Hacker Powered Security Report 2019 PDF
Executive Summary
Hacking is here for good, for the good of all of us. Half a million hackers have willingly signed up with HackerOne to help solve one of the greatest challenges our society faces today. We cannot prevent data breaches, reduce cyber crime, protect privacy or restore trust in society without pooling our defenses and asking for external help.

The positive power of the hacker community far exceeds the risks and the might of adversaries. To date, HackerOne has helped find and fix over 120,000 vulnerabilities for 1,400 client organizations, earning hackers more than $62 million in awards—nearly half of that in the past year alone. A quarter of valid vulnerabilities found are classified as being of high or critical severity. When a new bug bounty program is launched, in 77% of the cases, hackers find the first valid vulnerability in the first 24 hours. That is how fast security can improve when hackers are invited to contribute.

Yet the work is not done. It has barely begun. Each day we must fear the discovery of yet another giant data breach. The number and the magnitude of the breaches keep growing. At risk are financial institutions, healthcare organizations, e-commerce companies, big box stores, media companies and practically anyone relying on technology.

But some of the most recent breaches have one thing in common: they were detected, discovered and reported by good hackers.

Hackers are no longer anonymous guns-for-hire. They are being embraced by everyone from the insurance industry to government agencies. Hacker-powered security is today a given part of a mature and proactive security program.

It's not hard to see why. Businesses process more sensitive data and more personal information than ever before. Software development lifecycles are increasingly continuous. As companies work overtime to push code, criminals work overtime to find ways to break in. It feels impossible to scale security with product development. Innovation is outpacing traditional security measures.

Working with hackers allows you to provide security at the speed of innovation.

The number of hacker-powered security programs is rapidly growing all over the world. Latin America saw record growth of 41% over the previous year. The federal government sector grew an impressive 214%.
450K+ total registered hackers
120K+ total valid vulnerabilities submitted
$62M+ total bounties paid

The more than 450,000 hackers registered on HackerOne find vulnerabilities missed by traditional detection methods. These trusted hackers—90% of whom are under the age of 35—play a critical role in securing organizations large and small.

Security vulnerabilities are a fact of life. For this reason, technology unicorns, e-commerce conglomerates, governments around the world, and hospitality giants are competing to attract hackers who have one key advantage over traditional methods: they can think like an attacker.

The stories of these hackers are inspirational. They're an invaluable extension of the most trusted security teams, on a mission to find what others may have missed or could not see.

Hackers are the solution to the world's cybersecurity challenges. By investing in people, not just software, we will see the greatest outcome. It is our mission to empower the world to build a safer Internet. This report is a glimpse into how hackers and organizations are doing just that.
CONTENTS

Hacker-Powered Program Adoption and Bounties by Geography ... 9
Building a Global Community for a More Secure Tomorrow ... 11
The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types ... 19
Customer Spotlight: Goldman Sachs ... 20
Time to Resolution by Industry ... 21
Flip the Script, Think Like a Hacker ... 23
Bounty Trends: Severity ... 24
    Vulnerabilities by Severity ... 24
    Average Bounty Payout Per Industry for Critical Vulnerabilities ... 25
    Bounties by Severity ... 26
Customer Spotlight: PayPal ... 27
Bounty Trends: Top Awards ... 28
    Bounty Awards by Industry ... 29
5 Critical Components for Every VDP ... 35
Forbes Global 2000 Breakdown ... 36
Enabling Compliance with Hacker-Powered Penetration Tests ... 43
Cybersecurity Insurance: Reducing Risk with Hacker-Powered Security ... 44
Customer Spotlight: GitHub ... 45
Hacker Community Trends and Statistics ... 46
    Live Hacking Events ... 54
    Mentorship Program and Community Days ... 55
    Spotlight: Security@ Conference ... 56
History of Hacker-Powered Security ... 58
Closing Thoughts ... 63
Methodology & Sources ... 64
About HackerOne ... 65
TERMS

... creatively overcoming limitations.

Hacker-Powered Security: Any goal-oriented hacking technique that utilizes the external hacker community to find unknown security vulnerabilities and reduce cyber risk. Common examples include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs, hacker-powered penetration testing for compliance, and vulnerability disclosure policies. With hacker-powered security testing, organizations can identify high-value bugs faster with help from the results-driven ethical hacker community.

Hacker-Powered Penetration Test: A limited access program where select hackers apply a structured testing methodology and are rewarded for completing security checks.

Hacktivity: Hacker activity published on the HackerOne platform.

... hacker can participate in for a chance at a bounty reward.

Private Bug Bounty Program: A limited access program that select hackers are invited to participate in for a chance at a bounty reward.

Time-Bound Bug Bounty Challenge: A limited access program with a predetermined time frame where select hackers have a chance at earning a bounty award.

Vulnerability: Weakness of software, hardware or online service that can be exploited.

Vulnerability Disclosure Policy (VDP): An organization's formalized method for receiving vulnerability submissions from the outside world, sometimes referred to as "Responsible Disclosure." This often takes the form of a "security@" email address. The practice is outlined in the Department of Justice (DoJ) Framework for a Vulnerability Disclosure Program for Online Systems and defined in ISO standard 29147.
01  The average bounty paid for critical vulnerabilities increased to $3,384 in the past year. That's a 48% increase over last year's average of $2,281 and a 71% increase over the 2016 average of $1,977. Bounty values for less severe vulnerabilities are also rising, with the average platform-wide bounty increasing 65% from last year.

02  Federal Government had the strongest year-over-year industry growth at 214%, and last year saw the first launch of programs at the municipal level. This strong growth was followed by Automotive (113%), Telecommunications (91%), Consumer Goods (64%), and Cryptocurrency & Blockchain (64%). For the fifth year in a row, every industry increased its participation in the hacker-powered security market by adding net new programs.

03  The majority of bug bounty programs remain private at 79%, with little change from years prior. Public programs engage 6 times as many hackers from the Technology sector, with Internet & Online Services at 32% and Computer Software at 22%, followed by Cryptocurrency & Blockchain and Media & Entertainment tied at 9% each. 50 total programs advanced from private to public in the last year.

... programs increased 41% this year.

05  Six hackers surpassed $1 million in lifetime earnings, seven more hit $500,000 in lifetime earnings, and more than 50 earned $100,000 or more in the past year alone. Skilled and dedicated hackers have the potential to build a career and make a competitive living with the opportunities offered by hacker-powered security.

06  Globalization of hacker-powered security continues to increase. Several new countries entered the top 10 highest paying; hackers living in 19 countries earned more than $100,000 in total last year; and more organizations in more countries are hosting live hacking events. We've paid hackers from 112 countries, that's 57% of all the countries in the world. We've had hackers submit reports from 163 countries: that's 84% of all the countries in the world.

07  Hacker-powered pentests are on the rise as organizations use hackers to bring realistic simulations of real-world attacks to security testing. In a recent report, one organization detailed how hacker-powered pentests helped them eliminate $156,784 in total costs and save an additional $384,793 over three years by reducing internal security and application development efforts.
Organizations located in the U.S. paid 83% of all bounties to hackers around the globe, the same share as last year. Canada-based organizations remain in the second spot, while those in the U.K. are in third place, both maintaining their positions from last year. Israel and Belgium entered the top 10 highest paying countries for the first time.

Hackers are also continuing to earn more money no matter where they reside. In just the past year, more than 50 individual hackers earned $100,000 or more. And in the past few months, six hackers have surpassed $1 million in total bounties earned while another seven hackers exceeded $500,000 in total earnings. These top earners are just as global as the organizations seeking their help, hailing from Argentina, Australia, Belgium, Canada, Hong Kong, Sweden, and the U.S.

Hackers in the U.S. earned 19% of all bounties last year, with India (10%), Russia (6%), Canada (5%), and Germany (4%) rounding out the top five highest-earning countries. Hackers in Canada saw the most earnings growth with 148% more bounties earned versus 2017.

Prolific hackers reside in Egypt, Argentina, Sweden, and Thailand, each of which had hackers earning a combined 200% or more than in the previous year. Thailand hackers earned 467% more than they did in 2017.

[Figure: hacker-powered program adoption by region; labels recoverable from the page: Latin America 41%, North America 34%]
Countries where programs are located (bounties paid):
    United States: $19,579,930
    Canada: $536,439
    United Kingdom: $463,330
    Germany: $277,035
    Singapore: $273,850
    Russia: $268,530
    Switzerland: $161,635
    Israel: $115,660
    Belgium: $106,663
    Sweden: $104,960
    Other: $1,654,004

Countries where hackers receiving bounties are located (bounties earned):
    United States: $4,454,155
    India: $2,336,024
    Russia: $1,529,311
    Germany: $844,290
    Netherlands: $780,156
    Egypt: $749,766
    United Kingdom: $739,302
    China: $732,251
    Argentina: $718,026
    Other: $9,532,327

Figure 2: Visualization of the bounty flow by geography showing on the left where the companies paying bounties are located and on the right where hackers receiving bounties are located.
PUBLIC VS. PRIVATE

Bug bounty programs can be either public or private. Public bug bounty programs, like Starbucks, GitHub, and Airbnb, are open to everyone, while private programs require individual hackers to be invited or accepted through an application process to participate. Public programs are open to the widest range of hacker diversity and therefore produce superior results. On average, public programs engaged six times the number of hackers reporting valid vulnerabilities. That's nearly doubled from last year.

Similar to past years, private programs make up 79% of all bug bounty programs on HackerOne, whereas public programs make up the remaining 21%.

Most of the public bug bounty programs are run by technology companies, with Internet & Online Services accounting for 32% of all public programs, followed by Computer Software at 22%, and Cryptocurrency & Blockchain and Media & Entertainment tied at 9% each. Private programs are similarly distributed, led by Internet & Online Services at 27%, Computer Software at 21%, Financial Services & Insurance at 8%, and Media & Entertainment at 7%, and Computer Hardware and Retail & E-commerce tied at 5%.

Figure 4: Percentage of bug bounty programs that are public versus private as of 2018.
Technology companies still lead the pack with a combined 60% of all active bug bounty programs, with Internet & Online Services (28%) and Computer Software (21%) making up nearly half of the overall total. However, the rapid growth in non-technology industries puts Financial Services & Insurance (8%), Media & Entertainment (7%), and Cryptocurrency & Blockchain (5%) as the remainder of the top five industries in overall bug bounty program participation.

In Local Government, we are seeing a rise in security investments at the state and local level for the first time. Recent ransomware attacks have crippled operations across Texas, in Baltimore and Atlanta, and even rural areas, like Garfield County, Utah, Lake City, Florida, and La Porte County, Indiana, demonstrating that organizations of all sizes must enhance security measures.
[Figure 5: Distribution of existing programs and new programs launched by industry vertical. Bar chart with two series, "Share of total bug bounty programs" and "Share of new programs launched"; industry labels recoverable from the page include Financial Services & Insurance, Retail & E-commerce, and Federal Government.]

HACKERONE                                                                                                                                                  15
            Vulnerabilities by Industry
            As of May 2019, more than 123,000 unique valid vulnerabilities have been
            resolved on HackerOne, with 25% of those—30,541—resolved in the
            past year alone. Each one of these vulnerabilities represents a real-world
            risk that was safely mitigated. Without hacker-powered security, many of
            these critical vulnerabilities would still be at large.
            Why are these vulnerabilities growing in number? What are the most
            impactful vulnerabilities that may not be in the OWASP Top 10? What’s the
            top listing of vulnerabilities submitted by volume? Our analysis of the Top
            10 most impactful vulnerabilities sheds light on these questions and more.
Columns: Transp = Transportation; FinSvc = Financial Services & Insurance; FedGov = Federal Government; Health = Healthcare; Intrnt = Internet & Online Services; Media = Media & Entertainment; Retail = Retail & E-commerce; Telcom = Telecom; Travel = Travel & Hospitality.

Vulnerability type                       Transp  FinSvc  FedGov  Health  Intrnt  Media   Retail  Telcom  Travel
Cross-site scripting (XSS)                 50%     16%     16%     19%     22%     24%     18%     24%     36%
Information disclosure                     16%     10%     22%     17%     17%     12%     21%     21%     12%
Improper access control                     5%      6%      3%     10%      7%      7%      7%      9%      6%
Violation of secure design principles       2%     16%     19%      6%      6%      7%      6%      5%      5%
Improper authentication                     3%      4%      1%     11%      5%      7%      6%      4%      5%
Cross-site request forgery (CSRF)           2%      9%     10%      7%      5%      5%      5%      2%      3%
Open redirect                               3%      7%      5%      3%      5%      9%      6%      4%      5%
Business logic errors                       3%      5%      4%      3%      5%      7%      5%      2%      3%
Privilege escalation                        3%      2%      1%      4%      4%      2%      4%      2%      3%
Insecure direct object reference (IDOR)     3%      4%      2%      4%      4%      3%      3%      1%      7%
Server-side request forgery (SSRF)          1%      1%      1%      4%      3%      1%      1%      1%      1%
Code injection                              2%      1%      0%      1%      2%      2%      2%      2%      1%
SQL injection                               2%      2%      2%      3%      2%      2%      1%      6%      2%
Denial of service                           0%      2%      1%      0%      2%      2%      1%      2%      1%
Cryptographic                               0%      2%      2%      0%      1%      1%      1%      1%      1%

Figure 6: The top 15 vulnerability types platform-wide, and the percentage of vulnerabilities received per industry.
03  Less than half of this year's Top 10 overlap with the OWASP Top 10.

04  Highly impactful vulnerabilities, like SSRF, IDOR, and Privilege Escalation, are harder to find but continue to be the most valuable vulnerabilities based on bounties awarded.
CUSTOMER SPOTLIGHT
Goldman Sachs

Goldman Sachs just turned 150 years old. This global financial investment leader was built on [...] adapt to a frequently changing world.

In May 2018 Goldman Sachs became the first investment bank to launch a vulnerability disclosure policy. In the first year of their program, more than 23 vulnerabilities, each representing real world risk to their customers and data, were safely resolved.

Today, Goldman Sachs is working with hackers to identify vulnerabilities in their [...] loans. On average, their internal security team has resolved vulnerability reports within two months, and has responded to bug reports in as little as one minute, further resolving reports within one hour.

"... to researchers who report vulnerabilities is key to building relationships with them"
… by Industry

Public bug bounty programs receive their first vulnerability report within the first 24 hours in 77% of the cases. For the U.S. Army, it only took five minutes. Once a customer has confirmed the vulnerability is valid, they have the opportunity to reward the hacker and fix the issue. HackerOne tracks the time-to-vulnerability resolution for all programs. A speedy resolution not only helps to quickly protect the organization and its customers by eliminating the vulnerability, it also helps attract hackers to the customer’s program and is a key indicator of program health.

Our data demonstrates that the top performing programs on HackerOne (based on the HackerOne Success Index) attract not only more hackers but more repeat hackers. Repeat hackers are responsible for most resolved reports and bounties on the HackerOne platform. The more time a hacker spends looking at specific software, the more valuable the reports are likely to be. This indicates there is significant value in building hacker loyalty.

Looking at data across the HackerOne platform, the overall median time to resolution was 17 days, down from 22 days in the previous year. Consumer Goods was the fastest at resolving vulnerabilities in just two days. Rounding out the top 5 fastest were Cryptocurrency & Blockchain (seven days), Healthcare (11 days), Financial Services & Insurance (12 days), and Professional Services tied with Media & Entertainment (12 days).

Figure 6: Median number of days to resolution and reward over the past year.

Industry                            Median days to bounty   Median days to resolution
Education                                    2                      62
Aviation & Aerospace                        26                      57
Federal Government                           5                      55
Electronics & Semiconductor                 17                      25
Computer Hardware & Peripherals             17                      20
Telecom                                      3                      19
Computer Software                            6                      17
Automotive & Ground Transportation           4                      16
Local Government                            <1                      16
Travel & Hospitality                         6                      16
Internet & Online Services                   6                      16
Other                                        6                      14
Retail & E-commerce                          3                      13
Media & Entertainment                        8                      12
Professional Services                        2                      12
Financial Services & Insurance               4                      12
Healthcare                                   8                      11
Cryptocurrency & Blockchain                  2                       7
Energy & Utilities                           1                       2
Industries resolving issues more slowly are those in highly regulated
areas with complex software stacks and/or integrated supply
chains. At the other end of the speed spectrum are Education (62
days), Aviation & Aerospace (57 days), and Federal Government
(55 days).
The industry with the fastest median days to bounty payment was
Local Government (< one day). Consumer Goods, Professional
Services, and Education all had a median time-to-bounty of less
than two days. The industries with the slowest days to bounty
payment are Aviation & Aerospace (26 days), Electronics &
Semiconductor (17 days), and Computer Hardware (17 days).
All industries tend to pay hackers before issues are resolved (but
after they are validated), which reflects the value they see in the
hackers’ work. Hackers appreciate speedy award payments when
their work is done. More organizations are also starting to re-
engage hackers after an issue has been resolved, soliciting their
help to validate that a fix does indeed resolve the reported issue.
[Figure 8 stage labels, from the bug report upstream: <script>alert(1)</script>; XSSHunter; OWASP Anti-Samy Library; whitelist validation per input field; all input fields must have strict validation.]
Figure 8: A bug bounty lifecycle at Verizon Media, showing how a bug report can be worked upstream to impact every stage of software development. Graphic courtesy of Verizon Media’s The Paranoids.
PayPal

“The security team for PayPal’s digital payments platform is tasked with protecting …

“In addition to being able to work with a broader more diverse set of researchers, …
Bounty Trends: Top Awards

From 2012 through May 2019, organizations awarded hackers more than $51 million. Nearly half of that, $23.5 million, was awarded in the past year alone.

Enterprise businesses worldwide are eager to compensate hackers for their work. Apple, Google, Intel, Microsoft, and other leading organizations offer seven-figure awards for vulnerabilities. It’s not uncommon for even smaller companies to offer bounties in the tens of thousands of dollars for critical security vulnerabilities.

The highest bounty paid in the past year remains $100,000. Organizations in the Cryptocurrency & Blockchain, Media & Entertainment, Technology, and Telecommunications industries all awarded top bounties of $20,000 or more. Across all industries, 511 bounty awards in excess of $10,000 were paid over the past year. That’s up 340% from the 116 bounties of this size awarded in the previous year.

Figure 12: The top bounty awarded in the past year on the HackerOne platform by industry.

Industry                              Top bounty
Computer Software                     $100,000
Internet & Online Services             $57,500
Computer Hardware & Peripherals        $31,337
Cryptocurrency & Blockchain            $30,000
Media & Entertainment                  $25,000
Telecom                                $20,000
Automotive & Ground Transportation     $18,500
Electronics & Semiconductor            $15,000
Financial Services & Insurance         $15,000
Professional Services                  $15,000
Retail & E-commerce                    $10,000
Federal Government                      $6,772
Aviation & Aerospace                    $5,000
Consumer Goods                          $5,000
Education                               $4,000
Other                                   $4,000
Travel & Hospitality                    $4,000
Local Government                        $1,000
BOUNTY AWARDS BY INDUSTRY

Figure 13: The total bounties paid in the past year by each industry category on the HackerOne platform.

Industry                              Total bounties paid
Internet & Online Services            $10,310,304
Computer Software                      $5,300,953
Media & Entertainment                  $1,504,395
Cryptocurrency & Blockchain              $968,504
Financial Services & Insurance           $925,992
Retail & E-commerce                      $584,732
Computer Hardware                        $431,498
Automotive & Ground Transportation       $406,498
Electronics & Semiconductor              $387,141
Travel & Hospitality                     $323,826
Professional Services                    $274,975
Telecom                                  $206,448
Federal Government                       $151,533
Consumer Goods                           $150,650
Healthcare                               $148,673
Other                                    $127,875
Aviation & Aerospace                      $32,900
Education                                 $18,500
Local Government                          $13,150
CUSTOMER SPOTLIGHT
Dropbox

In April 2019, HackerOne kicked off Singapore’s first live hacking event (h1-65) with leading global collaboration platform Dropbox. Over the course of 8 hours, 39 … and share best practices, and the company launched their public bug bounty program in January 2015. Since then, the team has paid out more than $1 million in bounty … But for h1-65, they wanted to do something new. At this live hacking event, Dropbox opened up its core properties for testing, but also added newly-acquired HelloSign to the event’s scope. Dropbox firmly believes this progressive approach to hacker-powered security should be an industry standard. This comprehensive approach to security helps ensure increased product security as well as upstream security for products you integrate with.

“Dropbox invests heavily to build a security team comprised of the best talent in the industry,” says Rajan Kapoor, Director of Security at Dropbox. “Our HackerOne bug bounty program has one of the most permissive scopes in the industry. This allows us to work with security researchers to test the broadest attack surface possible. The impressive contributions from the community have made Dropbox, and the Internet as a whole, a safer place.”
PLATFORM AUTOMATION AND SMART ALGORITHMS

HackerOne’s set of crowdsourced vulnerability data results in unrivaled machine learning algorithms. In January 2018, we announced Human-Augmented Signal, which improves the signal of programs significantly and automatically. How does it work? Our system utilizes various criteria to automatically classify all incoming reports, and reports with potential noise are forwarded to HackerOne security analysts for review. This human-in-the-loop review guards against false positives and further trains our machine learning classifiers.

Figure 14: Signal-to-noise ratios on the HackerOne platform.

Year   Public programs                        Private programs
2017   26% noise, 47% nominal, 27% clear      11% noise, 40% nominal, 48% clear
2018   26% noise, 51% nominal, 23% clear      11% noise, 47% nominal, 42% clear

TRACKING HACKER SIGNAL

The HackerOne Platform allows you to privately invite a select group of hackers to test your platform in a safe and controlled manner. Hacker activity and productivity are tracked in three main ways: Reputation, Signal, and Impact. Signal measures average report validity, Impact measures average report severity, and Reputation is a cumulative measure of Signal and Impact. These scores can be used as a filter for determining which hackers are invited to your private programs or to serve as an initial method for evaluating incoming reports.
We’ve set a goal to reach 90% signal—a standard that hasn’t been
seen on any other platform in our industry. Currently, HackerOne
consistently maintains 81% signal platform-wide.
HackerOne makes it easy so you can spend more time resolving the vulnerabilities hard-working hackers identify. Here’s how it works:

01  You identify and select hackers based on their activity on other bounty programs, as well as their Signal, Impact, and Reputation scores. These scores track hacker activity and submission quality, resulting in an individual Reputation score. By looking for those who have experience on similar technologies, and who are high performers, you can narrow down your list of potential participants.

02  HackerOne helps you further narrow your list by finding hackers with the skills you need. Each hacker’s profile page contains their “Hacktivity,” which shows all of their previously resolved reports and includes their number of bugs found, thanks received, and badges earned. This offers a unique view into the skills and experience of each hacker and, if public, the details of the actual reports. Hackers can also add skills to their profile, which require them to submit relevant reports.

03  Your HackerOne Program Manager works with you to develop your program’s custom requirements, which might include a robust application process, and even background checks.

If you’re looking for even more scrutiny over potential participants, you need HackerOne Clear. HackerOne Clear hackers meet the strictest background and identity standards of the most demanding global organizations, such as the U.S. Department of Defense. Contact us to learn more.
Forbes Global 2000 Breakdown

3% of technology & software companies on the Forbes Global 2000 list have a channel for responsible vulnerability disclosure.

“To improve the security of their connected systems, every corporation should have a vulnerability disclosure policy that allows them to receive security submissions from the outside world.”
JEFF MASSIMILLA
Chief Product Cybersecurity Officer, General Motors

“Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us.”
CAPITAL ONE

SCOTT CRAWFORD
Research Director of Information Security, 451 Research

“We need to move to a world…where all companies providing internet services and devices adhere to a vulnerability disclosure policy.”
JULIAN KING
Security Union Commissioner, European Commission

“All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities. The U.S. Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises.”
ROD J. ROSENSTEIN
Former Deputy Attorney General, U.S. Department of Justice

“Manufacturers should also adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the vulnerability to the vulnerability submitter within a specified time frame.”
U.S. FOOD AND DRUG ADMINISTRATION
Postmarket Management of Cybersecurity in Medical Devices

NICK RITTER
VP Product Security, General Electric
Google Play

In October 2017, Google and HackerOne introduced the Google Play Security Reward Program, the first and only vulnerability rewards incentive program for an app …

“As the Android ecosystem evolves, we continue to invest in leading-edge ideas to strengthen security,” says Vineet Buch, former Director of Product …
Key legislative initiatives this year include the passage of the Secure Technology Act (H.R. 7327) and the National Defense Authorization Act for Fiscal Year 2020 (NDAA), which would require federal agencies to utilize VDPs and conduct security testing through crowdsourced platforms. The Hack Your State Department Act was also introduced in the U.S. Senate, requiring the agency to establish a VDP and a bug bounty program to identify and report vulnerabilities of Internet-facing information technology of the Department of State.

The National Institute of Standards and Technology (NIST) is also pioneering hacker-powered policies with their voluntary framework for managing risks related to cybersecurity. It’s designed to promote …

Internet of Things (IoT) security for consumer devices has also been a hot topic among lawmakers around the world. The U.K. government proposed new IoT security legislation that would better secure the hundreds of thousands of devices that consumers have connected to the Internet, including a requirement to establish a VDP. The U.S. Senate Homeland Security and Government Affairs Committee advanced the Internet of Things Cybersecurity Improvement Act to establish cybersecurity standards for federal devices that are connected to the internet, including the requirement of coordinated vulnerability disclosure.
            The government of Singapore remains a leader in hacker-
            powered security. In addition to programs run by their Ministry
            of Defense and Government Technology Agency, the Cyber
            Security Advisory Panel (CSAP) of the Monetary Authority of
            Singapore (MAS) recommended financial institutions adopt
            bug bounty programs as part of their cyber testing.
CUSTOMER SPOTLIGHT
GitHub

GitHub brings together the world’s largest community of developers to discover, share, and build better software. Their commitment to open source projects and …

… to its existing bug bounty program, which allowed the company to reach a new crowd of hackers. These new tactics empowered the community to earn an additional …

$62M+
Total Bounties Paid
Hacker Perceptions in America

In January 2019, HackerOne commissioned a survey, conducted online by The Harris Poll among over 2,000 U.S. adults to gauge their perception of hackers. The results, a portion of which are included below, are both encouraging and humbling. They represent part of an ongoing mission to redefine the term hacker in the likes of the Cambridge Dictionary, removing the unnecessary and incorrect association with criminality.

82%  of Americans believe hackers can help expose system weaknesses to improve security in future versions.

57%  Millennials (ages 18-34) are most likely to believe that hacking is a legitimate profession (57% vs. 31% of those ages 35+).

64%  of Americans think not all hackers act maliciously.

83%  More than 4 in 5 Americans believe hacking is an illegal activity.
            Hackers’ motivation to join is not solely centered around bounties. Nearly three times as
            many hackers (41%) begin hacking to learn and contribute to their career and personal
            growth, and nearly as many hack to have fun (13%) as those who do it for the money (14%).
            With each new company and government agency joining HackerOne every day—such as
            the Hyatt Hotels, Airbnb, GitHub, Starbucks, HBO, U.S. Department of Defense, General
            Motors, Alibaba, Goldman Sachs, Toyota and more—comes curiosity and a genuine desire
            to help the internet become more secure (9%).
Figure 15 (reasons hackers gave for hacking, as recovered from the chart):
To Be Challenged        13.5%
To Have Fun             13.5%
To Advance My Career    12.7%
To Help Others           8.3%
To Show Off              2.7%
Other                    1.5%

Figure 16
Figure 17: Median annual wage of a security engineer was derived from PayScale for each region. The multiplier is the top bounty earnings divided by the median annual wage of a software engineer.

Country                      Multiplier
Argentina                       40.6x
Thailand                        24.5x
Egypt                           24.2x
India                           17.6x
Hong Kong                        6.7x
United States of America         6.4x
Sweden                           6.3x
China                            6.2x
Algeria                          6.2x
Canada                           4.8x
Pakistan                         3.9x
Morocco                          3.8x
Latvia                           3.5x
Belgium                          3.1x
Philippines                      3.0x
Australia                        3.0x
New Zealand                      2.9x
Germany                          2.9x
Portugal                         2.9x
Hungary                          2.7x
Romania                          2.5x
Chile                            2.5x
Ethiopia                         2.5x
Indonesia                        2.4x
Netherlands                      2.2x
The Hacktivity feed remains a resource for hackers to learn from their peers. In total, over 6,200 reports have been disclosed on HackerOne's Hacktivity.

Hacker101 CTF (Capture The Flag) is a series of free hacking games based on real-world environments that challenge learners to break in and find the flags. Experienced and aspiring hackers can put their skills into practice on levels inspired by real-world security vulnerabilities. Flags are placed in various locations such as a file, a database, or source code. To complete the CTF, learners hunt down all the flags using the skills taught in the Hacker101 videos. With new levels added every month, there is always a new challenge waiting. Should students get stuck, the 6,500+ members of our online Discord discussion server are available 24/7. Organizations looking for security help recognize the value of Hacker101 training: finding flags in a CTF allows hackers to earn invitations directly to private bug bounty programs on HackerOne.

To celebrate $50M in bounties paid to hackers on the HackerOne platform as of April 2019, we announced our most advanced CTF ever, with challenges spanning mobile, crypto, and the web. Hackers had to first hunt down the "HackerOne Thermostat" app, break into the backend, find their way into the thermostat itself, and finally get into the accounting server to steal the flag. Hundreds of hackers participated, but only a select few made it all the way to the end. This was the first time we created a dedicated space, a channel on our Discord server, for participants to chat about one of our big CTFs. It was thrilling to watch thousands of messages fly back and forth, especially as hackers hit one of our favorite red herrings, a fake SQL parser. The results speak for themselves: we received many outstanding submissions and saw more creativity than ever before.

In 2018, hacker education got another boost with the introduction of Hackboxes: sandbox environments built from disclosed vulnerability reports on HackerOne's Hacktivity, where learners can test their skills against simulated real-world bugs. The five Hackbox environments were launched with the help of HackEDU and are available for anyone to test their hacking skills and see if they can replicate the bug that was originally discovered.
The first live hacking event was set up by Frans Rosen and Justin
Calmus in 2015. They invited friends that were in town attending
DEFCON to a suite at the MGM Grand in Las Vegas for eight solid
18 events; $2,000,000 highest amount paid out at a single event (H1-702, 2019).

Find out more about HackerOne community days and live hacking events and how to participate.

Live hacking event locations:
H1-514 MONTREAL
H1-3120 AMSTERDAM
H1-202 WASHINGTON DC
H1-65 SINGAPORE
H1-4420 LONDON
H1-212 NEW YORK
H1-91832 GOA
1983: The first known "bug" bounty program that paved the way for today's industry is launched by operating system company Hunter & Ready, Inc.

1988: In response to the first major computer virus, the Computer Emergency Response Team (CERT) coordination center is created to research software vulnerabilities.

1995: Netscape launches the first modern-day bug bounty program, offering monetary rewards for Netscape Navigator 2.0 Beta.

1998 | May: Seven members of Boston-based hacker think tank "L0pht" appear before a Senate committee and bluntly state that networks of computers and software are terribly insecure.

1999: Nomad Mobile Research Center (NMRC) publishes a bug disclosure policy stating their intent to verify problems and contact vendors with technical details.

2002 | February: Chris Wysopal and Steve Christey publish the Responsible Vulnerability Disclosure Process as an Internet Engineering Task Force draft.

2002 | August: iDefense's Vulnerability Contributor Program launches, rewarding researchers who find vulnerabilities in software systems.

2002 | August: Open Sourced Vulnerability Database (OSVDB) is launched to provide technical information on vulnerabilities.

2004 | August: Mozilla Foundation starts offering bug bounties of up to $500 for critical vulnerabilities found in Firefox and other Mozilla software.

2005 | July: Zero Day Initiative launches to connect security researchers with vendors and encourage the responsible reporting of zero-day vulnerabilities through financial incentives.

2007: The first PWN2OWN contest kicks off, igniting a competition to exploit Mac OS X within a limited time frame.

2009 | March: Alex Sotirov, Dino Dai Zovi, and Charlie Miller petition for "no more free bugs" at the CanSecWest conference.

2010: Google announces a bug bounty program for web applications, Mozilla expands its program to include web properties, and Microsoft announces its Coordinated Vulnerability Disclosure Policy.

2011 | April: Microsoft implements a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.

2011 | July: Facebook announces a bug bounty program with a $500 minimum reward for valid bugs.

2012: HackerOne is founded with the mission to empower the world to build a safer internet.

2013 | March: The Government of the Netherlands publishes its Guideline for responsible disclosure of IT vulnerabilities.

2013 | October: Microsoft offers its first bug bounty to identify bugs in Internet Explorer.

2013 | November: Facebook and Microsoft sponsor the creation of the Internet Bug Bounty (IBB) program for core internet infrastructure and free open source software.

2014 | January: Microsoft helps draft ISO/IEC 29147:2014, which provides guidelines for the disclosure of potential vulnerabilities in products and online services.

2014 | April: HackerOne launches Hacktivity, showcasing public vulnerability coordination activity occurring on the HackerOne platform.

2014 | July: Google creates Project Zero, a team of top security researchers working full-time to identify zero-day vulnerabilities in any software.
2015 | August: Oracle's security chief, Mary Ann Davidson, publishes a missive against the security research industry.

2015 | November: HackerOne launches Disclosure Assistance to help hackers report vulnerabilities safely to organizations without public disclosure programs.

2016 | January: European Union Agency for Network and Information Security (ENISA) publishes "Good Practice Guide on Vulnerability Disclosure" to propose recommendations for vulnerability disclosure.

2016 | April: Hack the Pentagon, the first Federal bug bounty program, launches.

2016 | May: Global Forum on Cyber Expertise announces that 29 organizations signed the "Coordinated Vulnerability Disclosure Manifesto" to showcase their public vulnerability reporting mechanisms.

2016 | August: HackerOne kicks off its first live hacking event in Las Vegas, H1-702, paying out over $150K in bounties in just 3 days.

2016 | November: The U.S. Department of Defense kicks off the first government VDP.

2016 | December: National Telecommunications and Information Administration (NTIA) Safety Working Group publishes v1.1 of "Coordinated Vulnerability Disclosure Template" as a guide for companies on security researcher disclosure best practices and policies.

2016 | December: Food and Drug Administration issues "Postmarket Management of Cybersecurity in Medical Devices" to inform industry and FDA staff of the Agency's recommendations for proactively managing cybersecurity vulnerabilities.

2017 | February: Federal Trade Commission provides comments on the NTIA's "Coordinated Vulnerability Disclosure Template," stating that "the template could be a useful tool for any company providing software-based products and services to consumers."
2017 | May: Hack the DHS, a bill to establish a bug bounty pilot program within the Department of Homeland Security, is proposed; in 2018 it passes the U.S. Senate by unanimous vote.

2017 | July: U.S. Department of Justice publishes "A Framework for a Vulnerability Disclosure Program for Online Systems."

2017 | August: Carnegie Mellon University's Software Engineering Institute publishes "The CERT® Guide to Coordinated Vulnerability Disclosure" to describe best practices for when vulnerabilities are discovered.

2017 | August: UC Berkeley class CS 194-138/294-138 opens to undergraduate and graduate level engineering students with a cybersecurity curriculum that uses bug bounty programs in coursework.

2017 | August: U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), introduce bipartisan legislation to improve the cybersecurity of Internet of Things (IoT) devices.

2017 | October: In remarks delivered at the Global Cybersecurity Summit, Deputy Attorney General Rod J. Rosenstein says "All companies should consider promulgating a vulnerability disclosure policy."

2018 | February: HackerOne and others testify before the U.S. Senate on the benefits and nature of hacker-powered security. Senators express their support for this vital form of cybersecurity.

2018 | April: The Hack Your State Department Act is proposed; it would require the Secretary of State to design and establish a VDP.

2018 | April: Facebook announces its Data Abuse Bounty, offering rewards for reports of data abuse.

2018 | May: Goldman Sachs becomes the first investment bank to launch a public VDP.

2018 | June: U.S. Representatives Mike Quigley (D-IL) and John Katko (R-NY) introduce "Hack the Election," the Prevent Election Hacking Act of 2018, to help combat the threat of election hacking in part by creating a bug bounty program.
2018 | September: U.S. General Services Administration, the first civilian agency to run a bug bounty program, selects HackerOne as its TTS bug bounty partner.

2018 | October: U.S. Department of Defense awards HackerOne its third Hack the Pentagon "crowdsourced security" contract.

2018 | October: The second annual dedicated hacker-powered security conference, Security@ 2018, takes place in San Francisco.

2019 | January: Hyatt becomes the first global hotel hospitality company to launch a public bug bounty program.

2019 | January: 19-year-old Santiago Lopez becomes the first bug bounty hacker to surpass $1,000,000 in bounty awards.

2019 | February: HackerOne opens a regional office in Singapore.

2019 | March: The HackerOne hacker community surpasses 300,000, with more than 600 hackers registering on any given day.

2019 | April: HackerOne exceeds $50,000,000 in bounties paid out to hackers.

2019 | May: An economic impact study finds crowdsourced penetration testing can deliver a 115% return on investment over three years.

2019 | June: HackerOne opens a regional office in France.

2019 | June: U.S. Senators introduce the Hack Your State Department Act, which would require a Vulnerability Disclosure Process and bug bounty program.

2019 | August: Capital One thanks a hacker for reporting unauthorized access through its responsible disclosure program.

2019 | August: Apple's bug bounty program raises its maximum payout to $1,000,000.

2019 | August: HackerOne sets a bug bounty record, awarding hackers $2,000,000 during a single live hacking event.