Scrape Timestamp (UTC): 2025-10-02 15:37:31.691
HackerOne paid $81 million in bug bounties over the past year.

Bug bounty platform HackerOne has paid $81 million in rewards to white-hat hackers worldwide over the past 12 months.

HackerOne manages over 1,950 bug bounty programs and provides vulnerability disclosure, penetration testing, and code security services to many organizations. Its list of customers includes high-profile companies such as Anthropic, Crypto.com, General Motors, GitHub, Goldman Sachs, Uber, and government agencies like the U.S. Department of Defense.

According to a report published earlier this week, the average yearly payout across all active programs is approximately $42,000. Meanwhile, the top 100 bug bounty programs on the platform have paid out $51 million between July 1, 2024, and June 30, 2025.

"In the past 12 months, HackerOne bug bounty programs collectively paid out $81 million, an increase of 13% YoY. The top 10 programs alone accounted for $21.6 million," the company said. "At the researcher level, the Top 100 all-time earners took a total of $31.8M, with individual researchers now consistently surpassing six-figure annual earnings."

HackerOne noted that the number of AI vulnerabilities has increased by more than 200%, with prompt injection vulnerabilities surging by a staggering 540%, confirming them as the quickest-growing threat in AI security. At the same time, security issues such as XSS (cross-site scripting) and SQLi (SQL injection) are in decline, while authorization flaws, including improper access control and IDOR (insecure direct object reference), are experiencing a significant increase in reports.

In total, 1,121 bug bounty programs on HackerOne included AI in scope in 2025, a 270% increase YoY, with autonomous AI-powered agents submitting 560+ valid reports. The company added that 70% of over 1,820 researchers surveyed over the last year have used AI tools in their workflow "to enhance their hunting abilities."
"AI vulnerabilities increased by more than 200% this year, while enterprises expanded AI security initiatives at nearly three times last year's pace," said HackerOne CEO Kara Sprague. "At the same time, a new generation of 'bionic hackers'—security researchers using AI to enhance their hunting abilities—are driving the discovery of security issues at unprecedented scale."
Daily Brief Summary
HackerOne distributed $81 million in bug bounty rewards over the past year, reflecting a 13% increase year-over-year, with significant contributions from top programs.
The platform supports over 1,950 bug bounty programs, including high-profile clients like General Motors, GitHub, and the U.S. Department of Defense.
AI vulnerabilities have surged by more than 200%, with prompt injection vulnerabilities increasing by 540%, marking them as a rapidly growing threat in AI security.
Traditional security issues like cross-site scripting and SQL injection are declining, while authorization flaws such as improper access control are on the rise.
The number of programs with AI in scope grew 270% year-over-year to 1,121, and autonomous AI-powered agents submitted more than 560 valid reports.
The emergence of "bionic hackers," who leverage AI tools, is enhancing vulnerability discovery, with 70% of surveyed researchers integrating AI into their workflows.
HackerOne's insights suggest enterprises are expanding AI security initiatives at nearly triple the pace compared to the previous year, emphasizing the evolving landscape of cybersecurity threats.