Companies have shown they are willing to pay for any flaw that might be considered critical. Some have paid up to $30,000 for a single vulnerability in their systems, and the going rate for finding such flaws is still rising.
Bug bounty programs are still used by only a limited number of companies to harden their security. But, as usual, the larger companies that can afford these substantial payouts have recognized the potential and the benefits of doing so.
HackerOne’s data shows that some of the biggest companies pay up to $900,000 per year to hackers capable of finding flaws. Since bug bounties first appeared, an estimated $17 million has been paid to hackers, who in turn reported over 50,000 system flaws. Companies known for working with hackers this way include GitHub, Airbnb, and even the Department of Defense.
Doing the math, a single critical flaw earns around $1,923 on average. However, it was also reported that in the last year, 88 bug bounties each paid over $10,000. The top reward reached $30,000, and that was not even at the top companies. Corporate giants like Microsoft or Apple have offered rewards of $100,000.
The majority of companies, around two-thirds of them, are willing to pay between $1,000 and $15,000 per bug. However, that applies only to vulnerabilities rated as critical, since these systems are so full of holes that paying for every bug would drive a company bankrupt in no time.
Still, as vulnerabilities are found and fixed, they become rarer. This, in turn, pushes the rewards higher and higher so that hackers still feel encouraged to search for flaws. Google is a good example: over the course of five years, its rewards for Chrome flaws went from $5,000 to $100,000.
More than 17% of hackers say that their entire income comes from bug bounties. Another 26% say that bug hunting makes up the majority, though not all, of their income. And nine out of ten of these hackers were younger than 34.
According to the statistics, the fastest payouts come from the hospitality and travel industry: hackers usually receive payment about 18 days after reporting a bug. The food and beverage industry usually follows close behind.
Government agencies take over 60 days to make the payment, and among companies, it mostly depends on the company itself. Only one in five pays as soon as the bug is confirmed. Of the rest, half pay after the fix has been released, and the other half have no fixed rule on when they pay.
The majority of bug bounties are run by tech companies. However, governments have lately been showing more and more interest as well, and banks, financial services, entertainment, and even retail companies are joining in.
The most common type of flaw reported is XSS (cross-site scripting). For banks, the most common issue is improper authentication.
There are many different programs that use outside hackers to find flaws in a company’s systems. Some are private, with only a handful of handpicked hackers invited to participate. Others are open for only a short time, but the majority are large and remain open for an extended period.