production, and
teams are developing in-house apps without external
feedback. The speed of development now matches the
speed of innovation.
This fast pace and frequent release cycles, coupled
with emerging languages, has kept CISOs on their
toes as companies grow and corners are cut to get
releases out the door. It’s also pushed more teams to
“shift left” on their security efforts: improving coding
practices, identifying and eliminating vulnerabilities
during development, and reducing risk as code moves
into production.
THE BEST COMPLEMENT FOR CONTINUOUS
DEVELOPMENT IS CONTINUOUS SECURITY.
While building security into your software development
lifecycle (SDLC) without slowing down development
is a challenge, hacker-powered security can help. Bug
bounty programs empower companies to build a more
security-aware engineering team who can work to
close gaps before they’re released.
By pushing security and vulnerability intelligence to
the left in a SDLC, continuous security helps protect
future releases against threats. It prevents new
products and applications from going into production
with vulnerabilities. And it maximizes bounty program
value to the organization and reduces the risk of future
breaches. In other words, the same vulnerability
reports used to drive improvements in your software
production process can also ensure future code is
continuously more secure. Ship code, not bugs.
As organizations begin a bounty program, they
rightly focus on fine tuning the basic bugs in, bugs
out process. When welcoming outside hackers into
your security operations is still new, there is a lot to
get right—things like effective communications with
hackers, triage, reproducing reported vulnerabilities,
severity classification, bounty amounts, resolution
process, and more. HackerOne has multiple resources
available to help, from guides to our expert professional
services team.
Read how Verizon Media used a bug bounty program to
“shift left” in the SDLC.
Spotlight
CONTINUOUS DEVELOPMENT NEEDS CONTINUOUS SECURITY
SECURITY IS NOT A ONE-TIME THING, BUT A CONTINUOUS CYCLE.
“We know that there are always going
to be bugs in software development.
As we develop, and as we iterate,
we want to make sure security is
an active part of that process, and
never a roadblock to innovation. The
HackerOne bug bounty program
allows us to put another cog in the
wheel of security.”
PETE YAWORSKI
Senior Application Security
Engineer, Shopify
By studying the trends and statistics of
vulnerability reports, organizations can better
prepare security and engineering teams for
incoming report submissions. Benchmarking
against industry standards also helps improve
everyone’s vulnerability disclosure and bug
bounty programs. And, looking at trends on
severity classifications and vulnerability types
helps organizations, and the community as a
whole, understand shifting areas of risk and
prioritization.
CHAPTER 3 // BOUNTY TRENDS BY VULNERABILITY SEVERITY AND TYPE
Median value paid for critical vulnerabilities on HackerOne: $2,500
Average bounty paid for critical vulnerabilities on HackerOne: $3,650
Incoming vulnerability reports are categorized by
the vulnerability type and severity. To determine
the type, HackerOne uses a vulnerability taxonomy
mapped to the industry standard Common Weakness
Enumeration (CWE). For severity, HackerOne uses
the Common Vulnerability Scoring System (CVSS), an
industry standard calculator used to determine bug
severity. The hacker can either choose a severity level
based on their own judgment, or they can use the
CVSS.
Although customers themselves set bounty tables,
HackerOne offers recommendations and insights,
similar to this report, to help organizations benchmark
their offered bounties against similar companies.
Severity is particularly useful for structuring bounty
ranges. When combined with the vulnerability type,
this information streamlines the resolution process,
allowing teams to integrate vulnerability reports with
existing bug tracking systems. It also helps set hacker
expectations on potential report resolution and bounty
payouts.
Bounty Trends // Severity
Critical vulnerabilities make up just 8% of all reports.
Medium severity bugs account for 40%, while low
severity (34%) and high severity (18%) make up the
remainder.
The median value paid for critical vulnerabilities on
HackerOne was $2,500 / €2,120 / ¥17,400, which is up
25% from the 2019 median of $2,000, and double the
$1,250 median of 2017. Critical vulnerabilities carry the
most potential risk, so bounty values are generally
much higher. The median value of a critical bug bounty
is 2.5 times that of a bug of high severity, and more
than 6 times that of a bug of medium severity. As
organizations fix more vulnerabilities and harden their
attack surface, bounty values naturally increase over
time, since vulnerabilities become more difficult to
identify, thus requiring more skill and effort to discover.
The average bounty paid for critical vulnerabilities
across all industries on HackerOne rose to $3,650 /
€3,100 / ¥25,460 in the past year, up from $3,384 in
2019, $2,281 in 2017, and $1,977 in 2016.
VULNERABILITIES BY SEVERITY
Figure 9: Percentage of vulnerabilities categorized by critical, high, medium, or low severity. Data from 2018-2019.
MEDIAN BOUNTY VALUE BY SEVERITY
Figure 10: Median bounty values by severity: Critical $2,500; High $1,000; Medium $400; Low $150.
AVERAGE BOUNTY FOR CRITICAL VULNERABILITIES OVER TIME
Figure 11: Average bounty values for critical vulnerabilities over time, 2016 to 2020 ($0 to $4,000 axis; the yearly values are given in the text above).
Bounty Trends // Regional
MEDIAN BOUNTY PAID BY SEVERITY BY REGION
AVERAGE BOUNTY PAID BY SEVERITY BY REGION
Figure 12: Median and average bounty values for vulnerabilities, by region (N. America, LATAM, EMEA, APAC) and severity type (critical, high, medium, low).
Region Spotlight
NORTH AMERICA
Critical bug bounty average: $4,263
Critical bug bounty median: $3,000
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. OPEN REDIRECT
6. VIOLATION OF SECURE DESIGN PRINCIPLES
7. PRIVILEGE ESCALATION
8. BUSINESS LOGIC ERRORS
9. INSECURE DIRECT OBJECT REFERENCE
10. CROSS-SITE REQUEST
Note: The remaining percentage that is omitted consists of any additional types of vulnerabilities that did not make the top ten.
Regional bug bounty values vary as well. The average
bounty paid for a critical bug in North America was
$4,263 over the past year. That average was $1,547 in
EMEA, $1,893 in APAC, and $2,567 in Latin America.
EMEA
Critical bug bounty average: $1,547
Critical bug bounty median: $1,000
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. VIOLATION OF SECURE DESIGN PRINCIPLES
6. INSECURE DIRECT OBJECT REFERENCE
7. OPEN REDIRECT
8. BUSINESS LOGIC ERRORS
9. CROSS SITE REQUEST
10. BRUTE FORCE
Region Spotlight
APAC
Critical bug bounty average: $1,893
Critical bug bounty median: $2,000
TOP 10 VULNERABILITY TYPES
1. XSS
2. INFORMATION DISCLOSURE
3. IMPROPER ACCESS CONTROL - GENERIC
4. IMPROPER AUTHENTICATION - GENERIC
5. CROSS-SITE REQUEST FORGERY (CSRF)
6. BUSINESS LOGIC ERRORS
7. OPEN REDIRECT
8. INSECURE DIRECT OBJECT REFERENCE (IDOR)
9. VIOLATION OF SECURE DESIGN PRINCIPLES
10. BRUTE FORCE
LATIN AMERICA
Critical bug bounty average: $2,567
Critical bug bounty median: $1,800
TOP 10 VULNERABILITY TYPES
1. XSS 20%
2. INFORMATION DISCLOSURE 15%
3. IMPROPER ACCESS CONTROL - GENERIC 15%
4. INSECURE DIRECT OBJECT REFERENCE (IDOR) 7%
5. VIOLATION OF SECURE DESIGN PRINCIPLES 7%
6. CROSS-SITE REQUEST FORGERY (CSRF) 7%
7. BUSINESS LOGIC ERRORS 6%
8. OPEN REDIRECT 5%
9. PRIVILEGE ESCALATION 2%
10. SERVER-SIDE REQUEST 2%
Bounty Trends // Payouts
The highest average bounty payments by industry for critical issues come
from Computer Software ($5,754), Electronics & Semiconductor ($4,663),
and Cryptocurrency & Blockchain ($4,481). Those are all significantly higher
than the platform average of $3,650. For all vulnerabilities reported of any
severity, the average bounty payout was $1,024, up 33% from $771 last
year, and up 119% from $467 in 2017.
AVERAGE BOUNTY PAYOUT PER INDUSTRY FOR CRITICAL VULNERABILITIES
Figure 13: Average bounty paid for critical vulnerabilities, by industry (average $ bounty on a $0 to $6,000 axis), from lowest to highest: Pharmaceuticals, Government NA Federal, Government International, Other, Consumer Goods, Aviation & Aerospace, Government NA Local, Education, Computer Hardware & Peripherals, Retail & eCommerce, Travel & Hospitality, Healthcare, Financial Services & Insurance, Media & Entertainment, Medical Technology, Professional Services, Telecommunications, Internet & Online Services, Automotive & Ground Transportation, Cryptocurrency & Blockchain, Electronics & Semiconductor, Computer Software.
The average amount paid per vulnerability of any
severity level is $979 / €831 / ¥6,834, which increased
by 9% from last year’s average. That’s a small price to
pay compared with the legal, brand, and engineering
impact of a security breach, which the Ponemon
Institute and IBM Security estimates at an average cost
of nearly $4 million.
AVERAGE BOUNTY PAYOUT BY SEVERITY
Figure 14: Average bounty payout by severity (low, medium, high, critical), with the 50th, 60th, 80th, 90th, and 99th percentiles marked on a $0 to $25,000 axis.
Bounty Trends // Vulnerabilities
REPORTED VULNERABILITIES BY TYPE
Figure 15: Top 10 reported vulnerability types.
1. XSS 23%
2. INFORMATION DISCLOSURE 18%
3. IMPROPER ACCESS CONTROL - GENERIC 10%
4. IMPROPER AUTHENTICATION - GENERIC 7%
5. VIOLATION OF SECURE DESIGN PRINCIPLES 6%
6. OPEN REDIRECT 6%
7. BUSINESS LOGIC ERRORS 5%
8. INSECURE DIRECT OBJECT REFERENCE (IDOR) 5%
9. PRIVILEGE ESCALATION 5%
10. CROSS-SITE REQUEST FORGERY (CSRF) 4%
HackerOne live hacking events: 23
Total reports from live hacking events: 6,800
Earned by hackers at events: $9 MILLION
Spotlight
VIRTUAL LIVE HACKING EVENTS
Live Hacking Events bring together hackers from across the globe
to participate in a single- or multi-day hacking challenge targeting a
specific set of customer assets. These events put hackers in the same
room as the target program’s security team, offering an opportunity
for unmatched focus, impact, and bounty earnings. As of this report,
HackerOne hosted 23 events, with 15 customers, in 12 different cities
around the world. Hackers have earned more than $9 million and
submitted over 6,800 reports at these events.
“The live hacking events are really
great. They give us the opportunity
to meet face to face with the hackers
who are active on our platform, it gets
them an opportunity to meet with
each other as well, and it facilitates
a fantastic ideas exchange. It’s a fun
and competitive atmosphere and it
pushes everyone together to be better
hackers, to be better defenders, and to
be smarter about how you approach
these problems. Now, obviously under
COVID we can’t do those virtual events
right now, so we’ve pivoted to doing
virtual events… In a way, we’re helping
create a more diverse environment
and we get the benefit of those diverse
experiences that those researchers
bring, and it might help us bring some
new ideas into the program that we
can all benefit from.”
SEAN ZADIG
VP & CISO, Verizon Media,
during a HackerOne Fireside Chat
Highest ever single-day bounty payout: $1 MILLION
Reports over two weeks of #h1-2004: 286
When the COVID-19 pandemic
curtailed travel, HackerOne quickly
moved to a virtual format, which
has been lauded by both security
teams and hackers.
Verizon Media ran the first ever
Virtual Live Hacking Event on March
25, 2020, dubbed #h1-2004. Hackers
from all over the world submitted
286 reports over the course of two
weeks, earning them over $673,000
in bounties. The event included
a full schedule of hacking, plus
hacker panels and interviews, which
provided a great opportunity to
both learn and earn.
As the original event was intended
to be in Singapore, The Paranoids
(Verizon Media’s security team)
wanted to ensure that the local
hacker base was able to participate
in a big way.
We invited 50 hackers from across
the globe, with over 30% from the
APAC region, including Singapore,
Hong Kong, India, and New
Zealand.
“If someone were to ask me about
my favorite live hacking event,
#h1-2004 would be at the top of
my list,” said Sean Poris, Director of
Product Security at Verizon Media.
“It was amazing to see people come
together during this pandemic to
have deep conversations, to laugh
a little bit, and bring the community
together.”
#H1-2004
Hackers participated in #h1-2006’s CTF: 4,282
Vulnerability reports from live hacking events that are high or critical severity: 45%
In May 2020, PayPal and HackerOne joined forces for
a “Capture the Flag” (CTF) event. The winners of the
CTF earned invitations to #h1-2006, the world’s second
Virtual Live Hacking Event. HackerOne got creative with
this CTF, with the premise based on a fictitious tweet
from HackerOne’s CEO claiming that he lost the login
details required to make bounty payments. It called
on hackers to help retrieve those account details and
put bounty payments back on track. The top 3 hackers
of the CTF, Nytr0gen, Zoczus, and bugra, were then
invited to the PayPal live hacking event.
Over the one week live event, 4,282 hackers
participated and 55 successfully accomplished the
task to process hacker payments. Judges then
reviewed vulnerability report submissions on creativity,
completeness, and story, and then announced the
winners. As seen in the recap video, hackers thoroughly
enjoy the collaboration, education, and competition of
these events.
Spotlight
#H1-2006
Virtual and in-person Live Hacking Events offer a
fun, dynamic, and educational environment that
encourages hackers to work in a focused and
collaborative manner. These events, some reaching
over 3,000 combined testing hours, target key assets
and areas of concern to quickly discover critical
vulnerabilities while offering security teams a clear
ROI. Hackers submit more than 200 reports during the
typical event, with 45% being high or critical severity,
on average.
HackerOne is preparing for more Live Hacking Events
in 2020 and 2021, both virtual and in-person as soon
as appropriate.
Customer Spotlight // U.S.
THE ROOTS OF AT&T STRETCH BACK NEARLY 150 YEARS
TO THE ORIGIN OF THE TELEPHONE ITSELF and across
its innovations in transistors, communication satellites,
and machine learning. The company has also expanded
far beyond telecommunications to become a modern
media company, a fiber and wireless connectivity
provider, and a software-based entertainment provider
with brands like WarnerMedia, HBO, and TBS.
The company continued their innovative ways in
July 2019 by becoming the first communications
company of its size to launch a bug bounty program on
HackerOne. After having run a self-managed program
since 2012, moving to HackerOne quickly increased
the number of bugs received and the quality of incoming
reports. It also expanded the AT&T program by opening
it to a global network of skilled hackers and adding
all of the company’s public-facing online properties,
including websites, exposed APIs, mobile applications,
and devices.
In the first year of the public program on HackerOne,
AT&T resolved over 2,850 vulnerabilities and paid out
$1,129,075 in bounties based on input from 850 hackers
worldwide. The findings have helped AT&T understand
holes in their security and use those insights to ensure
they are patched across other essential products and
services.
AT&T
Bug reports resolved: 3,000+
Bounty awards: $1,211,000+
“Operating a bug bounty program is about getting
one step ahead of the game by being hands-on and
predictive,” explained Reynaldo Candelario, Principal
Technology Security at AT&T. “It’s another approach
to detect software and configuration errors that can
slip past developers and later lead to big problems.
Hacker-powered security has helped our technology
teams learn and resolve vulnerabilities that would not
have been revealed by any internal security discovery
methods.”
To date, AT&T has paid out more than $1,211,000 in
bounty awards and resolved more than 3,000 bug
reports. The company plans to continue expanding
its bug bounty program into other segments of the
business to increase the already tangible ROI and
further improve the company’s digital security.
“The program will always be in a constant evolution
of change to ensure a balance is given to everyone
that participates in the program,” concludes Reynaldo.
“We look forward to continuing our collaboration with
the hacker community to improve our program and
partnership.”
Bounty Trends
GO BEYOND COMPLIANCE WITH HACKER-POWERED PENTESTS
Penetration tests are a staple of nearly every security
program. They have been used for decades as a viable means
for evaluating the security of a specific scope of technology.
Pentesting remains a necessary exercise to identify
weaknesses and for compliance, but traditional pentests are
often delivered with limited transparency into the testing
process and they provide only an occasional, point-in-time
view of risk. They’re further limited by the traditional process,
which devotes a small pool of researchers to a specific scope
for just a few weeks.
“THIS IS VALUE THAT WE NEVER GOT FROM A PENTEST.
TRADITIONAL PENTESTS ARE NOT ENOUGH FOR MODERN
DAY SECURITY.”
GEORGE GERCHOW
Chief Security Officer, Sumo Logic
Crowdsourced pentests are becoming a common and
effective means for continuous, proactive security
testing and broad investigation of a technology’s
security risks. Unlike traditional penetration tests,
which are one-off exercises designed for a compliance
checklist, hacker-powered pentests can be seamlessly
incorporated into your security strategy.
These hacker-powered pentests utilize the creative
diversity, varying skills, and broad approaches of
the hacker community, deployed continuously and
on varied applications. What’s more, the cost is tied
directly to validated results rather than effort. In fact,
a Total Economic Impact (TEI) report from Forrester
Consulting found that a HackerOne Challenge
eliminated $156,784 in total costs and reduced internal
security and application development efforts, saving an
additional $384,793 over three years.
HackerOne’s powerful platform allows security teams
to redefine the way they respond to vendor security
assessments and compliance needs. HackerOne
Pentests bring a creative, community-led approach to
pentests to offer more coverage, instant results, and
seamless remediation workflows all in one platform.
It provides the visibility to track progress and interact
with researchers from the kickoff, discovery, and
testing, through to the retesting and remediation
phases of a pentest. Those real-time insights empower
security teams to act on vulnerabilities as they are
found instead of waiting weeks for them.
Many security leaders are drawing a false distinction
between compliance and security. According to our
research, more than two-thirds of security leaders
believe pentests strengthen software—but they are
making a grave error in believing that compliance
is more important than reducing risk and finding
vulnerabilities, or that the two are separable. Instead,
an overall security strategy should include strategies
that allow the compliance box to be checked at
the same time as finding bugs before they can be
exploited.
HackerOne Pentests, however, fulfill both regulatory
compliance and customer assessment needs with
compliance-ready reports to satisfy SOC 2 Type II, ISO
27001, and more. The findings are also summarized
in an actionable, methodology-based report to help
security teams better understand how to reduce risk.
To learn more, see how HackerOne Pentests improves
upon traditional pentests.
“WE TURNED TO HACKERONE FOR SCALABLE REAL-TIME TESTING THAT
WOULD LOOK IN THE PLACES WE WEREN’T LOOKING—NOT A SIMULATION OR
TEMPLATED TEST—FOR SOC 2 COMPLIANCE.”
STEVE SHEAD
Vice President InfoSec & IT, Grand Rounds
To find the gaps that can lead to security incidents, you need pentesters with the creativity to
think beyond a standard checklist. Pentests are opportunities to discover weak spots in your
defenses, bring a fresh set of eyes to engineering’s code, and add a virtual security team that
can be spun up or down as needed and without requiring onsite access.
Spotlight
THE VALIDATED ROI OF HACKER-POWERED PENTESTS
Benefits: $541,577
Costs: $252,127
ROI: 115%
Hacker-powered pentesting adds a broad array of specialized skills, experience,
and creativity to find security gaps unique to your business and technologies.
Where traditional pentests fall short—limited team of testers and approaches,
slow turnaround of results, and a lack of real-time visibility into findings—hacker-
powered pentests rise above. They also save money.
A Forrester Consulting Total Economic Impact™ (TEI) analysis used interviews
with HackerOne customers to gauge the financial and qualitative impact of
HackerOne Challenge over traditional security testing methods. Customers say
they eliminated costs “orders of magnitude higher than the HackerOne cost,”
received results faster, and consumed less effort from the internal security
team.
HackerOne Challenges also offer more robust testing methods, instant
feedback, and detailed vulnerability reports as compared with traditional
point-in-time testing such as pentests. This is a direct result of the creativity,
expertise, and experience of the hacker community. The increased detail in
vulnerability reports also helped inform upstream engineering and development
teams, which reduced application development times.
In total, Forrester’s interviews and financial analysis concluded that an
organization using hacker-powered pentests experienced benefits of $541,577
over three years versus costs of $252,127, adding up to a net present value (NPV)
of $289,450 and an ROI of 115%.
To learn more, download your copy of the Forrester TEI report today.
The key benefits found by Forrester include:
A 50% REDUCTION IN SECURITY TESTING DURATION.
A TOTAL COST OF OWNERSHIP (TCO) PER PENTEST OF JUST $41,350.
A REDUCTION IN INTERNAL PENTESTING EFFORT OF 66%.
“We tried pen testing before and found it very
expensive and practically useless. We paid many
thousands of dollars and they only found a few bugs.
The first week we launched HackerOne they found
several high priority bugs we fixed immediately.
Huge value at a fraction of the costs.”
AMOS ELLISTON
CTO, Flexport
Bug reports resolved: 1,000
In bounties paid in the 3 months prior to the publishing of this report: $1 MILLION+
Customer Spotlight
THE SECURITY TEAM AT PAYPAL, the popular digital
payments platform, is tasked with protecting the
personal and financial information of 325 million active
accounts, in more than 200 markets around the world.
The company has been running a bug bounty program
since 2012, transitioning to the HackerOne platform
in 2018. This move instantly opened the program to a
massive community of hackers and, as expected, an
increase in participation. In just the first six months of
moving to HackerOne, PayPal received reports from
890 researchers across 56 countries, compared to just
365 researchers in the prior six months.
“Security has always been a top priority for our
business, ingrained into the fabric of everything we
do,” says Ray Duran, Information Security Engineer
at PayPal. “In addition to being able to work with a
broader more diverse set of researchers, HackerOne
has enabled us to process bounty awards for qualifying
submissions faster and get direct feedback from
researchers on how to further improve our program.”
In the first 7 months of its program, the company
reached $1,000,000 in bounties paid. Over the
program’s first 2 years, PayPal has awarded nearly
$4,000,000 in bounties, with over $1,000,000 paid
in the 3 months prior to the publishing of this report.
The company is also closing in on 1,000 total reports
resolved.
PAYPAL
CHAPTER 4 // HACKERS: TODAY’S HACKER COMMUNITY
Hackers are the soul of the
cybersecurity community
and the immune system of
the internet. What started in the
dark underbelly of the internet has
turned into a global movement of
talented and creative people who
enjoy digging into the technology
that makes the internet work. There
are now more than 830,000 hackers
registered on the HackerOne
Platform. They’ve earned more than
$100 million / €85 million / ¥696
million through reports on more
than 181,000 vulnerabilities.
Total registered hackers: 830,000+
Amount paid to hackers in the past year: $44.75 MILLION
The 2020 Hacker Report, a benchmark study of the
bug bounty and vulnerability disclosure ecosystem,
details the efforts and motivations of hackers from
across the globe who are working to protect the
2,000+ companies and government agencies on the
HackerOne platform. These hackers are a force for
good. They earn money, learn valuable skills, or build a
career by hacking. In fact, the potential earnings power
of a hacking career is well above today’s global average
IT salary of $89,732.
Hackers
Countries represented in the hacker community: 226
Share of the hacking community that hails from India: 19%
Customer Spotlight // EMEA
Costa Coffee shops in Europe: 4,000
Costa Coffee has been serving up coffees to Londoners
since 1971. In the past 50 years, they’ve added 4,000
Costa Coffee shops and 10,000 Smart Cafe machines
across Europe, Asia, and the Middle East. Now, as they
expand to the U.S., the company has launched a bug
bounty program to help protect its loyal customers’
data.
“We see bug bounty as a key addition to our existing
security testing capabilities, which also includes an
established pentesting program,” said Matt Adams,
Global Security Architect at Costa Coffee, in an
interview. “However, the ability to access a wide variety
of hackers, each bringing their unique approach and
tactics to our program, will enable us to efficiently scale
our testing activities.”
The company has been preparing for this continued
global expansion, and the addition of a bounty program
is part of its multi-year security transformation
program. The hacker-powered security program also
helps accelerate their security efforts to maintain pace
with their agile software development lifecycles.
“The opportunity for continuous testing that a
bug bounty program provides also aligns with our
increasing adoption of agile development practices and
CI/CD pipelines,” said Matt. “Our vision for the program
is that it will enable our security testing processes
to move at the same rapid pace as our development
teams.”
COSTA COFFEE
It all combines to help Costa Coffee respond to the
changing global threat landscape, especially as more
personal data is collected via its customer loyalty
program. Keeping those customers happy is critical to
maintaining the company’s brand reputation, which is
why its security team chose to work with HackerOne.
“As this is a new initiative for Costa Coffee, it was
important for us to engage a trusted provider in order
to help to build confidence in the bug bounty concept,
and one that we were confident would deliver a
successful program,” Matt added. “As the leading bug
bounty platform, HackerOne was the obvious choice.”
Hackers
WHO ARE THE HACKERS AND WHY DO THEY HACK?
HOW MANY YEARS HAVE YOU BEEN HACKING?
Figure 17: How long have you been hacking?
Hackers are young, curious, and creative. Most (87%)
hackers are under age 35 and 84% are self-taught.
Just over half (53%) get at least half of their income
from hacking, with 22% naming hacking as their only
source of income. Just 53% do it for the money, with
68% saying their main motivation is that they enjoy the
challenge of hacking. It’s also a good career booster;
44% say they hack to advance their career and 80%
say they’ve used, or plan to use, skills and experience
learned while hacking to land a job. There’s also an
altruistic angle to hacking: 29% hack to protect and
defend and 27% hack to do good in the world.
1-2 YEARS
3-5 YEARS
UNDER 1 YEAR
6-10 YEARS
11-15 YEARS
15+ YEARS
29%
30%
17%
14%
5%
5%
71%
hack websites
79
Hackers test your system in many more ways than any
one security contractor could afford to. Every model,
every tool, every scanner has slightly different strengths,
but also different blind spots. Every hacker brings a
slightly different methodology and a slightly different
toolset to the problem. Although automated detection
tools have gotten very good at flagging things that might
be a problem, almost all of them are plagued with false
positives that still require a human to go through and
assess whether each finding is actually a vulnerability.
While automation can handle the grunt work, we still
need skilled human eyes to see problems and solutions
that computers can’t. And the earlier in the process you
have hackers engaged, the better off you will be.
Figure 18: Favorite platforms to hack
Websites: 71%
APIs: 7%
Android mobile: 4%
Technology that I’m a user of / that has my data: 4%
Operating systems: 4%
Downloadable software: 2%
Internet of Things: 2%
Other: 2%
Firmware: 1%
To learn more about the hacker community, why they hack, how they learn, and even what they do with their earnings, download The 2020 Hacker Report.
Figure 19: What best describes you?
I hack as a hobby: 59%
I am a student: 27%
I hack full-time for my employer: 22%
I hack full-time: 18%
I hack sometimes for my employer: 14%
Self-employed: 11%
Other: 2%
Retired: 0.6%
Figure 20: Why do you hack?
To be challenged: 68%
To make money: 53%
To learn tips and techniques: 51%
To have fun: 49%
To advance my career: 44%
To protect and defend: 29%
To do good in the world: 27%
To help others: 25%
To show off: 8%
Other: 1%
Customer Spotlight // APAC
$107,000+ awarded in bug bounties
110+ reports resolved
LINE Corporation, based in Japan, develops and
operates a wide range of mobile-first services and
advertising, along with businesses in Fintech, Artificial
Intelligence, and other domains. The company’s
LINE messaging app is the fastest growing mobile
messenger app in the world, and incorporates voice,
video, games, payments, and more.
LINE moved their self-run bug bounty program to the
HackerOne platform in 2019 in a bid to enable greater
transparency into their security efforts and incoming
vulnerability reports. The company also wanted to
increase participation by global hackers, so moving
to a platform with a hacker community hundreds-of-
thousands strong would quickly bring more awareness
to its growing program.
LINE started with a private bug bounty program on
HackerOne, and within 2 weeks had already paid out
$5,000 for its first validated vulnerability report. In the
first four-and-a-half months of the private program,
LINE received 101 reports, 37 of which were valid and
resulted in bounty awards.
“This means that we rewarded over 36% of the reports
we received, which is quite impressive,” wrote Robin
Lunde, Security Engineer at LINE, in a blog post.
At that point, the LINE security team transitioned to a
public bug bounty program, which immediately ramped
up the program’s participation, as its team had hoped.
In the first week of their public program, LINE received
103 reports—two more than in its entire 18-week
private program!
“It confirmed that our effort in spreading awareness
and information had been a success,” Robin added.
Adding to the program’s success was the growth in
hacker participation and expanded coverage of the
company’s diverse scope.
“Moving to HackerOne allowed for an increase in
participating reporters, as well as valid reports,”
Robin concluded. “It also resulted in a wider array of
our services being inspected and tested. This closely
aligned with our goals for moving to HackerOne
indicating that it was a success, as well as a step
towards achieving our future goals.”
Since LINE began its public bug bounty program on
HackerOne, the company has awarded over $107,000 in
bug bounties and resolved more than 110 reports.
Hacker Spotlight
EUGENE
@spaceracoon
“I am motivated by the thrill of finding a bug and learning
something new. Every time I read an article on new
exploitations or discovery techniques, I’m itching to try it
out. I love thinking of clever ways to bypass a defense or
apply a novel attack.”
TOM
@Tomnomnom
“It’s a lifelong obsession with how things work. There’s
this great Richard Feynman quote, which is: ‘What I cannot
create, I do not understand.’ And I think, for software,
you’ve got to apply an additional layer of ‘What I cannot
break, I do not understand.’”
KATIE
@insider_PHD
“The community is super encouraging. The community
is super willing to help out. It’s, as far as I’m
concerned, my home.”
BEN
@nahamsec
“The one skill hackers must inherently have is the ability to
problem solve and a strong sense of curiosity around how
technology works and how it could possibly fail us.”
ALEX
@ajxchapman
“I like the challenge. I like the variety that hacking gives and
the opportunity for continued learning. It’s a really good
way of proving yourself and extending your knowledge
every day.”
ALYSSA
@alyssa_herrera
“What motivates me is wanting to help out security
companies protect against breaches and improve their
general security. Another motivation is being a role
model for other women who also might want to get
into this field of work.”
HOW TOMORROW’S HACKERS LEARN
Cybersecurity skills are in high demand. Since
most hackers are self-taught, they need access
to resources to help them build their skills. To
train future cybersecurity leaders, the broader security
community has to invest in education. HackerOne
is committed to preparing students for success as
ethical hackers through community programs such as
Hacker101, a free, video-based web security training
series for the next generation of ethical hackers.
One of the greatest sources of education for new
hackers is through Hacktivity, which showcases select
activity on disclosed vulnerabilities, hackers, programs,
and bounty awards. Anyone can access Hacktivity to
review detailed reports, understand how hackers work,
and learn the many different techniques, tools, and
approaches used by hackers and security teams.
HackerOne also offers Hacker101 CTF (Capture The
Flag), a series of free hacking games based on real-
world environments that challenge learners to hack and
find the flags. Experienced and aspiring hackers can
put their skills into practice with levels inspired by real-
world security vulnerabilities. HackerOne also invests in
university-based initiatives, such as those at Singapore
Management University and the National University of
Singapore, which introduce students to ethical hacking
through training and competitions.
Live Hacking Events provide a unique joint learning
experience and bug bounty engagement. For in-
person live hacking events, hackers from all over the
globe fly in to participate in a dynamic, social event,
with focused testing on a targeted set of assets. This
traditionally includes two weeks leading up to the
event culminating in 2-3 days in a particular city. During
the event, the programs’ security teams and hackers
mingle together for social activities, sightseeing,
knowledge-sharing, and of course, plenty of hacking.
Events also include hacking workshops for local student
groups, structured hacking mentorship sessions, and
job recruitment workshops.
To expand the diversity and inclusion of the hacking
community, HackerOne includes community days with
Live Hacking Events. These bring local cybersecurity-
focused organizations that prioritize diversity, such as
preparatory schools, Cyber Patriots, Hack the Hood,
Black Girls Code, and WiSP, together with top hackers
and educators. Community days give aspiring hackers
a chance to learn Hacker101 content directly from
seasoned hackers.
Spotlight
THE LARGEST HACKER-POWERED SECURITY CONFERENCE
Security@ is the largest hacker-powered
security conference. It brings together
hundreds of security leaders, influencers,
and hackers from around the world to
share lessons, learnings, and insights with
those who are leading this modern era
of cybersecurity. Past speakers include
security leaders and experts from the U.S.
Defense Digital Service, Verizon Media, the
U.S. Department of Justice, Yelp, The New
York Times, Sumo Logic, Goldman Sachs,
Facebook, Paypal, Salesforce, Bloomberg,
Slack, Shopify, and many more.
Learn more about the Security@ 2020
conference, which will be held virtually on
October 20-22, 2020.
Spotlight
MILLION
DOLLAR
HACKERS
Nine individual hackers have reached $1 million /
€850,000 / ¥7 million in bounty earnings on the
HackerOne platform. That’s an incredible milestone
for anyone in any profession, but these hackers have
reached this pinnacle in well under a decade. It shows
the earnings potential of hacking and also highlights
the global diversity: these 9 hackers hail from 7
different countries.
But it doesn’t take a million dollars to increase a
hacker’s quality of life. It could be a full-time job, or
it could add some extra money to cover rent, a car, a
vacation, or anything. Only 53% of hackers do it for the
money. Yet, over 200 hackers have earned more than
$100,000.
Many more hackers—just under 9,000—have earned
at least something on HackerOne. Of all hackers who
have found at least one vulnerability, 47% have earned
$1,000 or more.
200: Hackers have earned more than $100,000.
47%: of hackers have earned $1,000 or more.
Spotlight
In early 2020, as the global
pandemic took hold, the
Internet Complaint Center
at the U.S. Federal Bureau of
Investigation reported seeing
three to four times their typical
number of reports. The spike in
cybercrime also prompted the U.S.
National Counterintelligence and
Security Center to issue a warning
about “threat actors” increasing
their attacks on medical research
organizations. A related study
revealed that large-scale breaches
increased 273% in early 2020,
compared with 2019.
In the summer of 2020, HackerOne
surveyed 1,400 global security
leaders at large companies across
North America, Europe, and Asia-
Pacific, to learn more about their
challenges during the pandemic.
Unfortunately, what many are
dealing with in reality reflects the
warnings offered earlier in the year.
The impact of both challenges
is forcing security teams to face
more threats while dealing with
diminished resources.
Nearly two-thirds (64%) of global
security leaders believe their
organization is more likely to
experience a data breach due to
COVID-19, and 30% have seen
more attacks since the start of
the pandemic. Unfortunately, 30%
have seen their security teams
reduced and one-quarter have seen
their budgets reduced since the
pandemic began.
But as the pandemic has increased
threats and decreased resources,
it has also increased distractions.
More than a third (36%) of
security leaders say that digital
transformation initiatives have
accelerated as a result of COVID-19,
and 30% have had to switch
priorities from application security
to securing new work-from-home
and collaboration tools.
Many are now looking to hacker-
powered security to augment their
own resources and offer a pay-
for-results approach that’s more
justifiable under tightened budgets.
As a result of the challenges posed
by COVID-19, 30% of security
leaders say they are more open
to accepting vulnerability reports
from third party researchers about
information security issues.
Learn how HackerOne can help you quickly add resources to your security efforts.
SECURITY LEADERS SEEING OUTBREAK OF CYBERCRIME DURING PANDEMIC
Seeing more attacks: 30%
Reduced security teams: 30%
Dealing with budget cuts: 25%
Security breach more likely: 64%
Figure 21: Cybersecurity trends during COVID-19
Share of security leaders agreeing with each statement: global headline figure, followed by each of the seven surveyed countries.

Statement | Global | UK | France | Germany | Australia | Singapore | USA | Canada
Digital transformation initiatives have accelerated as a result of COVID-19 | 36% | 39% | 32% | 34% | 36% | 37% | 35% | 37%
Have had to go through a digital transformation ahead of the planned roadmap as a result of COVID-19 | 31% | 34% | 28% | 29% | 22% | 39% | 32% | 33%
Have had to switch priorities during the pandemic from application security to securing the use of working-from-home and collaboration tools | 30% | 34% | 26% | 41% | 28% | 29% | 30% | 27%
Have seen more attacks on their IT systems as a result of COVID-19 | 30% | 31% | 36% | 28% | 33% | 21% | 34% | 30%
Security teams have been reduced during the pandemic | 30% | 37% | 28% | 28% | 35% | 30% | 24% | 30%
As a result of the challenges posed by COVID-19, are more open to accepting reports from third party researchers about information security issues | 30% | 30% | 33% | 34% | 32% | 21% | 34% | 26%
Information security budgets have been negatively impacted as a result of COVID-19 | 25% | 29% | 30% | 23% | 26% | 24% | 27% | 27%
Believe their organisation is more likely to experience a data breach due to COVID-19 | 64% | 69% | 70% | 70% | 55% | 58% | 57% | 68%
Feel under scrutiny to prove the business takes information security seriously | 66% | 72% | 62% | 61% | 53% | 76% | 61% | 75%
CLOSING
THOUGHTS
HACKER-POWERED SECURITY IS THE FUTURE OF
CYBERSECURITY — AND THAT FUTURE IS HERE.
In an era of increasing uncertainty and unprecedented
challenges, hackers are empowering organizations to
keep their customers safe: in more areas of the world,
on more attack surfaces, in new ways, using new tools
and methods. Security leaders are partnering with
hackers to supplement their security teams, reduce
risk across the software development lifecycle, achieve
compliance, and reinforce brand trust.
And hackers — these creative individuals who enjoy
overcoming limitations — are using this partnership
to support themselves and enrich their communities.
Hackers have already received over $100 million / €85
million / ¥696 million in bounties. And we estimate that
total to grow by 1,000% within the next 5 years. Many
hackers are donating their bounties to charitable causes.
The COVID-19 pandemic has shown us how small
and interconnected our world is. Technology is
fundamentally global, and yet the systems upon
which we have built our digital lives can be upended
in seconds. We rely on these systems for everything:
to work, live, learn, travel, to buy and sell things, to
experience art and entertainment. To threaten these
systems is to threaten our way of life.
But this interconnectedness is a positive thing,
too. Keeping the internet safe is a global effort.
Finding the hundreds of millions of vulnerabilities
in our technology would be impossible without an
international pool of talent.
Hackers know that. Security leaders know that. Boards
are starting to mandate it; government agencies are
recommending it as a best practice. And HackerOne is
here to lead the charge.
// exit
TOGETHER, WE
HIT HARDER
— AND AS
A GLOBAL
COMMUNITY,
WE HACK FOR
GOOD.
METHODOLOGY & SOURCES
Findings in this report were collected from the HackerOne
platform using HackerOne’s proprietary data based on over
2,000 collective bug bounty and vulnerability disclosure
programs. The 2020 data in this report spans from May 2019
through April 2020.
FORBES GLOBAL 2000 VULNERABILITY DISCLOSURE
RESEARCH: Our research team searched the internet
looking for ways a friendly hacker could contact these
2,000 companies to disclose a vulnerability. The team
looked for web pages detailing vulnerability disclosure
programs as well as email addresses or any direction
that would help a researcher disclose a bug. If they
could not find a way for researchers to contact the
company to disclose a potential security vulnerability,
they were classified as not having a known disclosure
program.
Any companies that do have programs but are not
listed as having one in the Disclosure Directory are
encouraged to update their profile in the Disclosure
Directory on their company’s page. See ISO 29147 for
additional guidance or contact us.
COVID CONFESSIONS OF A CISO: Research conducted by
Opinion Matters on behalf of HackerOne. The survey
includes responses from 1,400 security professionals in
companies employing 1,000 or more, and located in the
U.K., France, Germany, Australia, Singapore, the U.S.A.
and Canada. Research was conducted in July 2020.
THE 2020 HACKER REPORT: Data was collected from
a proprietary HackerOne survey in December 2019
and January 2020, totaling over 3,150 respondents
from over 120 countries and territories. The surveyed
individuals have all successfully reported one or more
valid security vulnerabilities on HackerOne, as indicated
by the organization that received the vulnerability
report.
ABOUT
HACKERONE
HACKERONE EMPOWERS THE WORLD TO BUILD
A SAFER INTERNET. As the world’s trusted hacker-
powered security platform, HackerOne gives
organizations access to the largest community
of hackers on the planet. Armed with the most
robust database of vulnerability trends and industry
benchmarks, the hacker community mitigates cyber
risk by searching, finding, and safely reporting real-
world security weaknesses for organizations across all
industries and attack surfaces.
Customers include The U.S. Department of Defense,
Dropbox, General Motors, GitHub, Goldman Sachs,
Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF
Singapore, Nintendo, PayPal, Qualcomm, Slack,
Starbucks, Twitter, and Verizon Media. HackerOne
was ranked fifth on the Fast Company World’s Most
Innovative Companies list for 2020. Headquartered in
San Francisco, HackerOne has a presence in London,
New York, the Netherlands, France, Singapore, and
over 70 other locations across the globe.
TRUSTED BY
More Fortune 500 and Forbes Global 1000 companies than
any other hacker-powered security alternative.
the world’s most trusted hacker-powered security platform
www.HackerOne.com