>$5 million in bounties has been paid to 2,000 contributing hackers for finding over 14,000 vulnerabilities
That's an average of $357/vuln - or $2,500 per "hacker" -- or if you assume everyone shared the 357/vuln that would only equate to $.17 per hacker per vuln.
That seems really really low.
What % of the $5MM or the 14K did the top hacker or group take home?
How long is the tail of zero $$ per hacker in the community of the 2K?
(I met the founder on bart some time ago and was trying to get their services at my last company, and I was just literally this morning thinking about H1 as I need to have my PII SaaS system evaluated... but I am interested in the economics of this as well)
Great questions. We'll line up a more analytical post on the topic as I don't know all the answers here, and we all should. In the interim, here are a few rough, from-memory answers:
> That's an average of $357/vuln
The 14,000 includes resolved bugs where no reward was offered (bounties are optional, with ~40% of programs not offering any, i.e., "responsible disclosure", a drop-in replacement for security@company.com). If you reduce the set to reports where a reward was offered, the average is closer to $750.
> What % of the $5MM or the 14K did the top hacker or group take home?
The top earner last year took $280k.
> How long is the tail of zero $$ per hacker in the community of the 2K?
This is a diverse group. Several hundred are active "hackers" driven financially. The rest are developers, hobbyists, and technical consumers who just happened to get curious about something in particular, or even stumbled across a security problem in passing (this is far more common than you'd reasonably expect).