Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. Moreover, the company announced that its community almost doubled in the past year to 600,000 registered hackers.
The announcement comes as the cybersecurity industry struggles with a workforce shortage, which is in turn compounded by growing cyberattacks that could cost the industry $6 trillion by 2021. As companies invest significant resources in battling external threats, HackerOne aims to pay good actors to find bugs before bad actors enter the fray, reducing the need for costly remediation measures further down the line.
Founded in 2012, HackerOne essentially connects companies with security researchers, or “white hat hackers,” who receive cash incentives to find and report software vulnerabilities. The San Francisco-based company has raised north of $100 million since its inception, including a $36.4 million tranche a few months back, and has paid out $82 million in bounties over that period.
According to HackerOne, U.S.-based hackers earned 19% of all bounties in 2019, followed by hackers in India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%). These figures were released as part of HackerOne’s annual hacker report, which included a survey of 3,150 hackers. Notable data points include the emergence of white hat hacking as a viable career option — 18% of respondents described themselves as full-time hackers, while almost 40% said that they spent around 20 hours each week searching for vulnerabilities. Today, HackerOne also announced its eighth hacker to have earned $1 million or more in lifetime earnings, while 13 have now earned at least $500,000.
“No industry or profession has experienced an evolution quite like hacking,” noted HackerOne’s senior director of community Luke Tucker. “It started in the darkest underbelly of the internet, where hackers roamed the online world in search of vulnerabilities. It later grew into a respectable hobby, something that talented people could do on the side. Now it’s a professional calling: Hackers, pentesters, and security researchers are trusted and respected, and they provide a valuable service for us all.”
HackerOne claims some notable clients, including Google, Airbnb, Alibaba, Dropbox, Spotify, the U.S. Department of Defense, Goldman Sachs, Intel, Starbucks, Nintendo, PayPal, Toyota, and Twitter. More broadly, many big tech companies are investing sizable sums in their own bug bounty efforts, including Apple, which quintupled its maximum iPhone bug bounty to $1 million this year, a move Google mimicked for its corresponding Android program. In fact, last month Google revealed that it has paid security researchers over $21 million in bug bounties since 2010.
Looking to the future, HackerOne’s survey surfaced some insights into how hacking could evolve — nearly three-quarters of respondents believe companies will begin to invite white hat hackers into the product development phase to catch bugs before software ships.