HackerOne Reports Bug Bounties Rise as XSS Remains the Top Flaw

The average bug bounty paid for a critical vulnerability in now $1,923, though there is significant variability across industries.

HackerOne Bug Bounties

Bug bounty platform vendor HackerOne published its 28-page 2017 Hacker-Powered Security report today, providing insight into the current state of the bug bounty marketplace. Among the top-line findings in the report is that the average bug bounty paid for a critical vulnerability in now $1,923.

Through the bug bounty platform, vendors benefit from HackerOne's community of researchers that look for security vulnerabilities and are rewarded financially when they report them. 

While the average bounty for a critical vulnerability in 2017 is $1,923, there is a high-degree of industry variability in the top amounts paid out by vendors. The top bounty awards on the HackerOne platform is $30,000 which is paid by technology vendors. In contrast, the top bounty award from healthcare vendors is only $3,000.

Looking at the average bounty per industry for critical vulnerabilities however presents a different viewpoint. The transportation industry pays out the highest average bounty for a critical vulnerability at $4,491, while the average in the technology industry is $2,015. Healthcare is near the bottom of the list at $643 while Education is last at $317.

Going beyond simply getting researchers to report vulnerabilities, HackerOne also tracks the time to resolution for reported vulnerabilities. From January 2016 to May 2017, the average time it took vendors to fix reported flaws across the HackerOne platform varied by industry. The most responsive industry was e-commerce and retail businesses which resolved vulnerabilities in an average of 31 days. In the technology industry, the average time to resolution was 36 days, while in government the average was significantly longer at 90 days.

Looking at the specific vulnerabilities that researchers are finding across the HackerOne Platform, Cross Site Scripting (XSS) tops the list at 26 percent of reported issues. As to why XSS is the most often reported bug, Alex Rice, CTO and founder of HackerOne said that part of it is due to lack of understanding during the software development cycle.

"When we make things accessible to the internet and allow user input, vulnerabilities like XSS can occur," Rice told eWEEK. "With XSS the attack vector is any user input field anywhere on a website."

Rice said that developers still aren't deploying the right counter-measures and controls to limit the risk of XSS. One of the strongest defenses against XSS according to Rice is Content Security Policy (CSP), which is a browser feature that can help to enforce same origin browser policies.

The second most common software vulnerability found across the HackerOne platform are improper authentication issues, which account for 12 percent of bug reports. Rice explained that the types of issues that are categorized as improper authentication include invalid login forms and other types of mis-configured authentication objects.

"The solutions to improper authentication issues are diverse," Rice said. "Traditional security scanners don't easily find all authentication errors, so it's an area that really benefits from human examination by real researchers."


While security researchers are finding vulnerabilities that are being fixed by HackerOne's customers, the new report doesn't provide any direct insight into how bug bounty activity impacts data breaches.

"I don't think we have enough visibility into breaches to be able to answer if there have been a reduction in breaches from organizations that have bug bounty programs," Rice said. "Organizations that run bug bounty programs end up with fewer un-resolved vulnerabilities, so you can reason that they would likely end up with fewer breaches as well."

Though HackerOne is continuing to grow its platform, there are still many companies that do not have a bug bounty or vulnerability disclosure program in place. Rice commented that the simple reality is that vulnerabilities are going to be found and organizations need to have mature ways of handling them. 

"It's still shocking to far too many executives at large organizations that they are not able to resolve all vulnerabilities on their own," Rice said. "They continue to believe that it's a problem they can figure out by hiring the right staff with the right skills and that's just completely unrealistic."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.