At $30,000 for a flaw, bug bounties are big and getting bigger

Hackers can make a full time living from spotting holes in software and claiming a payout.
Written by Steve Ranger, Global News Director

Hackers are being paid as much as $30,000 for finding a single critical flaw in a company's systems, and the amount companies are willing to pay is increasing.

While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems.

According to data from HackerOne, a company which sets up bug bounty programmes for businesses, the biggest spending companies are now paying out nearly $900,000 a year to people who report bugs.

The data comes from bug bounty and vulnerability disclosure programmes run by HackerOne for companies such as Airbnb, GitHub and the Department of Defense - in total accounting for 50,000 security vulnerabilities spotted and more than $17m in bounties awarded since it launched.

Spotting a critical vulnerability will earn $1,923 on average, but the company said that in the past 12 months, 88 individual bug bounty rewards were over $10,000 each, with the top rewards in its programmes reaching $30,000. Companies like Apple and Microsoft also have their own bug bounty programmes, which can go as high as $100,000.

About two-thirds of companies pay around $1,000 on average for critical vulnerabilities, although a few outliers will pay $15,000 or more. That's possibly because bug bounty programmes pay lower bounties when they launch -- simply because the average company will have so many holes in its security to fill.

But as an organization fixes more vulnerabilities, flaws become harder to spot and so bounties rise to encourage hackers to keep looking: for example, Google has steadily increased its top bounty for Chrome from $3,000 to $100,000 over the course of more than five years.

A survey by HackerOne last year found that 17 percent of the 600 hackers it spoke to said they relied solely on bug bounty programs for their income, while another 26 percent said that between 76 percent and 100 percent of their income comes from bug bounty programs. Nine out of ten were under 34.

Travel and hospitality are the quickest payers, handing over the money 18 days after the report is submitted, on average, followed by food and beverage (19 days). Unsurprisingly, government agencies, at 61 days, are the slowest to pay up. Companies also pay at different stages: around one in five pay when the vulnerability is validated, while half pay when a vulnerability is fixed and the others decide on a case-by-case basis.

Nearly two-thirds of bug bounty programmes are run by tech companies, but there is growing interest from government agencies, media and entertainment, financial services and banking, and retail. However, only around six percent of the top publicly-traded companies have public vulnerability disclosure policies.

HackerOne said that cross-site scripting (XSS) was the most common vulnerability type discovered by hackers using its platform. For financial services and banking, the most common vulnerability was improper authentication.

Programmes using the skills of outside hackers to help companies fix their security can take a number of forms, from the basics of having a vulnerability disclosure policy, which often takes the form of a "security@" email address, through to public bug bounty programmes that any hacker can have a go at. There are also private bug bounty programs, which are open only to a few key hackers, and time-bound bug bounties, which are open to invited hackers for only a short period of time.
