HackerOne aims to pay bug bounty hunters $100 million by 2020

The bug bounty platform predicts that 200,000 vulnerabilities will have been fixed by the same year.
Written by Charlie Osborne, Contributing Writer

HackerOne believes that by 2020, ethical hackers will have earned themselves $100 million in bug bounties through the platform.

In recent years, bug bounty schemes have become a popular method for companies to find the talent needed to discover and fix security flaws in their platforms and products.

With so many companies clamoring to gain the attention of a limited pool of skilled security professionals and enthusiasts, credit alone for finding an issue is not always enough of a lure.

Bug bounties, however, are a way to dangle the financial carrot while still issuing credit where credit is due, and they open up a line of communication between ethical hackers and companies.

To plug the gap between companies which had no established bug bounty systems in place and researchers who wanted to be paid for their efforts, HackerOne has gained quite a following, with hundreds of companies using the service to run their own programs -- and some using interesting tactics to keep the ball rolling.

Uber, for example, uses a virtual treasure map to help hackers uncover vulnerabilities and runs a loyalty program to keep researchers keen, while Shopify and GitHub boosted payouts this year for extra coverage. In addition, Zenefits sponsored an event at Black Hat this year that offered double bounties to those attending the conference in Vegas.

In a blog post on Wednesday, HackerOne CEO Marten Mickos outlined the success of these programs so far, through which over 50,000 vulnerabilities have been found and fixed.

There are over 100,000 hackers registered with HackerOne, and over $20 million has been paid so far in bounties. By 2020, the company predicts that $100 million will be issued in rewards for resolving 200,000 bugs, and potentially over one million hackers will be registered with the program.

While difficult to predict, Mickos estimates that 16,000 of these vulnerabilities will be critical issues.

"Let's further assume that every 10th of those critical vulnerabilities could have led to a data breach or costly security incident if left unfixed," the executive says. "Knowing that the average cost of a data breach is $7 million in the US, we can estimate a total saving of around $10 billion dollars."

According to HackerOne, some of the most successful hackers on the platform are earning more than 18 times the salary of an average software engineer in their home countries, and with such financial rewards to be had, the success of such programs is likely to continue.

"The bounties hackers are awarded for their contributions to a safer internet are changing lives," Mickos says. "They are paying for education, supporting their families, buying homes and cars, and building a future that may not have been possible otherwise."

"Through the relationships with security teams, hackers are starting new careers and building fantastic skills and resumes. The future is brighter when we work together," he added.
