HackerOne's 2020 Top 10 public bug bounty programs

The HackerOne bug bounty platform reveals its most successful bug bounty programs.

HackerOne, a company that hosts bug bounty programs for some of the world's largest companies, published today its ranking of the Top 10 most successful programs hosted on its platform.

The ranking is based on the total amount of bounties awarded to hackers by each company, as of April 2020.

HackerOne's 2020 list is the second edition of this ranking, with the first published last year. The 2019 Top 10 ranking was: (1) Verizon Media, (2) Uber, (3) PayPal, (4) Shopify, (5) Twitter, (6) Intel, (7) Airbnb, (8) Ubiquiti Networks, (9) Valve, and (10) GitLab.

In 2020, there have been some shifts in the Top 10, but the leader remained the same, with Verizon Media retaining its position at the top and running the most successful bug bounty program on HackerOne.

1) Verizon Media

2019 rank: #1 (-)

Verizon Media is the unquestionable leader, running the most active and successful bug bounty program hosted on the HackerOne platform. The company more than doubled the amount of bounties awarded to security researchers, going from $4 million to more than $9.4 million this year, for a total of $5.4 million awarded in the span of a year.

Currently, Verizon Media ranks #1 in all-time bounties paid (over $9.4 million), #1 in hackers the company thanked (1,315), and #1 in most bug reports resolved (5,928). In addition, one of the Verizon Media bug bounty rewards also ranks in the Top 5 biggest payouts ever handed out on HackerOne, with a $70,000 award handed out to a lucky researcher.

2) PayPal

2019 rank: #3 (+1)

Despite running one of the most recent programs on HackerOne, registered merely in August 2018, PayPal has thoroughly established itself as one of the most active companies on the platform, paying out nearly $2.8 million over the past two years, and $1.62 million over the past year.

3) Uber

2019 rank: #2 (-1)

Since last year's ranking, Uber's security team has awarded $620,000 in bug bounties, bringing the company's total to $2,415,000 awarded on HackerOne since the program was set in motion in December 2014.

Currently, Uber's bug bounty program also ranks in the top 5 for most hackers thanked, most reports resolved, and highest bounty paid.

4) Intel

2019 rank: #6 (+2)

Intel went up two spots in the 2020 ranking after the company paid more than $1 million in bug bounties to researchers in the past 12 months.

While the sum has never been made public, Intel has also paid the highest bug bounty ever paid on the HackerOne platform, with the sum believed to be somewhere between $100,000 and $200,000 for a side-channel vulnerability impacting its CPU architectures.

5) Twitter

2019 rank: #5 (-)

With one of the oldest programs on HackerOne, launched in May 2014, Twitter has paid over $1,288,000 in bounties to security researchers, with $118,000 of these being distributed in the past 12 months.

6) GitLab

2019 rank: #10 (+4)

In 2020, code hosting platform GitLab went from #10 to #6 in one of the biggest jumps in this year's ranking. The company paid more than $641,000 in bug bounties to security researchers in the past 12 months, bringing its total payouts to $1,211,000.

The company also has one of the fastest response times on HackerOne, responding to new bug reports from security researchers within an hour, on average.

7) Mail.ru

2019 rank: #14 (+7)

A new entry in the HackerOne Top 10, Russian email service Mail.ru recorded the biggest jump in this year's rankings. The company paid more than $819,000 in bug bounties over the last 12 months to reach a total payout of $1,119,000 since registering on the platform in April 2014.

Currently, Mail.ru's bug bounty program also ranks in the top 5 for most hackers thanked (973 thanked hackers) and in the top 5 for most reports resolved (3,333 resolved reports).

8) GitHub

2019 rank: #11 (+3)

Another program that was very active over the past 12 months was GitHub. The company paid more than $467,000 to security researchers for bugs reported over the last 12 months, bringing its program totals to $987,000 since its launch in April 2016.

9) Valve

2019 rank: #9 (-)

Valve kept its place in the Top 10 this year, remaining in the #9 position. In the last 12 months, the company paid an additional $381,000 in bounties to bug hunters, raising its total to $951,000 since launching its program on HackerOne in October 2017.

10) Airbnb

2019 rank: #7 (-3)

Although Airbnb awarded more than $344,000 in bug bounties in the last 12 months, this wasn't enough for the company to keep its #7 spot from last year. In 2020, the company ranked #10 after awarding more than $944,000 in bug bounties since February 2015.
