"HackerOne Surpasses $230 Million in Paid Bug Bounties"

Bug bounty platform HackerOne recently reported that ethical hackers identified and reported more than 65,000 software vulnerabilities in 2022. The hacker-powered platform, which hosts bug bounty programs for both private and public organizations, including government agencies, has paid out a total of $230 million in bug bounties since its inception. HackerOne noted that, to date, 22 hackers submitting reports through the platform have each earned over $1 million in bounties, up from 12 in 2021.

HackerOne stated that reports for the vulnerability types typically introduced by digital transformation saw the most significant growth, with misconfigurations up 150% and improper authorization up 45%. The overall median time to remediation also increased, from 35 to 37 days. HackerOne found that aviation and aerospace companies were the slowest to patch, with a median time to remediate of 148.3 days, followed by medical technology organizations at 73.9 days. Cryptocurrency and blockchain firms were the fastest, at 11.6 days. According to HackerOne, organizations need to provide an effective way to report vulnerabilities: 50% of ethical hackers chose not to disclose security issues they had found because the affected organization had no vulnerability disclosure program, and another 12% were deterred by threatening legal language.

HackerOne noted that cross-site scripting (XSS) vulnerabilities earned ethical hackers the most money in 2022, followed by improper access control bugs and information disclosure flaws. Insecure direct object reference (IDOR) and improper authorization rounded out the top five. HackerOne also found that 95% of ethical hackers focus on finding vulnerabilities in websites, while 24% focus on cloud platforms.

HackerOne observed an overall 45% increase in the use of vulnerability disclosure programs, with organizations in the pharmaceutical sector registering the highest increase, at 700%. The automotive, telecommunications, and cryptocurrency and blockchain industries also registered growth in the use of vulnerability disclosure programs, at 400%, 156%, and 143% respectively.

SecurityWeek reports: "HackerOne Surpasses $230 Million in Paid Bug Bounties"