
One Year in HackerOne’s Bug Bounty Program – Source: www.hackerone.com


Hackers submitted a record number of vulnerability reports to HackerOne's own bug bounty program in 2022, according to the company's analysis of the program. The data, covering February 2022 to February 2023, shows several trends in how the program performed over the year.

Bounty submissions rose 89% in 2022 compared with the previous year, reflecting growing hacker interest in finding and reporting vulnerabilities against the platform. Submissions dipped slightly over the holiday season in November and December, then rebounded in January 2023 with a 66% increase in reports.

Bounty payments set a program record in 2022: $163,134 paid across 56 findings, an average of $2,862 per rewarded report. June was the busiest month, with over $61,000 paid out against 143 reports, 29 of which were rated critical or high severity.

Response speed was highlighted as a key success factor for the program. On average, a report was triaged within two days and fixed within a month, with the fix target depending on severity. Because the aim was to pay hackers as soon as possible after triage rather than after the fix, the average time from report to bounty was nine days.
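The metrics cited above (time to triage, time from triage to bounty, time to fix by severity) are the standard health indicators for a bounty program. The following added example, which is not HackerOne's code and uses constructed sample reports and assumed SLA targets, shows how to compute those averages from a report log and how to flag reports that are outside their SLA, including reports that are still open or still awaiting triage:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed per-severity SLA targets in days, chosen for this example;
# they are not HackerOne's published targets.
TRIAGE_SLA_DAYS = 5
FIX_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Reference date used for reports that are still open (assumed).
AS_OF = datetime(2022, 7, 20)


@dataclass
class Report:
    """Lifecycle timestamps of one bounty report; None means that state was not reached yet."""
    report_id: str
    severity: str
    submitted: datetime
    triaged: Optional[datetime] = None
    bounty_paid: Optional[datetime] = None
    resolved: Optional[datetime] = None


def days_between(start: datetime, end: datetime) -> float:
    return (end - start) / timedelta(days=1)


def response_metrics(reports: List[Report]) -> Dict[str, float]:
    """Average days to triage, triage to bounty, and triage to fix, over reports that reached each state."""
    triage = [days_between(r.submitted, r.triaged) for r in reports if r.triaged]
    bounty = [days_between(r.triaged, r.bounty_paid)
              for r in reports if r.triaged and r.bounty_paid]
    fix = [days_between(r.triaged, r.resolved)
           for r in reports if r.triaged and r.resolved]
    return {
        "mean_days_to_triage": mean(triage) if triage else 0.0,
        "mean_days_triage_to_bounty": mean(bounty) if bounty else 0.0,
        "mean_days_triage_to_fix": mean(fix) if fix else 0.0,
        "max_days_triage_to_fix": max(fix) if fix else 0.0,
    }


def sla_breaches(reports: List[Report], as_of: datetime) -> List[Tuple[str, str, float]]:
    """Return (report_id, stage, age_in_days) for every report outside its SLA as of `as_of`.

    Untriaged reports are measured against the triage SLA from submission; triaged
    reports are measured against the severity fix SLA from triage, using the
    resolution date if fixed and `as_of` if still open.
    """
    breaches = []
    for r in reports:
        if r.triaged is None:
            age = days_between(r.submitted, as_of)
            if age > TRIAGE_SLA_DAYS:
                breaches.append((r.report_id, "triage", round(age, 1)))
            continue
        if r.severity not in FIX_SLA_DAYS:
            raise ValueError(f"{r.report_id}: unknown severity {r.severity!r}")
        age = days_between(r.triaged, r.resolved or as_of)
        if age > FIX_SLA_DAYS[r.severity]:
            breaches.append((r.report_id, "fix", round(age, 1)))
    return breaches


def sample_reports() -> List[Report]:
    """Constructed sample data, not real HackerOne reports."""
    d = datetime
    return [
        Report("R-1", "critical", d(2022, 6, 1), d(2022, 6, 2), d(2022, 6, 8), d(2022, 6, 7)),
        Report("R-2", "high", d(2022, 6, 3), d(2022, 6, 6), d(2022, 6, 18), d(2022, 7, 10)),
        Report("R-3", "medium", d(2022, 6, 10), d(2022, 6, 12), d(2022, 6, 21), None),
        Report("R-4", "low", d(2022, 6, 15)),  # still awaiting triage
    ]


if __name__ == "__main__":
    reports = sample_reports()
    for name, value in response_metrics(reports).items():
        print(f"{name}: {value:.1f}")
    for report_id, stage, age in sla_breaches(reports, AS_OF):
        print(f"{report_id}: {stage} SLA exceeded ({age} days)")
```

Measuring bounty time from triage rather than from resolution is what keeps payout time short while fixes take longer; the breach list surfaces the open reports that averages alone would hide.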

The top participating hackers in the program were acknowledged for their significant contributions to platform security. Individuals like Haxta4ok00, mikkocarreon, cache-money, whhackersbr, and fuzzsqlb0f were specifically recognized for their efforts in identifying and reporting vulnerabilities.

The analysis also identified what was driving vulnerability reports, with acquisitions and third-party software flaws emerging as the main challenges. The period immediately after an acquisition was identified as high risk, because newly inherited products and integrations often introduced vulnerabilities that had to be addressed quickly. Working with third-party suppliers to fix vulnerabilities found in their technology was another area of focus.

Engineering played a crucial role in addressing security challenges, with a focus on securing products and assets from the ground up. Engineers were actively involved in quarterly security training courses and collaborated closely with security teams to integrate security measures into the product development process. The program also encouraged internal team members to contribute findings, further enhancing the security posture of the platform.

Looking ahead to 2023, the program aimed to prioritize incentivizing hackers to discover critical vulnerabilities by offering dynamic bounty payouts based on submissions. Iterating on the triage process and setting clear guidelines for what qualifies as a vulnerability were identified as key focus areas for the coming year. Experimentation and learning from the bug bounty program were highlighted as crucial elements in enhancing the effectiveness and impact of the program.

Overall, the analysis of HackerOne’s bug bounty program in 2022 revealed a strong performance in terms of vulnerability reporting, bounty payments, and response times. By addressing key challenges such as acquisitions, third-party vulnerabilities, and internal engineering practices, the program demonstrated a proactive approach to platform security and a commitment to continuous improvement.
