Hackers earned nearly $45 million from bounties in the last 12 months

In popular culture, hackers are often associated with bad guys. However, just as there are criminal hackers, there are ethical hackers who help organizations find security vulnerabilities. According to data acquired by Atlas VPN, ethical hackers collectively earned $44,754,742 from bug bounties in the last 12 months.

The numbers are based on HackerOne’s 4th Annual Hacker-Powered Security Report, which looks at data from May 2019 up to April 2020. Companies that have bug bounty programs listed there include such big names as Google, PayPal, AT&T, Costa Coffee, Line Corporation, and many more.

Over the last year, hackers reported 60,000 valid vulnerabilities and collected $44,754,742 in bug bounty winnings. Hackers received $979 on average per single vulnerability.

The United States remains the top payer of bounties, rewarding hackers $39,125,265 in the past year. Rewards paid by US organizations alone account for 87% of the total amount of bounties paid.

Up next is Russia, which granted $887,236 in bounty rewards to hackers. Bonuses awarded by Russian companies make up 2% of the total bounty prizes awarded to hackers.

Organizations from the UK round out the top 3, with $559,251 paid to hackers as bounty rewards. Bounty rewards distributed by UK companies amount to a little over 1% of the total amount of bounties paid in the past 12 months.

Four countries paid bounties for the very first time over the last year: Luxembourg, the Dominican Republic, South Africa, and Samoa.

When it comes to the hackers themselves, US hackers are leading the way. Together, US hackers earned $7,204,299, which accounts for 16% of the total amount of bounty winnings distributed over the last 12 months.

Chinese hackers come in second, commanding $5,355,683. Bounty rewards received by Chinese hackers make up nearly 12% of all bounties paid in the past year.

Chinese hackers are closely followed by Indian hackers, who netted $4,401,251 in bounty winnings. Rewards collected by Indian hackers constitute close to one-tenth of the total amount of bug bounty rewards paid from May 2019 to April 2020.

Other regions with hackers who collected over $1 million in bounty rewards include Russia ($3,083,973), Germany ($1,920,452), Canada ($1,653,313), United Kingdom ($1,430,886), France ($1,223,231), and Hong Kong ($1,040,347).

Hackers from Benin, Comoros, Costa Rica, Gambia, Luxembourg, Malta, Oman, Paraguay, Senegal, the State of Palestine, Uganda, and Venezuela received rewards for the first time in the past year.

Technology companies paid the biggest share of bug bounty rewards

There is a huge discrepancy between the amounts of bug bounty rewards paid by different industries. The two highest-paying industries are the computer software and internet service sectors, while the two lowest-paying are the local government and healthcare sectors.

Companies in the computer software industry distributed the biggest share of bounty awards to hackers in the past 12 months. In total, such companies paid out $16,263,982 in bounty awards, which makes up more than 36% of the total awards paid.

Next up are companies in the internet and online service industry, which distributed $16,079,195 in bounty rewards to hackers over the past 12 months. Bounty rewards paid by organizations in the internet and online service sector also account for nearly 36% of the total bounties awarded in the past year.

Companies in the telecommunication industry occupy the third spot. Together they distributed $2,497,042 in bounty rewards, accounting for close to 6% of the total winnings from May 2019 to April 2020.

Other industries paying more than $1 million in bounties to hackers include financial and insurance services ($2,286,351), media and entertainment ($1,826,974), as well as retail and eCommerce ($1,004,045).


Alex T.

