Cybersecurity: This is how much top hackers are earning from bug bounties

You might not make a million dollars, but hackers are making good money from reporting vulnerabilities.
Written by Steve Ranger, Global News Director

Can you get rich from reporting software bugs? For some, hunting down vulnerabilities in websites and apps is a challenge a bit like doing a crossword; for others it's a major source of income.

Paying hackers to search for flaws in software or services is becoming increasingly common; these 'bug bounty' programmes allow hackers to get paid for spotting problems, while organisations benefit from the ability to tighten their security by paying a few thousand dollars per bug.

HackerOne, which runs bug bounty programmes for organisations including the US Department of Defense and Google, has published new data about the number of vulnerabilities found by hackers signed up to its projects -- and how much they have been paid. To date, over 181,000 vulnerabilities have been reported, and over $100 million paid out to the hackers who have signed up to its service.


The company said that more than $44.75 million in bounties was awarded to hackers around the world over the past year -- an 86% year-on-year increase. The vast majority of that is awarded by organisations in the US.

Some bugs can bring in a decent reward: HackerOne said the average bounty paid for critical vulnerabilities increased to $3,650, up eight percent year-over-year, while the average amount paid per vulnerability is $979. Critical vulnerabilities make up around 8% of all reports, while high-severity reports account for 21%.

HackerOne said that "hacking has remained a consistent and stable source of income," for some signed-up hackers. Nearly nine out of ten are under 35 and one in five said that hacking is their only source of income.

Bug bounty millionaires

Nine individual hackers have now amassed $1 million in total bounty earnings via HackerOne in less than a decade, showing that bug bounty hunting can pay well for the elite. Over 200 hackers have earned more than $100,000, and 9,000 hackers have earned 'at least something'. Of the hackers who have found at least one vulnerability, half have earned $1,000 or more.

But even if many aren't making much money from bug hunting, the skills they are learning could be indirectly good for their careers; four out of five said they will use the skills and experience learned while hacking to help land a job.


The global coronavirus outbreak seems to have led to a surge in malicious attacks on organisations, but it has also prompted an increase in the number of hackers looking to help find and fix security flaws. HackerOne said that new hacker signups increased by 59% in the months following the start of the pandemic, while bug reports increased by 28% -- perhaps because many people were forced to stay at home, giving them more time for bug hunting.

But bug hunting for money might be getting harder. As organisations fix more vulnerabilities, average bounty values are increasing, which is a good thing for hunters. However, the remaining vulnerabilities also become more difficult to identify, requiring more skill and effort to discover.
