A total of 116 bug reports worth more than $10,000 were paid out in the past year, with some organizations offering as much as $250,000 to hackers who uncover so-called “critical vulnerabilities,” according to The Hacker-Powered Security Report 2018, issued by bug-bounty firm HackerOne.
As of June, more than $31 million had been awarded to hackers so far this year. That’s almost three times the $11.7 million given in all of 2017, according to the report.
“Today we see that relying on compliance, checking boxes and purchasing the latest security products only gets you so far. A scanner can’t find a vulnerability it doesn’t know exists. Creative intellectual humans do that. Hackers do that,” according to HackerOne.
Bug bounty competitions within the federal government have proliferated since 2016’s high-profile “Hack the Pentagon” effort, which offered researchers rewards for uncovering digital defects in the Pentagon’s public websites.
Hack the Pentagon spawned similar efforts within the U.S. Army and Air Force and has prompted lawmakers to introduce various measures that would establish competitions at the Homeland Security, State and Justice departments.
The Defense Department also launched a vulnerability disclosure portal that has uncovered thousands digital weak spots.
The HackerOne report found that Latin America saw the biggest uptick in vulnerability disclosure policies and bug bounty programs in the last year, with an increase of 143 percent, according to the analysis.