Bug bounty platform HackerOne has awarded $81 million to security researchers worldwide in the past 12 months, a 13% year-over-year increase, according to its latest report.
HackerOne manages more than 1,950 programs across industries, offering vulnerability disclosure, penetration testing, and code security services. Its customer list includes major companies such as Anthropic, Crypto.com, GitHub, Goldman Sachs, Uber, General Motors, and even the U.S. Department of Defense.
The report highlights that the average yearly payout per program is around $42,000, while the top 100 programs collectively distributed $51 million between July 2024 and June 2025. The top 10 programs alone accounted for $21.6 million. At the researcher level, the top 100 earners collectively received $31.8 million, with many individuals now surpassing six-figure annual incomes.
A major trend is the surge in AI-related vulnerabilities, which rose 200% year-over-year, with prompt injection flaws up 540%, making them the fastest-growing security threat. By contrast, classic issues such as XSS and SQL injection are declining, while authorization flaws—including improper access controls and IDOR (insecure direct object reference)—are on the rise.
In 2025, more than 1,121 bug bounty programs included AI in scope, marking a 270% YoY increase, with autonomous AI-powered agents submitting over 560 valid reports.
HackerOne also noted a shift in how researchers are working: 70% of over 1,820 surveyed hunters now use AI tools to enhance their bug-hunting capabilities.
“AI vulnerabilities increased by more than 200% this year, while enterprises expanded AI security initiatives at nearly three times last year’s pace,” said HackerOne CEO Kara Sprague. “At the same time, a new generation of ‘bionic hackers’—researchers using AI to boost their hunting abilities—are driving discoveries at unprecedented scale.”





