luke

Key Findings From The Hacker-Powered Security Report: Bounty Payments Are Increasing (4 of 6)

Key Findings From The Hacker-Powered Security Report: Bounty Payments Are Increasing (4 of 6)

<Note: This is the fourth in a six-part series expanding on the “key findings” of the Hacker-Powered Security Report 2017. Based on data gathered from over 800 hacker-powered security programs, plus surveys of both those managing the programs and the participating hackers, the report provides striking new insights to help more organizations understand and implement hacker-powered security.>

As mentioned in our last post of this series, when hackers provide value, they appreciate thoughtful engagement with the organization they’re helping. You know what else hackers appreciate? Same thing we all appreciate: money! Cha-ching!

Of course, in the world of hacker-powered security, money means bounties. And them bounties, they are a rising.

Hacker-Powered Security Report Key Finding #4: bounty payments are increasing.

The Hacker-Powered Security Report found that the average bounty paid to hackers for a critical vulnerability was $1,923 in 2017. That’s compared to $1,624 in 2015, which is an increase of 16 percent.

As you can imagine, money talks. Better hackers — those with more experience and in-demand skills — go where the money is, and that means organizations that pay more generally get access to the best talent. The report found that top performing bug bounty programs award hackers an average of $50,000 a month, with some paying nearly $900,000 a year.

Of course, bounties also increase in value as attack surfaces become hardened and the lower severity bugs are identified and resolved. With hacker-powered security becoming popular in more and more industries, many organizations have been running bounty programs for three, four, five, or more years. That means most of their “easier” (e.g smaller bounty) bugs have already been resolved.

The report also found that most “new” bug bounty programs will pay average or below average bounties when they first launch. As an organization fixes more vulnerabilities and their attack surface hardens, bounty payouts increase over time. In most cases, critical vulnerabilities are harder to find in an organization that pays $30,000 on average, than in an organization that pays $1,000 on average.

Offering competitive bounty awards is ultimately the best way to attract top hackers, according to the report. Better hackers can find more bugs of higher severity in less time. In the last year, several tech companies awarded $30,000 bounties for critical bugs, while organizations across gaming, ecommerce and retail, and media and entertainment awarded $20,000 bounties for critical bugs. In total, over the past 12 months, there were 88 awarded bounties over $10,000.

or more data on bounty payments, even by industry, download the Hacker-Powered Security Report.

Check back next week for our dive into the Hacker-Powered Security Report’s number five key finding: a glaring lack of vulnerability disclosure policies!


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report