Feb 28, 2020

Bug bounty programs explode in popularity—with money


HackerOne, the world’s largest bug bounty platform, released its 2020 Hacker Report detailing the growth of the hacker community over the last year using data from its community of 600,000 developers.

Lots of hackers are making lots of money. The number of developers on the HackerOne platform doubled over the last year. Companies are signing up, too: HackerOne now boasts more than 1,700 customer programs.

Developers earned nearly $40M in bounties in 2019—almost as much as all preceding years combined. So far, seven hackers have passed $1M in lifetime earnings. Not bad.

Want to become a hacker? Many are self-taught, learning in their spare time. About 84% of developers said they learned hacking techniques through online resources and self-directed materials, and nearly 60% of developers hack as a hobby or in their free time.

Those skills can be put to use elsewhere. Within the HackerOne community, 78% of hackers acknowledged using their hacking experience to help them find or better compete for a career opportunity.

Governments are actually leading the way. Government-led hacker-powered security programs grew 214% over the last year. HackerOne launched 22 programs with governments in North America, Asia and Europe in 2019 alone, and 36 altogether since 2016.

In the US, the Department of Defense has been a leader in bug bounty programs, partnering with HackerOne to help run Hack the Pentagon, Hack the Army, and Hack the Air Force.

Still, not all bugs get reported. Almost two-thirds (63%) of hackers say they’ve found bugs and not reported them—a result of threatening legal language, complicated reporting processes, and unresponsive companies. HackerOne shows that the world is beginning to embrace developer-led bounty programs, but much work is left to be done.
