A bug bounty is a monetary award given to a hacker who finds and reports a valid security weakness to an organisation so it can be safely resolved.
“Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said Litchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra money along the way and make the internet a much safer place for people.”
Ethical hackers’ road to riches has been accelerated by the fact that bug bounty payments for vulnerabilities have increased by 65% on average in the past year, driven by the fact that 25% of all resolved vulnerabilities in the past year have been classified as high to critical severity.
The most competitive bug bounty programmes, such as those run by Google, Microsoft, Apple and Intel, offer individual awards as high as $1.5m for critical issues.
All six millionaire hackers have been reporting vulnerabilities through bug bounty programmes run by HackerOne, a hacker-powered pentesting and bug bounty platform that is supported by six of the top 10 banks in North America.
In total, HackerOne members have earned $21m in the past year, an increase of $10m, or 90%, on the previous year.
The news is underscored by findings published today in HackerOne’s 2019 Security report, which demonstrates the momentum in the industry.
According to the report, more than 123,000 unique valid vulnerabilities have been resolved through the platform to date, with 25% of those – 30,541 – resolved in the past year alone, which equates to a hacker reporting a vulnerability every five minutes.
Every 60 seconds, a hacker partners with an organisation on HackerOne, resulting in more than 1,000 interactions a day with hackers and companies or governments.
According to the report, hacker-powered pen tests have helped one organisation eliminate $156,784 in total costs and save a further $384,793 over three years by reducing internal security and application development efforts.
But despite the success of the HackerOne programmes, Katie Moussouris, bug bounty pioneer and CEO of Luta Security, believes that although targeted bug bounties have a role to play in cyber security, they are not a “silver bullet”, and run the risk of wiping out talent pipelines if poorly implemented, by providing incentives for people with cyber security skills to work outside organisations in pursuit of bounties.
Organisations located in the US paid 83% of all bounties to hackers around the globe – the same share as last year. Canada-based organisations remain in second place, while those in the UK are third, both maintaining their positions from last year.