Up to 25 percent of valid vulnerabilities found in bug bounty programs are classified as being of high or critical severity.
Six hackers in total have each now pocketed more than $1 million from finding vulnerabilities in bug-bounty programs – including one from the U.S. That figure comes as more bug-bounty programs bump up their rewards due to participants finding more high-severity vulnerabilities in their platforms, according to a new HackerOne report.
In March 2019, HackerOne announced that 19-year-old Argentinian hacker Santiago Lopez (also known as @try_to_hack) was the world’s first hacker to earn $1 million with bug-bounty programs. Now, five more have joined the high-standing $1 million hacker ranks, including: Tommy DeVoss from the U.S., Mark Litchfield from the U.K., Nathaniel Wakelam from Australia, Frans Rosen from Sweden, and Ron Chan from Hong Kong.
DeVoss, whose bug-bounty contributions have included Verizon Media, the U.S. Department of Defense and a critical PayPal vulnerability that earned him $10,000 last year, is the first U.S.-based hacker to reach $1 million thus far in bounties: “Hitting that $1 million dollar milestone is a huge accomplishment and it feels amazing to know that the other five hackers and I have had such a huge impact. I hope our achievements will encourage other hackers to test their skills, become part of our supportive community and make the internet a much safer place,” he said in a media statement.
“I joined the wrong chat room when I was around 10 years old,” said DeVoss (also known as @dawgyg). “When I discovered bug-bounty programs about 20 years later, I was finally able to use my curiosity for breaking things and standing up for what I believe in the name of defending organizations I believe in.”
On top of the six who have each surpassed $1 million in lifetime earnings, seven other bounty hunters hit $500,000 in lifetime earnings, and more than 50 have earned $100,000 or more in the past year. That’s according to HackerOne in its 2019 Hacker-Powered Security Report, which examined the more than 120,000 vulnerabilities spotted for 1,400 bug bounty programs.
Overall, the report said, bounty hunters have earned $12 million over the past 12 months (and over $62 million in rewards overall) for finding vulnerabilities in platforms.
The average bounty paid for critical vulnerabilities increased 48 percent over last year’s average across all industries, from $2,281 to $3,384, with the most competitive programs today, such as Google, Microsoft, Apple and Intel, offering individual bounty awards as high as $1,500,000 for critical issues.