3/20/2017
09:10 AM

Bug Bounty Programs are Growing Up Fast and Paying More

As more organizations crowdsource the vulnerability-hunting of their software, the process itself has become more formal, as well as more lucrative for researchers.

Recent news that Google and Microsoft have substantially increased their rewards for certain vulnerability disclosures, and that Intel has launched a new bounty program, signals the surging popularity of crowdsourced bug hunting.

Google announced earlier this month that it had increased the maximum reward for remote code execution bugs to more than $31,000, up from $20,000. Bugs involving unrestricted file system or database access now fetch $13,337, compared with the $10,000 Google used to pay for them. Google security program manager Josh Armour described the move as recognition of how much harder it has become for security researchers to find high-severity bugs.

Microsoft, meanwhile, announced that bug hunters who find flaws in its Exchange Online and Office 365 Admin Portal between March and May this year can earn up to $30,000, or double the usual reward for such finds.

Intel also has launched a program under which it will offer up to $30,000 for critical flaws in its hardware, $10,000 for similar flaws in its firmware, and $7,500 for software bugs.

The announcements come against the backdrop of the Zero Day Initiative’s Pwn2Own hacking contest last week in Vancouver, and reflect what several say is the growing and quickly evolving nature of bug bounty programs.

Here are some of the biggest shifts in these vulnerability programs:

Organizations Offering Bug Bounties Have Become More Diverse

There's been a rapid growth in the adoption of bug bounty programs over the past year, says Jason Haddix, head of trust and security at Bugcrowd, one of the pioneers in the managed bug bounty program space.

Haddix says he has seen a big uptick both in the number of organizations launching bug bounties and in the kinds of organizations launching them.

"Today, bug bounties are no longer just for the early adopter tech giants," Haddix says. "They’re for organizations of any size and level of security maturity."

Over the last year, Bugcrowd has launched programs for financial companies, automakers, retail companies, and consumer electronics firms, among others. "Today, the industry has accepted the value of bringing the crowdsourced testing model to custom web applications, IoT devices, and basically any other type of software," Haddix says.

The Number of Bug Hunters and Vulnerability Submissions is Going Through the Roof

Bug bounty programs have given security researchers of all skill levels and from around the world a legitimate way to monetize their bug discoveries. Not surprisingly, the programs have proved to be a magnet for the community.

HackerOne, which like Bugcrowd manages bug bounty programs for other organizations, has over 100,000 hackers registered with it. Over 4,700 of them have been rewarded for bugs reported, says Michiel Prins, co-founder of HackerOne.

The platform has helped some 750 organizations across multiple industries resolve a combined total of more than 40,000 bugs so far and has paid out $15 million in rewards for them. Over 75% of the companies that sign up with HackerOne receive a bug report in less than 24 hours.

"We've seen a marked increase in the number of researchers signing up for these programs," adds Bugcrowd's Haddix. The number of vulnerability researchers signed up with Bugcrowd has doubled in the past 12 months. Until relatively recently a majority of them were based in India; now researchers from the US nearly equal those from India.

"During the last year, we've seen a surge in the number of submissions as well as in the number of payouts with a 287% increase in researcher payouts and a 66% increase in the size of the average payouts," Haddix says.

Payouts Get Bigger - But Harder to Get

As Microsoft and Google's announcements this week showed, organizations are willing to pay out bigger bounties for vulnerability disclosures than ever before. But getting them has become harder. The biggest rewards are reserved for bugs that are the hardest to find, the toughest to fix, or cause the most harm.

"The harder a vulnerability is to mitigate, the more we pay" is how Intel described payment under its new bug bounty program.

That trend is reflected at the Pwn2Own contest. In 2007, all it took was a single bug to win a category, says Dustin Childs, director of communications for Zero Day Initiative, the organizer of the Pwn2Own hacking competition. "Today, complete exploit chains are required to fully win a category," he says. "Teams need to put in hundreds of hours of preparation time to be successful during the contest."

The increased effort required to succeed is mirrored in the prize increases as well. While a total of $10,000 and a laptop were awarded at Pwn2Own in 2007, contest winners in 2016 received some $450,000 in cash and prizes across multiple categories. This year, organizers expect to pay out at least $1 million.

"The contest has proven year after year to be the root of the research community. Bugs disclosed during the event inspire the broader community to seek out other similar vulnerabilities," Childs says.

Vulnerability Pricing Models Get a Lot More Formal

As bug bounties have become more formal, so have the methods used to price them. When advising organizations how much they should pay for a bug, HackerOne considers the severity of the flaw, how scarce similar bugs are, the potential impact, and the maturity of the program itself, says Prins.

Typically, the goal in setting bug bounties is not to compete with the black market on payout levels, but to encourage researchers to disclose flaws they discover in a responsible manner. "The better our ethical community is at finding vulnerabilities and our customers are at fixing them, the more scarce they become elsewhere," he says.

Bugcrowd even offers a so-called Defensive Vulnerability Pricing Model to help organizations determine how much a disclosed flaw is worth. The guide is based on information gathered from tens of thousands of vulnerability submissions and sets rates for bugs based on their criticality, Haddix says. It offers guidelines on how much money an organization might want to allocate for its bug bounty program and what reward ranges attract the best talent, he says. "The majority of our programs are scoped in accordance with these guidelines," Haddix says.

Bug Bounties Aren't for Everyone

"Bug bounty programs are an emerging way to discover vulnerabilities in software," says Peter Kaloroumakis, chief technology officer at threat hunting and detection firm BluVector.

Companies are extracting value from these programs and updating their software to address newly discovered vulnerabilities. At the same time, such programs make the most sense for enterprises that develop software products, not for enterprises that merely use them.


"An enterprise, which is using products, not creating them, is less likely to benefit from a bug bounty program," Kaloroumakis says. "They should focus on applying standard controls, network security monitoring and consider traditional penetration tests" by third parties, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
