94 percent of Forbes 2000 companies have no bug bounty programs, report says
Bug bounty programs are paying more than ever, but they’re still absent from most of the world’s top 2,000 public companies, according to a new report Tuesday from HackerOne.
The San Francisco-based company, which sells its own bug bounty platform, says 94 percent of companies on the Forbes Global 2000 have no discernible way to receive reports about vulnerabilities in their networks.
That number is unchanged from HackerOne’s 2015 security report.
The companies that do have bug bounty programs, however, are willing to pay more for vulnerability disclosures, HackerOne says. The average bounty on the company’s platform had grown 16 percent in two years to a current average of $1,923.
HackerOne itself recently raised a $40 million investment and assisted the Pentagon with bug bounty programs.
The security report notes that in addition to the Department of Defense, the Food and Drug Administration, National Highway Traffic Safety Administration, National Telecommunications and Information Administration, National Institute of Standards and Technology and Federal Trade Commission have invested in bug bounty programs.
Bug bounty programs date back at least 34 years to 1983 when Hunter & Ready, an early Silicon Valley pioneer, offered cars in exchange for bug reports. Every hacker ended up taking the $1,000 cash offer instead of the car.