HackerOne Paid More Than $300 Million In Rewards For Vulnerabilities

By ganerationlmn
Roznama Pakistan

Founded over a decade ago, HackerOne is a bug bounty platform that connects organizations with a community of ethical hackers who identify and report vulnerabilities and weaknesses in software in exchange for a reward.

Basically, it is a bug bounty hosting and disclosure coordination platform that allows companies to manage reports and resolve identified issues promptly while ensuring payments to researchers.

The company just released its 2023 Hacker-Powered Security Report, sharing insights into this year’s trends. The report mentions that its programs have awarded more than $300 million in rewards to ethical hackers and vulnerability researchers since the platform’s inception.

Thirty researchers have earned more than $1 million for their submissions, and one has broken the record, receiving more than $4 million for his bug reports.

This year, organizations took an average of 25.5 days to fix reported vulnerabilities, a 28% improvement over last year.

How much for a bug?

The company highlighted that crypto and blockchain entities continue to enjoy the most attention from researchers, driven by the promise of higher payouts. This year, the largest reward paid was $100,050 from a crypto company.

The average price of a bug on the platform is $500 and reaches $3,000 in the 90th percentile (top 10%). For critical and high-severity vulnerabilities, the average payout is $3,700 across all industries and goes up to $12,000 at the 90th percentile.

HackerOne says traditional bug hunting isn’t the only activity on the platform, with penetration testing engagements up 54% this year.

More than half of ethical hackers participating in HackerOne programs report using generative AI in some way, including writing better reports, writing code, and reducing language barriers.

61% of them report that they plan to use generative AI to find more vulnerabilities and 55% report that they expect AI tools themselves to become a major target in the coming years.

Bounty hunters are divided in predicting whether AI will lead to more secure software products or an increase in vulnerabilities.

Other opinions recorded in the report cover motivating and discouraging factors, with rewards playing the largest role (73%) in participation, followed by a high number of vulnerabilities (50%), opportunities to learn (45%), varied scope (46%) and quick payments (42%).

On the other hand, factors that drive researchers away from a program include slow response times (60%), limited reach (58%), poor communication (55%), low rewards (48%), and negative reviews (44%).
