The Pentagon’s willingness to pay freelance hackers to report cyber vulnerabilities has opened the floodgates for similar programs from other agencies, report the organizers of the original Hack The Pentagon. San Francisco-based HackerOne now counts clients ranging from the US Air Force, Army, and Defense Travel System to the Singaporean Ministry of Defense and the European Commission, with Congress passing a bill to add the Department of Homeland Security.
Since its founding in 2012, HackerOne has paid hackers $31 million for discovering over 72,000 vulnerabilities. Growth is so fast that over a third of this, $11.7 million for 27,000 bugs, was awarded in the last 12 months.
Government business worldwide more than doubled in the last year, increasing 125 percent. In fact, HackerOne says the public sector is now ahead of most industries in acceptance of this emerging model of “open source” cybersecurity.
“It came pretty quickly,” HackerOne’s Finnish CEO, Mårten Mickos, told me. “I think…they all looked at Hack the Pentagon and said, ‘if America is doing it, we can do it.’”
True, the highest “bug bounties” (payments to freelance cybersecurity experts for reporting unique and dangerous vulnerabilities) still come from private-sector tech companies. Intel and Microsoft now offer up to $250,000 for particularly critical discoveries, although no one has actually collected that maximum payout yet. Last year, 116 “unique critical vulnerabilities” earned over $10,000 each. Average bounty payments are much lower, ranging from just $668 per bug in the travel/hospitality industry to $3,635 in the technology sector, but government beats them all with an average payout of $3,892.