Recent news about Google and Microsoft substantially increasing their rewards for certain vulnerability disclosures and Intel launching a new bounty program signal the surging popularity of crowd-sourced bug hunting.
Google earlier this month announced that it had increased the maximum reward for remote code execution bugs to over $31,000 from $20,000 previously. Bugs involving unrestricted file system or database access now fetch $13,337, compared with the $10,000 Google used to pay for them. Google security program manager Josh Armour described the move as recognition of how much harder it has become for security researchers to find high-severity bugs.
Microsoft, meanwhile, announced that bug hunters who find flaws in its Exchange Online and Office 365 Admin Portal between March and May this year can earn up to $30,000, or double the usual reward for such finds.
Intel also has launched a program under which it will offer up to $30,000 for critical flaws in its hardware, $10,000 for similar flaws in its firmware, and $7,500 for software bugs.
The announcements come against the backdrop of the Zero Day Initiative’s Pwn2Own hacking contest last week in Vancouver, and reflect what several say is the growing and quickly evolving nature of bug bounty programs.
Here are some of the biggest shifts in these vulnerability programs:
Organizations Offering Bug Bounties Have Become More Diverse
There's been a rapid growth in the adoption of bug bounty programs over the past year, says Jason Haddix, head of trust and security at Bugcrowd, one of the pioneers in the managed bug bounty program space.
Haddix says he has seen a big uptick both in the number of organizations launching bug bounties as well as the kind of organizations launching them.
"Today, bug bounties are no longer just for the early adopter tech giants," Haddix says. "They’re for organizations of any size and level of security maturity."
Over the last year, Bugcrowd has launched programs for financial companies, automakers, retail companies, and consumer electronics firms, among others. "Today, the industry has accepted the value of bringing the crowdsourced testing model to custom web applications, IoT devices, and basically any other type of software," Haddix says.
The Number of Bug Hunters and Vulnerability Submissions is Going Through the Roof
Bug bounty programs have given security researchers of all skill levels and from around the world a legitimate way to monetize their bug discoveries. Not surprisingly, the programs have proved to be a magnet for the community.
HackerOne, which like Bugcrowd manages bug bounty programs for other organizations, has over 100,000 hackers registered with it. Over 4,700 of them have been rewarded for bugs reported, says Michiel Prins, co-founder of HackerOne.
The platform has helped some 750 organizations across multiple industries resolve a combined total of more than 40,000 bugs so far and paid out $15 million for it. Over 75% of the companies that sign up with HackerOne get a bug report in less than 24 hours.
"We've seen a marked increase in the number of researchers signing up for these programs,” adds Bugcrowd's Haddix. The number of vulnerability researchers signed up with Bugcrowd has doubled in the past 12 months, and until relatively recently, a majority of them used to be based in India. Now researchers from the US nearly equal those from India.
"During the last year, we've seen a surge in the number of submissions as well as in the number of payouts with a 287% increase in researcher payouts and a 66% increase in the size of the average payouts," Haddix says.
Payouts Get Bigger - But Harder to Get
As Microsoft and Google's announcements this week showed, organizations are willing to pay out bigger bounties for vulnerability disclosures than ever before. But getting them has become harder. The biggest rewards are reserved for bugs that are the hardest to find, the toughest to fix, or cause the most harm.
"The harder a vulnerability is to mitigate, the more we pay" is how Intel described payment under its new bug bounty program.
That trend is reflected at the Pwn2Own contest. In 2007, all it took was a single bug to win a category, says Dustin Childs, director of communications for Zero Day Initiative, the organizer of the Pwn2Own hacking competition. "Today, complete exploit chains are required to fully win a category," he says. "Teams need to put in hundreds of hours of preparation time to be successful during the contest."
The increased effort required to succeed is mirrored in the prize increases, as well. While a total of $10,000 and a laptop were awarded in 2007 at Pwn2Own, contest winners in 2016 received some $450,000 in cash and prizes over multiple categories during the contest. This year, organizers expect to pay out at least $1 million.
"The contest has proven year after year to be the root of the research community. Bugs disclosed during the event inspire the broader community to seek out other similar vulnerabilities," Childs says.
Vulnerability Pricing Models Get a Lot More Formal
As bug bounties have become more formal, so have the methods used to price them. When advising organizations how much they should pay for a bug, HackerOne considers the severity of a flaw; the scarcity or not of similar bugs; the potential impact; and the maturity of the program itself, says Prins.
Typically, the goal in setting bug bounties is not to compete with the black market on payout levels, but to encourage researchers to disclose flaws they discover in a responsible manner. "The better our ethical community is at finding vulnerabilities and our customers are at fixing them, the more scarce they become elsewhere," he says.
Bugcrowd even offers a so-called Defensive Vulnerability Pricing Model to help organizations determine how much a disclosed flaw is worth. The guide is based on information gathered from tens of thousands of vulnerability submissions and sets rates for bugs based on their criticality, Haddix says. It offers guidelines on how much money an organization might want to allocate for its bug bounty program and what reward ranges attract the best talent, he says. "The majority of our programs are scoped in accordance with these guidelines," Haddix says.
Bug Bounties aren't for Everyone
"Bug bounty programs are an emerging way to discover vulnerabilities in software," says Peter Kaloroumakis, chief technology officer at threat hunting and detection firm BluVector.
Companies are extracting value out of these programs and updating their software to address newly discovered vulnerabilities. At the same time, such programs make most sense for enterprise that are developing software products and not enterprises that are just using them.
[Hear Acuity Solutions President Kris Lovejoy discuss the rise of cyber-hunting to better defend against breaches during her session at Interop ITX on Thursday, May 18, at the MGM Grand in Las Vegas. To learn more about other Interop Security tracks, or to register, visit the live links.]
"An enterprise, which is using products, not creating them, is less likely to benefit from a bug bounty program," Kaloroumakis says. "They should focus on applying standard controls, network security monitoring and consider traditional penetration tests" by third parties, he says.