As far back as 2015, major companies like Sony and Intel have sought to crowdsource efforts to secure their systems and applications through the San Francisco startup HackerOne. Through the "bug bounty" programs offered by the company, hackers once viewed as a nuisance — or worse, as criminals — can identify security vulnerabilities and get paid for their work.
On Tuesday, HackerOne published a wealth of anonymized data to emphasize not only the breadth of its own program but to highlight the leading types of bugs discovered by its virtual army of hackers who've reaped financial rewards through the program. Some $29 million has been paid out so far for the top 10 most rewarded types of security weakness alone, according to the company.
HackerOne markets the bounty program as a means to safely mimic an authentic kind of real-world threat. "It's one of the best defenses you can have against what you're really protecting against," said Miju Han, HackerOne's director of product management. "There are a lot of security tools out there that have theoretical risks — and we definitely endorse those tools as well. But what we really have in bug bounty programs is a real-world security risk."
[Photo: A laptop on a table during the Chaos Communication Congress, an annual hacker conference held in Germany. Photo: Jens Schlueter / Getty]
The program, of course, has its own limitations. Participants have the ability to define the scope of engagement and in some cases — as with the U.S. Defense Department, a "hackable target" — place limits on which systems and methods are authorized under the program. Malicious hackers and foreign adversaries are, of course, not bound by such rules.
"Bug bounties can be a helpful tool if you've already invested in your own security prevention and detection," said Katie Moussouris, CEO of Luta Security, "in terms of secure development if you produce code, or secure vulnerability management if your organization is mostly just trying to keep up with patching existing infrastructure."
"It isn't suited to replace your own prevention cadence, nor can it replace penetration testing," she said.
[Graphic: HackerOne]
Not surprisingly, HackerOne's data shows that cross-site scripting (XSS) attacks — in which malicious scripts are injected into otherwise trusted sites — remain overwhelmingly the top vulnerability reported through the program. Of the top 10 types of bugs reported, XSS makes up 27 percent. No other type of bug comes close. Through HackerOne, some $7.7 million has been paid out to cover XSS vulnerabilities alone.
Cloud migration has also led to an increase in exploits such as server-side request forgery (SSRF). "The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URL, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform POST requests towards internal services which are not intended to be exposed," HackerOne said.
Presently, SSRF makes up only 5.9 percent of the top bugs reported. Nevertheless, the company said, these server-side exploits are on the rise as more and more companies find homes in the cloud.
Other top bounties include a range of code injection exploits or misconfigurations that allow unauthorized access to systems that should be locked down. Companies have paid out over $1.5 million alone to cover improper access control.
"Companies that pay more for bounties are definitely more attractive to hackers, particularly more attractive to top hackers," Han said. "But we know that bounties paid out are not the only motivation. Hackers like to hack companies that they like using, or that are located in their country." In other words, even though a company is spending more money to pay hackers to find bugs, it doesn't necessarily mean that they have more security.
"Another factor is how fast a company is changing," she said. "If a company is developing very rapidly and expanding and growing, even if they pay a lot of bounties, if they're changing up their code base a lot, then that means they are not necessarily as secure."
According to an article this year in TechRepublic, some 300,000 hackers are currently signed up with HackerOne, though only 1 in 10 have reportedly claimed a bounty. The best of them, a group of roughly 100 hackers, have earned over $100,000. Only a couple of elite hackers have attained the highest-paying ranks of the program, reaping rewards close to, or in excess of, $1 million.
Take a look at a full breakdown of HackerOne's "most impactful and rewarded" vulnerability types here.
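The SSRF description above (a server fetching a URL the attacker controls, and that URL pointing at the AWS metadata endpoint or an internal service) maps directly onto a defensive check: before the server-side code fetches anything, every address the destination resolves to must be public. The following is an added example written for this article, not HackerOne's code or a library API; the hostname-to-IP table, the `check_outbound_url` function and the `constructed_resolver` are all constructed here so the check runs offline.

```python
"""Destination-URL check for server-side fetches (SSRF mitigation).

Added illustration, not HackerOne's code. The DNS resolver is injectable so
the check can be exercised offline against a constructed hostname table.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for real DNS (not real hosts).
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "internal-db.corp": ["10.1.2.3"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one bad answer
}


def resolve_host(host):
    """Default resolver: every A/AAAA answer for `host` as an IP string."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host):
    """Offline resolver over CONSTRUCTED_DNS; unknown names fail like DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: no such host {host}")


def is_forbidden_address(ip):
    """True for any address a server-side fetch must never reach: loopback,
    RFC 1918 / ULA, link-local (this covers 169.254.169.254, the cloud
    metadata endpoint), multicast, reserved and unspecified ranges."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:a.b.c.d is an IPv4 target in disguise
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_host):
    """Return (allowed, reason). Allowed only if the scheme is http(s),
    the URL carries no credentials, and *every* resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"  # user@host confuses parsers
    try:
        addresses = [ipaddress.ip_address(host)]  # strict IP literal
    except ValueError:
        # Decimal/hex/octal spellings (2130706433, 0x7f000001, 0177.0.0.1)
        # failed strict parsing but a libc resolver may still accept them.
        if re.fullmatch(r"[0-9.]+", host) or host.lower().startswith("0x"):
            return False, "ambiguous numeric host"
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
        if not addresses:
            return False, "unresolvable host"
    for ip in addresses:
        if is_forbidden_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/webhook",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://internal-db.corp:8080/",
                      "http://rebind.example/",
                      "http://[::ffff:169.254.169.254]/"):
        print(candidate, check_outbound_url(candidate, constructed_resolver))
```

The check runs at validation time only; it does not pin the address the HTTP client later connects to, so a destination that resolves differently on the next lookup, or a redirect to an internal host, still needs handling: connect to the validated IP directly, re-run the check on every redirect hop, and block the metadata endpoint at the network or instance level as well.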