Bug Bounty Boom: There Are Now Six Verified Hacker Millionaires

A new study released by HackerOne has some incredible insight into the hacking ecosystem, but one detail stands out: There are now six hacker millionaires.

In March, HackerOne verified a teen in Argentina as the first millionaire via its platform. Santiago Lopez is now joined by five others: Mark Litchfield (UK), Nathaniel Wakelam (Australia), Frans Rosen (Sweden), Ron Chan (Hong Kong), and Tommy DeVoss (U.S.).

HackerOne says the total awarded to hackers via its platform was $21 million in the past 12 months, up from $10 million the year prior. It also says the United States, India, and Russia dominate the earnings, raking in over 36 percent of the total dollar amount awarded to hackers. It credits a more open ecosystem for the massive boom in payouts, both collectively and for individuals.

“Bug bounties have given me opportunities I never could have predicted going into it,” Wakelam says. “When I first started, the industry was in its infancy. Only a handful of companies invited hackers to find and share vulnerabilities. Six years later, the space has changed dramatically. Bug bounties have given me the flexibility to work from anywhere in the world, forged connections with people within an industry that I respect, created a secondary income stream within my own life, and allowed me the opportunity to branch out and pursue other business ventures. I’m grateful to be one of the first people to make it to this milestone alongside my peers, and I urge anyone who is interested in pursuing this to recognize that the first step is starting – the opportunities are there if you want to take them.”

HackerOne says hackers report vulnerabilities every five minutes, on average. Every 60 seconds, organizations partner with hackers via its platform, leading to more than 1,000 hacker-company interactions daily.

The average payout for critical vulnerabilities has increased 48 percent year-over-year (YoY); HackerOne says a critical vulnerability solution can yield a hacker an average of $3,384. Its report also notes that government bug bounty programs have increased 214 percent YoY, followed by automotive (113 percent), telecommunications (91 percent), consumer goods (64 percent), and cryptocurrency/blockchain (64 percent).

Most bug bounty programs (79.5 percent) remain private. A private program requires an invitation from the company hosting it, but HackerOne says public bug bounty programs receive six times the interaction of private ones. Interestingly, the ratio of public to private bounty programs hasn’t changed.

(And if you think the public-versus-private argument doesn’t matter, remember Intel’s program was private, which is how Spectre and Meltdown went undetected for years. Intel’s bug bounty program is now public.)

There’s no reason to think bug bounties (or hacking in general) exist in a bubble, either. Companies are far more open and welcoming with regard to bounty programs, and platforms like HackerOne bring “hacking” out of the shadows.