
$100 Million in Bounties Paid by HackerOne To Ethical Hackers (bleepingcomputer.com)

Bug bounty platform HackerOne announced today that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020. From a report: Since it started delivering vulnerability reports to its customers, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities, according to the company's CEO Marten Mickos. Over 700,000 ethical hackers are now using the bug bounty platform to get paid for security bugs in the products of more than 1,900 HackerOne customers. "It is impossible to know exactly how many cyber breaches have thereby been averted, but we can estimate that it is thousands or perhaps over ten thousand," Mickos said.
  • This is like Apple marking:

    WE PAID APP DEVELOPERS $10B THIS YEAR AND WE HAVE 100M DEVELOPERS!!!! ... wait, so basically on average they are breaking even with the expense of Apple's developer program?

    ---

    Here is my experience with HackerOne and American Express's bounty program: https://privacylog.blogspot.co... [blogspot.com]

    Summary: next time I'll just do full disclosure rather than dealing with them.

    • I'll take too low over none at all. Rarely does change happen in large steps. This is the right direction in showing the benefit of ethical hackers.

  • by Midnight_Falcon ( 2432802 ) on Thursday May 28, 2020 @03:35PM (#60116916)
    Reaching an arbitrary threshold of bounties paid at some psychological number on a single platform doesn't say much about the state of information security, but it does say a lot about the health of HackerOne's business and marketing efforts.
    What it also doesn't say is that HackerOne takes a large cut of all bounties, so they themselves made about ten million dollars paying out a hundred million.

    The article doesn't offer any evidence about how many likely breaches/severe incidents this may have actually averted. Research of bug bounty programs shows they pay these ethical hackers a fraction of what a US- or EU-based security researcher would make per year -- with top bug bounty hackers making maybe $30k/year.
    While they toss around the anecdotes of a handful of hackers who managed to make $1 million or more, based on research that's the exception rather than the rule, tantamount to how stories of winning the lottery sell lotto tickets.
    To make more money, what's stopping these hackers from selling these exploits instead for much more than $1 million each (rather than combined earnings)?

  • I reported a privilege escalation bug to Facebook, through their bug bounty program. They wrote me back to say that it was a bug, and they were going to fix it right away, but because it was a privilege escalation bug they considered it "not a security bug" and so decided that my reporting was worth zero dollars.

    Needless to say, there's no such thing as "ethical hacking" under capitalism. Break everything, and fucking help nobody.

    • by uucp ( 459917 )

      WTF? A privilege escalation bug is NOT a security issue? Was this recent? Would it help if we send a few angry tweets to their security team to support you? That's some grade A bullshit.

      This sounds a lot like fulldecent's HackerOne/American Express fiasco.

      • Like 2 years old now. Not worth any more of my time. Now all the 0days I find go straight to the darkweb sales portals.

        Fool me once, and all that...
