‘Ethical’ hackers earn $45 million annual bounty

So-called ethical hackers collectively earned almost $45 million from bug bounties in the last 12 months, according to data compiled by VPN provider Atlas.

Ethical hacking, whether as a scoped penetration test or through a bug bounty programme of the kind counted here, is the exploitation of an IT system with the permission of its owner in order to find its vulnerabilities and weak points. It is widely accepted as an effective way of testing and validating an organisation’s security posture.

The results of ethical hacking are typically used to recommend preventive and corrective countermeasures that reduce the risk of a cyber attack.

According to the latest findings from Atlas, hackers reported 60,000 valid vulnerabilities over the past year and received $979 on average per vulnerability.

The United States remains the top payer of bounties, rewarding hackers $39,125,265 in the past year. Rewards paid by US organisations alone account for 87% of the total amount of bounties paid.

Russia was in second place, granting $887,236 in bounty rewards to hackers. Bounties awarded by Russian companies make up 2% of the total paid to hackers.

Organisations from the UK round out the top three, paying $559,215 to hackers in bounty rewards. Bounties distributed by UK companies amount to a little over 1% of the total paid in the past 12 months.

Commenting on the findings, Rachel Welch, COO of Atlas, said: “While bug bounty programs will not solve the cybersecurity talent shortage, organisations can still benefit significantly by outsourcing ethical hackers to identify weak spots in their security measures.”

When it comes to the hackers themselves, US hackers lead the way. Together, US hackers earned $7,204,299, which accounts for 16% of the total bounty winnings distributed over the last 12 months.

Chinese hackers come in second, collecting $5,355,683. Bounty rewards received by Chinese hackers make up nearly 12% of all bounties paid in the past year.

Chinese hackers are closely followed by Indian hackers, who netted $4,401,251 in bounty winnings. Rewards collected by Indian hackers constitute close to one-tenth of the total bug bounty rewards paid between May 2019 and April 2020.