Can you get rich from reporting software bugs? For some, hunting down vulnerabilities in websites and apps is a challenge a bit like doing a crossword; for others it's a major source of income.

Paying hackers to search for flaws in software or services is becoming increasingly common; these 'bug bounty' programmes allow hackers to get paid for spotting problems, while organisations benefit from the ability to tighten their security by paying a few thousand dollars per bug.

HackerOne, which runs bug bounty programmes for organisations including the US Department of Defense and Google, has published new data about the number of vulnerabilities found by hackers signed up to its projects -- and how much they have been paid. To date, over 181,000 vulnerabilities have been reported, and over $100 million paid out to the hackers who have signed up to its service.

The company said that more than $44.75 million in bounties was awarded to hackers around the world over the past year -- an 86 percent year-on-year increase. The vast majority of that is awarded by organisations in the US.

Some bugs can bring in a decent reward: HackerOne said the average bounty paid for critical vulnerabilities increased to $3,650, up eight percent year-over-year, while the average amount paid per vulnerability is $979. Critical vulnerabilities make up around 8% of all reports, while high severity reports account for 21%.

HackerOne said that "hacking has remained a consistent and stable source of income," for some signed-up hackers. Nearly nine out of ten are under 35 and one in five said that hacking is their only source of income.

Nine individual hackers have now amassed $1 million in total bounty earnings via HackerOne in less than a decade, showing that bug bounty hunting can pay well for

Read more from our friends at ZDNet