NEWS HackerOne Paid Out $81M to Bug Bounty Hunters: AI Emerges as the Primary Threat Source

ExcalibuR

70% of researchers use AI in their work, and autonomous agents have already submitted hundreds of valid reports.

The bug bounty platform HackerOne reported that over the past 12 months, white-hat hackers worldwide received payments totaling $81 million. According to the company, this is a 13% increase compared to the previous year.

Today, HackerOne manages more than 1,950 bug bounty programs and offers vulnerability disclosure, penetration testing, and code review services. Its clients include Anthropic, Crypto.com, General Motors, GitHub, Goldman Sachs, Uber, and government entities, including the U.S. Department of Defense.

On average, active programs pay researchers about $42,000 per year. The top 100 programs on the platform alone paid out a combined $51 million between July 2024 and June 2025. Furthermore, the top ten programs accounted for $21.6 million of the total payout volume.

Growth in earnings is also observed at the individual researcher level: the top 100 bug bounty hunters of all time have collectively earned $31.8 million. More and more specialists are reaching six-figure annual earnings.

HackerOne notes that the sharp increase in payouts is linked to the rapidly developing landscape of artificial intelligence vulnerabilities. Over the year, the number of reports on such vulnerabilities grew by more than 200%, and cases of prompt injection increased by 540%, making it the fastest-growing threat class in the AI domain.

At the same time, classic vulnerability classes are declining: XSS and SQL injection are becoming less common. Authorization flaws, including improper access control and IDOR (Insecure Direct Object Reference), by contrast show significant growth.

According to the report, in 2025, HackerOne has 1,121 programs that have included AI technologies within their scope. This is a 270% increase from the previous year. Notably, more than 560 reports submitted by autonomous AI agents have passed validation.

The company emphasizes that the use of AI tools is becoming part of researchers' workflows. Of the 1,820 specialists surveyed, 70% admitted to using such solutions to improve the efficiency of their vulnerability searches.

"AI vulnerabilities have increased by more than 200% in a year, and corporate initiatives to prevent them are developing three times faster than last year," said HackerOne CEO Kara Sprague. She stated that a new generation of so-called "bionic hackers," who use artificial intelligence to augment their own capabilities, are finding vulnerabilities on an unprecedented scale.

For comparison, the Russian platform Standoff Bug Bounty paid out 168.9 million rubles to researchers over the year—from August 25, 2024, to August 25, 2025. During this time, 170 vulnerability search programs were launched in public and private modes. In total, bug hunters submitted 6,904 reports, of which 508 concerned high-severity vulnerabilities and 423 were critical. Educational platforms like CyberED, which compiles materials on practical information security, exist in the market to train specialists for work in such programs.