Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights
For the fifth year in a row, HackerOne published a report that provides insights from the world’s largest database of vulnerabilities and bug bounty customer programs. Here are the top five findings:
- The adoption of ethical hacker programs is growing across all industries, with a 34% increase in total customer programs in 2021. The traditionally conservative industries of financial services and government continue to lead in the adoption of these testing programs, with a 62% increase in financial services programs and an 89% increase in government programs, led this year by the UK’s Ministry of Defence and Singapore’s GovTech agency.
- Hackers reported 21% more vulnerabilities in 2021 than in 2020. While traditional bug bounty saw a 10% increase in valid vulnerability reports, Vulnerability Disclosure Programs (VDPs) saw a 47% increase, and reports from hacker-powered pentests rose by 264%.
- The median price of a critical bug rose 20% from $2,500 in 2020 to $3,000 in 2021. The average bounty price for a critical bug rose by 13%, and by 30% for a high severity-rated bug.
- In the past year, the industry-wide median time to resolution fell by 19%, from 33 days to 26.7 days, with some industries, such as retail and e-commerce, seeing time to remediation drop by more than 50%.
- The number-one most discovered bug on HackerOne continues to be Cross Site Scripting, but other bug categories have seen a significant increase since 2020. Information Disclosure saw a 58% increase in valid reports and Business Logic Errors had a 67% increase, giving them a spot on the HackerOne Top 10 for the first time.
Join HackerOne’s new CISO, Chris Evans, to delve into the findings of the report at a free webinar where you’ll discover the fastest-growing vulnerability categories, how bounty prices are changing year over year, and which industries are fastest to fix. Read the full 2021 Hacker-Powered Security Report: Industry Insights here.