Bug bounties: More hackers are spotting vulnerabilities across web, mobile and IoT

Interest in bug bounty schemes on the up as remote working expands attack surface for vulnerabilities.
Written by Danny Palmer, Senior Writer

The number of hackers uncovering security vulnerabilities and submitting them to one of the best known bug bounty programs increased by almost two thirds over the course of the last year.

The 2021 Hacker Report from bug bounty platform HackerOne details the development of penetration testing and ethical hacking over the last 12 months and says that there's been a 63 percent increase in the number of hackers submitting vulnerabilities over the course of that period.

The goal of bug bounty schemes is to provide ethical hackers with a means of discovering and disclosing these vulnerabilities before cyber criminals can take advantage of them. Hackers earned $40 million from disclosing vulnerabilities to the HackerOne bug bounty program during the last year alone, up from $19 million in 2019.

While most of the people hunting for vulnerabilities focus on web applications, there's been an increase in those examining other potential flaws, with a large growth in the submission of vulnerabilities relating to Android, Internet of Things devices and APIs.

While the financial incentives of finding vulnerabilities do play a role in hacking – 76 percent of those surveyed by HackerOne said they do it to make money – 85 percent of those involved in bug bounty schemes say they take part in order to learn, while two thirds do it for fun.

"We're seeing huge growth in vulnerability submissions across all categories and an increase in hackers specialising across a wider variety of technologies," said HackerOne co-founder, Jobert Abma, who believes human ingenuity is still the best way to discover and disclose security vulnerabilities.

"Every time a hacker links several low-severity vulnerabilities together to help a customer avoid a breach, or finds a unique bypass to a software patch, it proves that machines will never truly outpace humankind," he said.