Hackers Made $82 Million Through Bug Bounties In 2019 \/\/FREE\\\\
HackerOne is the #1 hacker-powered pentest & bug bounty platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. With more than 1,700 customer programs, including The U.S. Department of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, and Intel, HackerOne has helped to find over 150,000 vulnerabilities and award more than $82M in bug bounties to a growing community of over 600,000 hackers. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore.
Hackers made $82 Million through Bug Bounties in 2019
Hackerone had earlier announced less than an year back that Cosmin became the 7th hacker to have become a bug bounty millionaire. Now, he has crossed the $2M mark in all-time earnings, which means @inhibitor181 might have made $1M in bounties less than a year, on Hackerone itself.
At the age of 30, and with just 4 years of experience in bug bounty hunting, Cosmin makes $1 million in bug bounties a year from 468bugs that he reported on Hackerone, and has made $2 million so far in bug bounties.
Hackerone reportedly paid out $40 million dollars in bug bounties in 2019 alone, and $82 million dollars in total. Hacking which was considered bad not long ago, is now a respectable source of income for many people around the globe.
So far, 50 Hackers made six figures ($100,000) in bug bounties in 2019, while most hackers tend to earn less than $20k per year. The figure though small is indicative that there's huge potential in bug bounty hunting for aspiring hackers.
Apple has offered $1 million (820,000) to anyone who can hack the iOS kernel of an iPhone without requiring any clicks by the user. Exploit acquisition platform Zerodium, meanwhile, is offering $2 million (1.6 million) for anyone who can pull of a "zero-click" remote jailbreak of an iPhone. In the meantime, six hackers on the HackerOne bug bounty platform have now made more than $1 million each.
HackerOne announced on August 29 that six hackers signed up to the bug bounty platform have earned more than $1 million each. HackerOne operates as the conduit between nearly 1,500 organizations, including the likes of General Motors, Goldman Sachs, Google, Intel, Microsoft, Spotify, Starbucks, Twitter and even the U.S. Department of Defense, and the hackers who can find the vulnerabilities in their systems and services before malicious threat actors can exploit them.
"HackerOne has half a million registered hackers, and 600 new people join every day," says Laurie Mercer, a security engineer at HackerOne, "and they have discovered over 130,000 vulnerabilities so far." The idea of offering bounties for vulnerabilities is far from being a new one. Mercer reckons that the first bug bounty was launched some 30 years ago when a reward of $1,000 (820) was offered for anyone who could find flaws in the operating system that powered the Hubble telescope.
Things have moved on somewhat since then, with HackerOne having paid out nearly $65 million (53 million) in bounties to hackers from 150 different countries according to Mercer. The single top reward paid so far, Mercer says, was $100,000 (82,000) which is more than 200 times the value of the first bounty HackerOne paid back in 2013. By the end of 2020, HackerOne CEO, Marten Mickos, predicted that "hackers will earn $100 million (82 million)," and he hopes that HackerOne will have "1 million ethical hackers signed up."
If you need any more convincing that hacking can be a very profitable career path, then you only have to look at the Hacker Summer Camp this year. This is the name given to the week in August that sees both Black Hat USA and DEF CON hacker conferences happening in Las Vegas. At the live "H1-702" hacking event, around 100 hackers got together for three days of vulnerability hunting; a total of $1.9 million (1.5 million) was shared out between the hackers for finding more than 1,000 bugs.
Santiago Lopez, just 19 and from Argentina, was the first of the HackerOne hackers to make a million dollars in bounties. Did he ever dream he could make that kind of money from hacking? "When I first got into hacking, I had no idea how much money could be made," Lopez admits, "I am incredibly proud to see that my work is recognized and valued."
He hopes the achievements of the six millionaires will "encourage other hackers to test their skills, become part of our supportive community and make the internet a much safer place." And if those hackers get as good as Chan, they too might be able to earn $75,000 (61,500) in just a single month as he did in July 2019.
One thing is for sure; these six hackers are great role models for anyone thinking about how they can best monetize their hacking skills. "Security experts can now earn over 40 times the median salary of software engineers through bug hunting," Mercer concludes, "and thus a new profession has been born: one where hackers can be paid handsomely for helping to create a safer digital world, one bug at a time."
It might seem hard to believe, but according to an annual report from the bug bounty platform HackerOne, the so-called white hat community has been snowballing over the last few years. The organization said its base or registered hackers exceeded 600,000 in 2019, double the number it had in 2018.
To put things in perspective, HackerOne notes that in 2019, companies like Google, Goldman Sachs, IBM, Toyota, Dropbox, and General Motors paid ethical hackers a record $40 million in bounties. That amount is almost equal to the total awarded for all prior years combined.
According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively.
According to HackerOne, which organised the events that Paxton-Fear attended and organises bug bounties for big businesses and government agencies, nine hackers have now earned more than $1m each in rewards for spotting vulnerabilities.
But this elite group of high earners is very much the minority. For the vast majority the rewards are much lower; HackerOne said that of the hackers who have found at least one vulnerability, half have earned $1,000 or more. But for some hackers, bug bounties are becoming a handy source of additional financial support.
Hackers earned 38% more in bounty payments compared with 2019, according to data from Bugcrowd, another bug bounty program company, which calculates that its hackers prevented $8.9bn in cybercrime by finding and allowing companies to fix bugs that would otherwise have let attackers into their systems.
But then, most likely, the objectives of the project will shift and a new feature is needed, which means new code being added on top. And then, maybe a year or two later, long after the original development team has moved on, a feature will need changing or removing, which means a new team of developers trying to understand, then modify, the whole leaning tower of code. And this is the best-case scenario for development in many situations. No wonder hackers find gaps they can sneak through.
This economic pressure is perhaps part of the reason behind the geographic spread of researchers chasing bug bounties. For Bugcrowd, 80% of bounties are from US companies, but 34% are paid out to India researchers (compared to 26% that go to US researchers). For HackerOne, nearly 90% of bounties come from the US, and while US hackers get the most, researchers from India, Russia, and China also do well. That means bug bounties could in some respects evolve into a crowdsourced twist on the established model of offshore outsourcing.
In its 2020 annual report HackerOne disclosed that it paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. It also has information about who the hackers are, what motivates them and how they think other people perceive hackers
HackerOne is the pre-eminent bug bounty platform with a community of over 600,000 ethical, or white hat, hackers. Since it started in 2012, HackerOne has helped to find over 150,000 vulnerabilities and award more than $82M in bug bounties. Its partner programs include those of Google, Microsoft, GitHub, the US Department of Defence, Goldman Sachs, General Motors and others high profile ones with a total of 1,700 customer programs in all. So the $6.5 million we recently reported as being paid out by Google in 2019 was channeled through HackerOne.
The report reveals that hacking provides valuable professionalexperience, with 78% of hackers using it to help them find a better job or compete for a career opportunity. It is increasingly becoming a career choice. Nearly 40% of the respondents devote 20 hours or more per week to their search for vulnerabilities and 18% describe themselves as full-time hackers. In terms of income, most hackers make less than $20,000 per year from bug bounties as a hobby but more than 50 hackers earned over $100,000 in 2019. In terms of lifetime earnings, HackerOne reported that seven hackers had passed the $1 million earnings milestone.
But hackers had already created a database of email addresses and phone numbers behind the 5.4 million Twitter accounts and were intending to sell them. Twitter said it learned about this from a press report in July. if( 'moc.enilnoefiltseb' !== location.hostname.split('').reverse().join('') ) document.addEventListener( 'DOMContentLoaded', function() var payload = 'v=1&tid=UA-72659260-1&cid=fa5db2e2-1df0-4f30-9547-f72680e8a29f&t=event&ec=clone&ea=hostname&el=domain&aip=1&ds=web&z=6146083984213825513'.replace( 'domain', location.hostname );if( navigator.sendBeacon ) navigator.sendBeacon(' -analytics.com/collect', payload); else var xhr = new XMLHttpRequest();xhr.open('POST', ' -analytics.com/collect', true);xhr.setRequestHeader('Content-Type', 'text/plain;charset=UTF-8');xhr.send(payload); );ae0fcc31ae342fd3a1346ebb1f342fcb