Over 800 hacker-powered programs ended up being examined in order to create a new HackerOne report. The programs’ data came from multiple companies and organizations, including GitHub, Intel, Nintendo, Uber, Airbnb, General Motors, Lufthansa, and even the US Department of Defense.
These findings are mostly based on almost 50,000 vulnerabilities in the security department that hackers managed to find and help resolve. As a reward for their efforts, over $17 million bounties are rewarded so far.
Average data breaches on an annual level involve around $4 million in losses, on a global level. However, the damage is even greater, and the cost of downtime that hacking attacks leave behind even goes up to $8 billion.
Because of these insanely large losses, many organizations that care more and more about their online security have started working with hackers. The relationship is pretty symbiotic, where the hackers are improving the companies’ safety, and getting paid in return for their reports and findings.
However, these reports are most concerning, since over 32% of the issues that hackers have solved by now is of high and even crucial severity. Some of the vulnerabilities are so large, that the companies were known to pay up to $30,000 per report. These bug bounties are a new trend that is working out quite nicely for everyone.
Hackers from all around the world are joining in this bug hunts, and over 90 countries are confirmed to be the places of these hackers’ origin. Naturally, this started a new form of competition between the companies, and it mostly comes down to who will employ better, faster, and more hackers. Some of them are paying over $900,000 per year in order to attract hackers, where some of the most crucial vulnerabilities can earn them up to $1,923.
In the last year alone, over 88 rewards related to bug bounties went over $10,000. So, it is safe to say that the program is working out nicely, and very effective. On the global level, according to HackerOne’s report, almost 50,000 vulnerabilities were resolved, which is an amazing number.
Of course, these hackers aren’t only hired by tech companies. Tech companies may be the loudest, as well as the majority of the hackers’ customers, but they are not the only ones. Around 41% of bug bounty programs came from other industries, and even the government agencies are joining in on the trend. There are also banks and other financial services, the media, and even retail and e-commerce.
Responding to reported security issues are also getting faster, and it now takes around 6 days on average, while only last years, the number of days was 7. Also, retail and e-commerce organizations are fixing their security issues in about four weeks since their discoveries, which is pretty much the fastest average speed.
Hackers themselves are most interested in the programs that are the fastest when it comes to acknowledging, validating, as well as resolving reported vulnerabilities.
Now, when it comes to average bounty-related to crucial vulnerabilities, the price also went up. In 2015, it was $1,624 on average. Now, in 2017, it is around $1,923. That is a 16% increase. Some of the top performing bounty programs have awarded their hackers with $50,000 per month on average, while some go to the incredible $900,000 per year.
Still, even with the bounty programs becoming more and more popular, it is believed that up to 94% of top companies still aren’t working on fixing their vulnerabilities. Their vulnerability disclosure policies remain unchanged for years, with most of them remaining the same as they were in 2015.