HackerOne, a leading platform in offensive security, announced it has paid out a total of $81 million in bug bounties to its global community of white-hat hackers over the past year.
This figure, detailed in the company’s 9th annual Hacker-Powered Security Report, marks a 13% increase from the previous year, highlighting the growing reliance on crowdsourced security to defend against evolving cyber threats. The report covers the period from July 1, 2024, to June 30, 2025.
The findings underscore a significant return on investment for organizations utilizing bug bounty programs. For every dollar spent on bounties, companies saved an average of $15, culminating in an estimated $3 billion in mitigated financial losses from potential breaches.
This 15x return demonstrates the financial efficacy of leveraging ethical hackers to identify and remediate vulnerabilities before they can be exploited by malicious actors.
Emergence of “Bionic Hackers”
A central theme of the 2025 report is the emergence of the “bionic hacker”: security researchers who extend their expertise with artificial intelligence.
This synergy of human creativity and AI-driven automation is reshaping the security landscape. According to HackerOne, there has been a 210% surge in valid AI-related vulnerability reports since 2024, with researchers increasingly focused on testing AI and machine learning systems.
The report indicates that 67% of surveyed researchers now use AI or automation tools to accelerate reconnaissance and testing. The platform has also seen the advent of “hackbots,” autonomous AI agents that have submitted 560 valid reports, primarily identifying surface-level flaws like Cross-Site Scripting (XSS).
While human ingenuity remains crucial for uncovering complex business logic and multi-step exploits, AI is proving to be a powerful force multiplier.
The distribution of the $81 million in bounties reveals key industry priorities and risk areas. The technology sector, particularly computer software and internet services, led in total payouts.
Computer Software programs accounted for over $9.7 million in bounties, while the top 10 programs on the platform paid out a combined $21.6 million.
Vulnerability trends show a shift in focus. While payouts for common bugs like XSS are declining, rewards for more critical issues such as Improper Access Control (IAC) and Insecure Direct Object Reference (IDOR) are on the rise.
IDOR-related rewards increased by 23% and valid reports grew by 29%, signaling that attackers and researchers are concentrating on authorization and access control weaknesses.
The report emphasizes that the future of cybersecurity belongs to organizations that can effectively combine human expertise with AI-powered tools to stay ahead of adversaries in a rapidly changing threat environment.