Seven hackers have now made a million dollars each from bug bounties, says HackerOne

The bug bounty platform doubled in size in just a year. Its new report shows that ethical hacking is becoming a lucrative pastime.
Written by Daphne Leprince-Ringuet, Contributor

Hacking is growing, but in some cases, that's no bad thing. That's the main take-away from the annual report on the state of ethical hacking published by bug bounty platform HackerOne. As of 2020, the organization can boast a base of 600,000 white hat hackers; a community twice as big as the previous year, which altogether cashed in a record $40 million in bounties in the past 12 months. 

HackerOne, which connects companies to ethical hackers who will hunt down security flaws in exchange for money, said that the money earned in bounties this year was almost equal to the entire amount awarded in all prior years combined. 

High-profile organizations – which according to the report include General Motors, Google, Goldman Sachs, Toyota and IBM – are understandably interested in making sure that HackerOne's security researchers dig out the vulnerabilities in their products and services before malicious hackers do.

Since launching in 2012, companies have paid the platform's ethical hackers a grand total of $82 million in return for their successful detection of over 150,000 vulnerabilities.


Individual cash prizes are getting larger, too. In 2018, HackerOne saw the very first hacker receive a $1 million bounty; last year, seven hackers passed that amount in total earnings. What's more, the number of hackers who have earned $100,000 almost tripled since 2018, reaching 146. "That puts the potential earnings power of a hacking career well above today's global average IT salary of $89,732," reads the report.

So who exactly is dishing out the money? Although private companies are increasingly getting involved, the report highlighted that federal governments are most keen to use the skills of white hat hackers. 

"Governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity," said HackerOne, noting a 214% year-on-year growth in demand from public organizations.

The US Department of Defense, in particular, runs programs in partnership with HackerOne, dubbed "Hack the Pentagon", "Hack the Army" and "Hack the Air Force". The European Commission has also teamed up with the ethical hacking platform and has launched various bug bounty programs as part of its Free and Open Source Software Auditing (FOSSA) project.

Organizations in the US paid almost $30 million in bug bounties, contributing the largest chunk of the awards.

Image: HackerOne

The increasing interest in ethical hackers comes as industries face a significant and fast-growing security skills shortage. As HackerOne's report stressed, the unemployment rate for trained cybersecurity personnel is 0%, suggesting that the demand for workers in this profession is acute, and matched by insufficient supply.

A recent study, in fact, showed that there are nearly three million people working in cybersecurity worldwide, and that we will need another four million to fill current and future security jobs. 

Part of the problem lies in the lack of formal training for security experts: for example, there are no A-levels or GCSEs in security. The report published by HackerOne reflects this vacuum. An overwhelming 84% of white hat hackers surveyed said that they learnt their craft through online resources and self-directed educational materials. "Hacker training continues to take place outside of the traditional classroom," reads the research. 


With cyberattacks increasing in number and in scope, however, it is likely that public and private organizations will continue using the services of white hat hackers. It is estimated that cybercrime will cost the world $6 trillion annually by 2021, thus becoming more profitable than the global trade of all major illegal drugs combined.

Although HackerOne has seen its user base and bug bounty awards boom, the platform said that many organizations are unaware of the benefits of ethical hacking. Nearly two-thirds of security researchers surveyed said they had not disclosed some of the bugs they discovered, in some cases because the organization offered no channel through which findings could be reported.

The vast majority (93%) of Forbes 2000 companies have no easy means of reporting potential security issues, according to the report. HackerOne therefore recommends implementing a Vulnerability Disclosure Policy (VDP) to give white hat hackers a simple way to report flaws. As it notes: "If you see something, say something."
