$100 million in bounties paid by HackerOne to ethical hackers


Bug bounty platform HackerOne announced today that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020.

Since it started delivering vulnerability reports to its customers, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities, according to the company's CEO Mårten Mickos.

Over 700,000 ethical hackers are now using the bug bounty platform to get paid for security bugs in the products of more than 1,900 HackerOne customers.

"It is impossible to know exactly how many cyber breaches have thereby been averted but we can estimate that it is thousands or perhaps over ten thousand," Mickos said.

"With the average cost of breach somewhere around $8 million, the savings are in the tens of billions."

$50 million paid in a single year

As seen in the chart below, the total amount of rewards paid to hackers grew from $10 million between 2014 and 2016, to $30 million between 2017 and 2019, and reached $50 million between Q2 2019 and Q2 2020. 

12% of hackers using HackerOne to report security vulnerabilities make over $20,000 each year from bug bounties alone, while 1.1% get rewards worth more than $350,000 annually and 3% are paid over $100,000 per year.

"[I]t took five years to get to $20 Million in bounties paid, a figure we reached in Q3 2017 (see chart)," HackerOne says.

"Since then, things have really taken off, with the next $80 Million taking only three years. We recently had our best week ever — $2.4 Million in bounties paid in just six days."

https://www.bleepstatic.com/images/news/u/1109292/2020/HackerOne%20paid%20$100M%20to%20hackers.jpg
Source: HackerOne

Eight white-hat hackers became millionaires

According to a survey from two years ago of 1,700 bug bounty hunters enrolled on HackerOne's platform, top hackers earn on average 2.7 times more money in rewards than a software engineer's average salary in the same country.

In August 2019, HackerOne also announced that eight of the hackers using its platform have become millionaires, with 19-year-old Santiago Lopez (@try_to_hack) being the first one to go over $1 million in earnings in March 2019.

"Now, Mark Litchfield (@mlitchfield) from the U.K., Nathaniel Wakelam (@nnwakelam) from Australia, Frans Rosen (@fransrosen) from Sweden, Ron Chan (@ngalog) from Hong Kong, and Tommy DeVoss (@dawgyg) from the U.S. joined the $1M hacker ranks by hacking for improved internet security," HackerOne said at the time.

Cosmin (@inhibitor181) from Germany and Eric (@todayisnew) are the seventh and eighth HackerOne millionaires announced earlier this year, on February 24th and February 24th, respectively.

"As a result of their creativity and tenacity, we predict hackers will have earned $1 billion in bug bounties within five years, protecting companies and governments alike from persistent and ephemeral threats," the company's CEO added.

Update: Added info on @inhibitor181 and @todayisnew.