26 Bug Bounty Statistics To Make Your Jaw Drop! (2024)

Bug Bounty Statistics

As most businesses transition to the digital world, they become a natural target for various hacker attacks. There are plenty of ways these dangerous individuals can bypass security protocols and put people’s information in danger. Knowing that, companies invest more and more resources in identifying vulnerabilities. In addition to their own efforts, companies that deal with a lot of data typically ask contributors for help. Together, they make the digital world much safer.

Here’s how that works.

A bug bounty stimulates software gurus to discover security issues on various websites. Bug bounty represents a deal between companies and individuals regarding discovering malfunctions on websites.

  • Is our information safe on the web?
  • Can someone track our transactions?
  • Can someone steal money from your bank account?
  • How secure is sharing your card details on online platforms?

These are burning questions on all internet users’ minds. During every online session, many people wonder if someone can sneak inside their phones or computers and steal relevant data, not to mention money. It’s only natural to think about how secure the internet is nowadays, especially the sites to which we entrust our information and money. Are we protected, and if so, how?

Searching for website bugs is one of the methods companies use to improve the security of their platforms. People worldwide search for security issues, detect malware and improve services. Therefore, what better way to understand these companies’ efforts than through cold, hard numbers?

Let’s take a look at the latest bug bounty statistics.



Bug Bounty Statistics In The Crypto World

Cryptocurrencies have become prevalent in recent years. Considering the advantages of Blockchain technology, we can assume that using digital coins is safer than fiat money.

Moreover, many experts believe it’s nearly impossible to intercept or alter crypto transactions. Still, all major crypto platforms continuously improve data protection protocols to prevent security breaches.


1. You can earn up to $100,000 by reporting a bug on Binance.


As one of the largest crypto exchanges, Binance offers its users maximum security. That said, contributors can earn between $200-$10,000 per vulnerability. In total, the prize can go as high as $100,000. As a result, individuals that find security issues affecting the blockchain, node, or wallet can receive lucrative rewards.


2. The minimum bug bounty payout for finding a crack in Kraken security systems starts from $500.


Kraken has a specific vulnerability rating where contributors can earn from $500 and up depending on the bug report score. The company will pay developers in cryptos. An individual must register and provide documents to Kraken’s support center to receive bug payments.


3. Saleem Rashid is the main contributor on Shiftcrypto with 5,400 points.


Shiftcrypto has a Hall of Thanks designed to highlight the main contributors. The alias Saleem Rashid is in the lead with 5,400 points on its list. The next developer under the name “jubobs” has only 400 points. The website’s bug bounty program is open to anyone who believes they can do better than Saleem.


4. $80,000 is the reward for discovering critical bugs on Crypto.com.


According to HackerOne, developers can earn impressive sums of money when reporting bugs on Crypto.com. The company has listed potential rewards and bug report scores. For example, reporting low severity bugs can earn you up to $1,200. If you discover more severe bugs, you can claim rewards up to a staggering $80,000 per bug.


5. Cryptocurrencies’ share in bug bounty programs is only 4%.


Statista reveals that almost 24% of internet and online service niche companies offer bug bounty programs. Computer software companies are immediately behind with 16%. Additionally, around 8% of financial services and insurance companies offer rewards to individuals who discover bugs.

Cryptocurrency & blockchain companies participate in the total bug bounty programs with a “mere” 4% share.


6. There are more than 7,000 white hat hackers on Hackenproof.


Ethical hackers can join various platforms and receive rewards for detecting security malfunctions on websites. Hackenproof is one of the most prominent examples, with more than 7,000 contributors and over 300 active programs.

So far, the platform has paid $523,564 to hackers for a total of 3,493 bug reports. The assets included in the program are Blockchain, Web, Mobile, DEX, DeFi, Wallet, Hardware, and more.


7. $120.3 million was stolen after a major hacker attack on DeFi protocol BadgerDAO.


It is not uncommon for crypto-users to keep their assets in a “vault,” which they can subsequently redeem for tokens. This process was possible thanks to the BadgerDAO protocol. Unfortunately for numerous crypto-owners, hackers managed to cash out $120.3 million worth of assets in December 2021.

PeckShield stated the amount could be more and claimed it’s challenging to determine the actual value of stolen tokens. This incident is the most recent in a long line of problems that demonstrate why bug bounties are critically important.


Bug Bounty Stats for Internet & Online Services

The internet has changed the world, and today only a handful of people aren’t using any web services. Conversely, the majority depends on browsers, social media, and the like. As such, the world of Internet services is a target for numerous hackers looking to exploit any vulnerability. 


8. $15,000 is the payout for reporting bugs on Mozilla’s critical sites.


There are 3.5 billion internet users. Whether through social media or other platforms, web traffic reached 3.5 billion online users. In other words, one in three people uses social media regularly. Aside from social media platforms, nearly 4 billion people worldwide use Google, while Mozilla has “only” 153 million users.

Mozilla has a specific program to encourage organizations and individuals to discover security malfunctions on its related sites. The program has developed a unique classification based on the website’s importance and bug type.

Contributors can earn up to $15,000 per bug on the following websites:

  • www.mozilla.com
  • www.mozilla.org
  • www.firefox.com
  • www.getfirefox.com


9. $31,337 is the bug bounty for remote code execution on Google.


With a considerable number of users comes great responsibility. As a result, Google offers generous rewards for reporting command injection, deserialization bugs, and sandbox escape vulnerabilities. For applications that allow taking over a Google account, software developers can earn up to $31,337.

Depending on the website and bug severity, contributors may earn more or less money through Google’s bug hunters program.


10. There were 234 bugs reported on Brave Software.


There’s no browser immune to hackers with bad intentions. Still, users can be safe knowing that Brave knights in shiny armor are looking after them. So far, contributors have managed to resolve 234 bugs on Brave, but there are 32 more assets in scope at the moment.


11. The average payout for discovering bugs on Opera is $204.54.


Opera is one of the most significant internet browsers worldwide, with more than 380 million users. As such, finding security issues is of utmost importance, leading Opera to pay $204.54 on average for bug discoveries. Generally, developers can earn between $50 and $10,000 for reporting security issues to Opera.


12. Google paid $6.7 million to bug researchers in 2020.


Reputation has no price. Google’s spending on resolving security breaches went over seven digits in 2020. The company paid $6.7 million to 662 contributors from 62 countries. Google’s bug reporting spending has increased three-fold compared to 2015. Seven years ago, the company spent $2 million on resolving security issues on their webpages.


13. There’s a $250,000 bug bounty on Microsoft Hyper-V bugs.


The global leader in computer software, hardware, and gaming systems offers a staggering $250,000 for reporting bugs in their Microsoft Hyper-V program. This program is only the beginning, as the company provides more 6-digit figures for contributors on different projects.

On the other hand, payments on ElectionGuard and Office Insider vulnerabilities are among the lowest, with a $15,000 average reward.


14. Google paid $50,000 for resolving issues on Android 11.


Another old saying goes “better safe than sorry,” and it epitomizes Google’s views before the official release of Android 11. The fact the company managed to iron out all issues before releasing the new version proves they were right.

Bug bounty played the main role in discovering 11 security problems, earning researchers $50,000 as a result.


Bug Bounty Statistics in the Financial Services Sector

Dealing with money is always a unique challenge. Breaches in this niche can have severe consequences on both companies and regular users.

As a result, malware, unauthorized transactions, and money laundering are, among other things, the most challenging tasks these institutions have to deal with.

Let’s put figures on their efforts.


15. 1,000 researchers work on discovering bugs on PayPal.


The average PayPal payment volume is around $936 billion. It’s not surprising that one of the largest global platforms for money transactions represents an ideal target for hacker attacks. Consequently, the company invests enormous amounts of money in preventing security breaches.

Besides a dedicated team of experts inside PayPal, the platform also recruits more than 1,000 researchers through different channels. So far, the company has spent around $2 million on bug-related programs.


16. More than 200,000 vulnerabilities have been found on Bugcrowd.


It is not uncommon for white hat hackers to join larger communities in pursuing new challenges. Bugcrowd is one such website, serving as an intermediary between other sites and contributors.

Consequently, developers have managed to detect and solve 200,000 web security issues on multiple financial service companies. The average payout was $1,432.


Government Websites Bug Reports Statistics

A government internet page is where citizens can communicate with authorities, check information about elected officials, public servants, code of ethics, and more.

Let’s see how secure they are.

17. The Department of Homeland Security bug bounty program pays $500-$5,000 to those who discover vulnerabilities.


Some of the world’s largest companies offer almost a quarter of a million dollars to the most skillful hackers who manage to find vulnerable security protocols.

On the other hand, DHS evidently believes there are no significant issues on its websites. Thus, they offer up to $5,000 for bug reports on their site.


18. The U.S. Air Force website had 54 vulnerabilities.


During the three-month challenge, Bugcrowd contributors worked on discovering weak protocols on the official website of the United States Air Force. These individuals discovered 54 vulnerabilities and earned around $124,000 for their efforts.


19. White hat hackers can earn up to $55,380 by discovering bugs on the Swiss Government’s website.


Homeland Security isn’t the only government site that relies on hackers’ brains worldwide to increase protection. The Swiss Government also holds the security of users’ information in the highest regard. Therefore, contributors can earn up to $55,380 for discovering bugs.


Social Media Bug Researchers Statistics

20. 403 software issues have been resolved on Snapchat.


The famous social media company that offers some of the most popular Android and iOS apps offers $35,000 for resolving server-side remote code execution issues. So far, researchers have solved 403 issues, while 26 still wait to be checked.


21. Payment researchers can earn $30,000 from Meta (Facebook).


Contributors can earn a staggering $30,000 for discovering bugs that allow third parties to access private Instagram content. Additionally, the company stated there’s no upper limit for the payout. However, Meta considers some security issues off-limits, so beware where you prod.


22. Bug researchers can earn up to $5,000 from Vimeo.


The company believes no one’s perfect, and we couldn’t agree more. Vimeo is open for all people of goodwill to track down its security issues and offers a generous reward in return. Contributors can earn between $500 and $5,000 for discovering bugs on vimeo.com.


Retail Bug Bounty Statistics

Retailers are also on the hackers’ radar. Let’s see how they work to eliminate security flaws.


23. Intel offers $100,000 for discovering vulnerabilities on Intel Hardware.


One of the largest chip manufacturers and microprocessor developers offers up to $100,000 per discovered bug. The company has developed a bug resolving program with 4 different levels:

  • Critical
  • High
  • Medium
  • Low.

Depending on the level, contributors can earn from $500 to $100,000 per resolved bug. Interestingly, the program is open for non-US residents.


24. To date, 1801 software bugs have been resolved on Uber.


Connecting people with their families, friends, and favorite restaurants has always attracted peeping toms. Consequently, the company has devoted a special bug bounty program to contributors worldwide.

Developers can earn $750 on average by resolving security issues on Uber platforms. So far, contributors resolved 1801 reports, while 1 remains in scope.


25. To date, Shopify has paid out a total of $2 million for bug discovery and removal.


The folks at Shopify understand the meaning of one of the oldest sayings: “never interrupt others while shopping.” Thousands of people input their personal information on this platform. It is only natural for such a large company to feel a great amount of responsibility for their clients.

So far, the company has received 83 valid reports. Contributors earned around $2 million from reporting bugs to the platform.


26. White hat hackers can earn up to $6,000 for finding critical bugs on Starbucks.


Perhaps Starbucks’ coffee is flawless, but the company’s website has had well over 1,300 bugs. Luckily, contributors resolved most of them, with 39 in scope so far.

The average payout for a resolved security issue is around $500, while the maximum stands at $6,000.



Bug bounty programs are no joke.

Online security breaches can lead to severe consequences for users and companies. Consequently, countless companies have decided to pursue bug bounty programs directly or through various third-party platforms. Various contributors apply, either in groups or individually, and help companies protect their users – for monetary compensation, of course. It’s a win-win, wouldn’t you say?

The good news is that most businesses put high effort into resolving bugs and protecting their clients, as you can see from the bug bounty statistics above.

Bug bounty hunters and companies are both making a ton of money (not to mention the amount of free swag). I hope this blog post has opened your eyes to the great opportunities in bounty hunting.

Thanks for taking the time to read this. If you have any questions at all, please feel free to reach out to us. We’re always happy to help.



  1. bugcrowd.com
  2. kraken.com
  3. shyftcrypto.com
  4. hackerone.com
  5. statista.com
  6. hackenproof.com
  7. theblockcrypto.com
  8. mozilla.org
  9. bughunters.google.com
  10. hackerone.com
  11. bugcrowd.com
  12. zdnet.com
  13. microsoft.com
  14. zdnet.com
  15. linkedin.com
  16. bugcrowd.com
  17. cnnpolitics.com
  18. bugcrowd.com
  19. swissinfo.ch
  20. hackerone.com
  21. zdnet.com
  22. hackerone.com
  23. intel.com
  24. hackerone.com
  25. shopify.in
  26. hackerone.com
