The Hacker-Powered Security Report 2018
“Crowdsourced security testing is rapidly approaching critical mass, and ongoing adoption and uptake by buyers is expected to be rapid…” — Gartner Emerging Technology Analysis: Bug Bounties and Crowdsourced Security Testing published June 2018
The Hacker-Powered Security Report 2018 is the most comprehensive report on the bug bounty and vulnerability disclosure ecosystem. It includes analysis of 78,275 security vulnerability reports that ethical hackers submitted to more than 1,000 programs through HackerOne over the past year.
Hackers are finding more severe vulnerabilities, which is driving increased bounty awards. Twenty-four percent of resolved vulnerabilities are classified as high or critical severity. False positives are becoming a relic of the past: signal is 80 percent platform-wide, meaning 80 percent of submitted reports are valid.
The opportunities and challenges are greater than ever before. As hacker-powered security approaches critical mass, read the full report to learn more about best practices of starting and running effective disclosure and bug bounty programs, and get to know some of the stories and stats about the hackers themselves.
Here’s a quick review of some of the statistics you’ll find in the report:
- Over $31M has been awarded to hackers as of June 2018 with $11.7M awarded in 2017 alone.
- A total of 116 unique bug reports earned bounties of more than $10,000 in the past year, and the average amount paid for critical issues rose to over $2,000. Organizations are now offering as much as $250,000.
- Governments are leading the way with a 125 percent increase year over year. New public programs, including the European Commission and the Ministry of Defense Singapore, among others, have joined the U.S. Department of Defense on HackerOne.
- Global adoption continues, and Latin America is seeing the largest uptake of vulnerability disclosure policies and bug bounty programs, with an increase of 143 percent year over year.
- 93 percent of the companies on the Forbes Global 2000 list do not have a policy to receive, respond to, and resolve critical bug reports submitted by the outside world.
- Less than 5% of hackers learn their skills in the classroom — hackers want more education.
History of Hacker-Powered Security
It’s not just organizations like Goldman Sachs, Toyota, Schneider Electric and others that are recognizing the need for and value of hacker-powered security. Legislators are taking notice and taking action: introducing bills like Hack the DHS and Hack the State Department, and inviting expert testimony. In February 2018, HackerOne joined other industry leaders in testifying before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security.
The report includes an exhaustive list of events relevant to the industry dating back to 1983 in “The History of Hacker-Powered Security” section.
Trends in Hacker Education
Less than 5% of hackers learn their skills in the classroom — hackers want more education. They want to learn from each other and explore creative solutions to tough problems. Hackers from over 100 countries have been paid for their research through HackerOne programs, and some are making 16.7 times what they would otherwise earn as a security engineer in their home country.
Read about how diverse organizations are tapping into the power of the community through hacker-powered security in our customer spotlights sprinkled throughout the report.
Download your copy of The Hacker-Powered Security Report 2018 today.
Originally published at https://www.hackerone.com/blog/Hacker-Powered-Security-Report-2018.