Ten companies paid out the most in bug bounties on one platform, and those payouts drew the most hacker engagement.
For the second year in a row, Verizon Media has the top program, with more than US$9.4 million in bounties paid as of April. Programs run by companies such as PayPal, GitLab and Uber paid total bounties ranging from US$3 million down to US$987,000. The rankings also weigh other factors, such as time to first response, time to bounty payout, and the number of hackers involved in each program.
These top 10 programs show how coordinated vulnerability disclosure can work in practice: competitive bounties elicit higher engagement, while transparency about payouts builds trust with the global hacker community.
Said HackerOne’s CTO and co-founder, Alex Rice: “These top 10 programs are setting the standard for how transparency breeds trust in security in collaboration with a team of diverse hackers from across the globe. At HackerOne, Default to Disclosure is one of our values. And while this isn’t a mandate for our customers and hackers, it is something we encourage every customer to think about. By sharing where we’re vulnerable, other defenders can learn, friendly hackers can learn, and we’re all safer in the end.”
According to Rice, every Global 2000 company is grappling with a daunting cybersecurity problem. Decades of advances in security software have delivered many critical benefits, but have also proven inadequate on their own. “Security vulnerabilities are a when, not an if, when it comes to software. Companies that ignore this are negligent. With software development cycles becoming increasingly continuous, security teams are left playing catch up,” Rice concluded.
To keep pace with continuous development, enterprises can treat bug bounties as a complementary security control alongside their existing practices rather than as a replacement for them.