Bug Bounty payouts increase six percent
The average payout price for critical vulnerabilities are up six percent and average $2,041 compared to the previous year. HackerOne's 2018 Hacker-Powered Security Report, published Wednesday looked at data derived from the HackerOne community between May 2017 and April 2018. In the report the company also revealed a total of 116 bug reports that were filed across all sectors of its program and worth over $10,000 each last year, a 30 percent jump from 2016. HackerOne stated that bounty program run by government agencies had the largest average bounty payout for critical vulnerabilities at $3,492. The travel and hospitality sectors paid out the least for a critical vulnerability, at $668. Medium severity vulnerabilities are still the most commonly reported as part of bug bounty programs, with 39 percent of all reported bugs in 2018 being medium, only 6 percent were rated critical.
Hackers have earned $31 million from bug bounty payouts overall. According to HackerOne, the top earning hackers made almost three times the median salary of a software engineer in their home country, with some making up to 16 times. Governments are leading the way with the Hack the Pentagon program, which was first launched in 2016. The U.S. Department of Defense has received over 5,000 reports since the launch of their vulnerability disclosure policy. The government has also launched three more bug bounty challenges in the same model as Hack The Pentagon, including the Hack the DTS challenge launched in April. Beyond the U.S., the Singapore Ministry of Defense and the EU Commission also launched public programs.
Valid reports hit an all-time high as program signal becomes a primary program performance metric. The fear of program noise such as informative or duplicate submissions, is a relic of the past across hacker powered programs. With a platform wide signal of 80%, the resources required to run a hacker powered program were reduced in 2018. Adoption of of vulnerability disclosure policies are increasing at enterprises, overall, there has been a 54 percent annual increase in new Enterprise VDP program launches. This includes organizations like Goldman Sachs, Toyota, and American Express, who launched VDPs in 2018. Companies still have a ways to go, the adoption of the Forbes 2000 only marginally improved. Today, 93% of the Forbes 2000 still don't have a public facing VDP.