
Ethical Hackers Land $300 Million in Bug Bounties


HackerOne, an ethical hacking bug bounty community, has awarded some $300 million to ethical hackers and researchers who help organizations resist cyberattacks since the platform’s launch a decade ago.

The platform connects organizations with a community of ethical hackers who identify and report bugs in exchange for a reward. HackerOne relies on the expertise of these hackers to discover assets, apply continuous assessment and improve processes for detecting the most critical security flaws across an organization’s attack surface.

To date, 30 hackers have earned more than $1 million on the platform, with one hacker surpassing the $4 million mark in total earnings. Crypto and blockchain organizations continue to see strong program engagement, offering the highest average overall rewards for hackers and awarding the year’s top payout of $100,050, HackerOne said.

Ethical Hackers Diversify into AI

According to the newly released 2023 Hacker-Powered Security Report, hackers are finding opportunities to earn more by diversifying their skill sets as emerging technologies, such as artificial intelligence (AI), reshape the threat landscape.

For example, according to the data, some 55% of hackers expect Generative AI (GenAI) to become a top target in the coming years. Customers also expanded how they use hackers beyond traditional bug bounty programs, as pentesting engagements on the platform increased by 54% in 2023.

Key findings from the report include:

  • 61% of hackers said they will use and develop hacking tools from GenAI to find more vulnerabilities.
  • 62% of hackers plan to specialize in the OWASP Top 10 for Large Language Models.
  • Hackers also said they plan to use GenAI to write better reports (66%) or code (53%) and reduce language barriers (33%).
  • Hackers reported insufficient in-house talent and expertise as the top challenge for organizations, and hackers are filling this gap: 70% of customers stated hacker efforts have helped them avoid a significant cyber incident.
  • 57% of HackerOne customers believe exploited vulnerabilities are the greatest threat to their organizations, over phishing (22%), insider threats (12%), and nation-state actors (10%).
  • Customers are getting faster at fixing vulnerabilities, as the average platform-wide remediation time dropped 10 days in 2023. Automotive, media and entertainment, and government verticals saw the biggest decrease in time to remediation with an over 50% improvement.
  • Organizations are reducing costs by embracing human-centered security testing earlier in their software development lifecycles, with customers saving an estimated $18,000 from security experts reviewing their code before release.

“Organizations are under pressure to adopt GenAI to stay ahead of competitors, which, in turn, is transforming the threat landscape. If you want to remain proactive about new threats, you need to learn from the experts in the trenches: hackers,” said Chris Evans, HackerOne chief information security officer and chief hacking officer. “The versatility of hackers and the impact of the vulnerabilities they surface make them instrumental to how our customers anticipate and address risk.”

The annual Hacker-Powered Security Report is based on data from HackerOne’s vulnerability database and gathers views from HackerOne customers and more than 2,000 hackers on the platform. It was compiled between June 2022 and September 2023.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.