07

A New Success Metric: Return on Mitigation

Data breach costs are more significant than ever

$4.88M: the global average cost of a data breach, up 10% over the previous year

In contrast, even top-tier bounty payouts in the 95th percentile are relatively small investments.

However, many organizations still struggle to measure the ROI of proactive security measures like bug bounty programs. Securing budget for these initiatives often requires stakeholder buy-in, which means translating bug bounty success into clear financial value.

Check out how organizations like yours measure the success of their security programs (share of respondents citing each metric):

Success metric                                                   Our panel of security professionals   HackerOne customers
Absence of incidents or breaches                                 41%                                   57%
Risk assessment                                                  39%                                   48%
Financial savings estimated from avoiding risk or avoiding
  breaches                                                       37%                                   45%
Agility and speed of security teams’ responsiveness              36%                                   32%
Discount on cyber insurance                                      36%                                    9%
Estimated savings of reputational or customer-related impacts
  as a result of a security program                              35%                                   45%

“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”

Eric Kieling

Head of Application Security, Booking.com

Introducing Return on Mitigation

HackerOne recently introduced the concept of return on mitigation (ROM), an extension of ROI that is specific to cybersecurity. ROM compares the cost of mitigating risks to the potential financial losses from cyber incidents, and considers the qualitative and quantitative benefits of proactive security investments, including the incident costs they avoid:

  • Restoring compromised systems
  • Lost revenue due to downtime
  • Legal and regulatory penalties
  • Damage to public trust and reputation

ROM shifts the focus from short-term cost savings to long-term resilience, highlighting the importance of risk management and the overall business benefits of proactive security measures.

Find out how ROM is calculated in the SANS White Paper: Human-Powered Security Testing

Recommendations

Track your response times, your ability to stay within the SLAs you have agreed for remediating vulnerabilities, and your time to bounty payout, so you can understand the health of your program and the efficacy of your processes.

Understand the goals and success metrics of your different stakeholders, from engineering teams to the board, so you can align your reporting to their priorities and focus areas.

Adopt a return-on-mitigation strategy to effectively put an incident avoided into financial terms.

“Paying $15k for a critical vulnerability that could cost us millions in the wild is the best discount.”

Security Leader, Media & Entertainment Industry

Download the Full 8th Annual Hacker-Powered Security Report

Get researcher insights, customer testimonials, industry data, analysis and advice, and more.

Data sources

HackerOne’s annual community survey surveyed 2,321 security researchers who were active on the platform in the 30 days prior to the survey. The survey took place between June 24, 2024, and August 4, 2024.

The data collected from HackerOne’s platform is from the period between June 2023 and June 2024.

HackerOne’s customer survey was conducted via UserEvidence and surveyed 50 HackerOne customers between July 15, 2024, and August 15, 2024.

The survey of security professionals was conducted by Opinion Matters and surveyed 500 security professionals across the US and Europe. The survey was conducted between July 31, 2024, and August 6, 2024.

About HackerOne

HackerOne is the global leader in human-powered, AI-enabled security, fueled by the creativity of the world’s largest community of security researchers plus cutting-edge AI to protect your digital assets. The HackerOne Platform combines the expertise of our elite community and the most up-to-date vulnerability database to pinpoint critical security flaws across your attack surface. Our integrated solutions—including bug bounty, pentesting, code security audits, spot checks, and AI red teaming—ensure continuous vulnerability discovery and management throughout the software development life cycle. Trusted by industry leaders such as Coinbase, General Motors, GitHub, Goldman Sachs, Hyatt, PayPal, Snap Inc., and the U.S. Department of Defense, HackerOne was named a Best Workplace for Innovators by Fast Company in 2023 and a Most Loved Workplace for Young Professionals in 2024.
