Posted on March 11, 2021 at 1:21 PM
A recent report by bug bounty platform HackerOne revealed that the number of ethical hackers discovering and submitting vulnerabilities has increased over the past 12 months. The report also stated that some of them are becoming millionaires through their efforts to uncover vulnerabilities for companies.
HackerOne made this revelation in its 2021 Hacker Report. According to the platform, there has been a 63% increase in the number of hackers who submitted vulnerabilities within the past 12 months.
The bug bounty program gives ethical hackers a platform to discover vulnerabilities within systems and servers before threat actors find and exploit them. HackerOne also revealed that ethical hackers earned a whopping $40 million last year through various vulnerability discoveries. This is an increase of $19 million over the previous year.
Hackers have more time due to COVID-19
HackerOne gave some details of their earnings, pointing out that nine of the more active hackers earned over $1 million each after reporting their findings to the affected organizations.
The platform also suggested that the COVID-19 pandemic gave the hackers ample time to pursue bounty programs, most of whom had previously been hunting bugs part-time.
HackerOne commissioned a survey which revealed that 38% of the participants had spent more time on bounty programs since the pandemic broke out.
Many of the participants have day jobs in their respective organizations, and they come from dozens of different countries such as China, Argentina, the USA, Egypt, and Nigeria.
Since 2018, the number of ethical hackers has increased by 143%, which shows that security teams and hackers are increasingly working together to manage cyber threats.
The pandemic has also given rise to more cyberattacks on institutions and organizations, as threat actors take advantage of employees working from home.
For instance, as more enterprises move to the cloud, the incidence of misconfiguration bugs increased by 310%, reflecting how attacks have increased during the pandemic.
Bugs reported across 20 different bug categories
The HackerOne report also revealed that the top hackers were reporting vulnerabilities across 20 different bug categories. There is presently a 53% increase in reports in both the privilege escalation and improper access control categories.
HackerOne co-founder Jobert Abma commented on the report by stating that the platform has seen an increased level of activity by participants.
“This year’s Hacker Report demonstrates the depth of vulnerability insights that hackers bring to a security program,” he added.
Abma also revealed that the platform is seeing steady growth in the number of less technical vulnerabilities that are easily discovered and fixed. The platform has also seen an increased number of creative hackers who are trying to discover new attack vectors.
It also shows that humans still have the edge over machines: hackers can chain together several low-severity vulnerabilities to help an organization avoid a breach.
The report also revealed a clear decrease in the number of hackers who could not report a vulnerability because of unclear reporting processes. This is an improvement on the 2020 Hacker Report, which showed that nearly 70% of hackers had discovered vulnerabilities but did not report them. According to HackerOne, the platform has given hackers a clearer legal framework and the opportunity to carry out a vulnerability check and report findings, enabling a quick fix before threat actors discover them.
Abundant motivation available for hackers
Hackers are also more motivated to carry on with their bug-hunting activities than in the past. The HackerOne survey revealed that its community of ethical hackers is highly motivated both by learning opportunities and by the financial rewards of bounties.
In March 2019, Santiago Lopez, a 19-year-old Argentine hacker, became the first hacker millionaire from the HackerOne bounty program. Six months later, five more hackers joined him in the millionaires’ club.
Last year, another hacker surpassed the $1 million mark after earning over $2 million from bounties received from several vulnerability discoveries.
Bounty programs are now booming, as almost all top organizations have some form of program for vulnerability discovery. Some organizations have even gone as far as putting hackers on a lucrative permanent payroll to keep them motivated and focused on their tasks.
Despite the large amounts spent on bounty payments, many organizations still find it cheaper and safer than dealing with cyber criminals who discover the vulnerabilities first.