Vulnerabilities / Threats

1/31/2017
05:10 PM

Google Paid $3 Million To Bug Hunters In 2016

Search engine giant an example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger. Since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because of their effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.

"One factor is that security consultancies had gotten lazy," Pescatore says. Many of them conduct their app testing engagements using medium-skilled consultants who run off-the-shelf tools, add very little value, and produce a cut-and-paste, largely boilerplate report.

"For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value," Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

"Just saying 'pound on my website, if you find something I’ll give you a prize' leads to some vulnerabilities being found, but many false positives," Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will not also be sold to other bidders, including organized crime. "The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent," Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and services are now also eligible targets for bug hunting, including Nest and Google OnHub, Nava said.

"I think it is great that companies see this as essentially an extension of their security quality assurance programs," says Pete Lindstrom, an analyst with UDC. "Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

HardenStance, User Rank: Strategist
2/3/2017 | 8:58:58 AM
A double-edged sword
They're a double-edged sword, these bug bounties. Wasn't it a young hacker out to identify iPhone vulnerabilities that ended up inadvertently flooding a number of PSAPs with bogus calls at the end of last year? Sometimes it feels like what these bug bounties give with one hand is only a bit more than what they take with the other.