DevOps platform firm GitLab has increased its payout for critical vulnerabilities by 75% with a new commitment to pay between $20,000 and $35,000 for critical issues, and raise the top payout for other severities by 50%, the company said on Nov. 22.
The company joins a host of other firms raising their payouts for researchers who find and report software vulnerabilities to be fixed by developers. In the last two years, Microsoft, Google, and Atlassian have all raised their rewards for researchers who report bugs. The market has heated up as companies recognize that bug bounties supplement their in-house security programs, reduce risk, and ultimately lower the cost of identifying vulnerabilities, says Johnathan Hunt, vice president of security for GitLab.
"Which ends up being both good and bad," says Hunt. "It is good in the way that we are improving our application security; ... we are shifting security left and finding vulnerabilities before they become public. But that said, it also does kind of discourage researchers from spending extra time on our platform."
Thus, the company's increase in bounties for vulnerabilities.
This trend in bug bounty programs underscores the difficult balance that companies have to strike between engaging with researchers and simultaneously adopting tools and processes that make vulnerabilities less likely. Overall, researcher interest in bug bounty programs has grown: Bug bounty management firm HackerOne claims 63% more researchers submitted vulnerabilities in 2020 than during the previous year. However, security issues in mature products are generally harder to find, especially the critical vulnerabilities that result in the highest bounties.
As tools improve and companies become better at application security, the easiest to find vulnerabilities — so-called "low-hanging fruit" — disappear and only hard-to-find issues are left. This means as the bug bounty ecosystem matures, maintaining the interest of researchers requires larger bounties, says Casey Ellis, founder and CTO of crowdsource vulnerability firm Bugcrowd.
"When an organization has their incentives set at a certain level and the velocity of valid reports starts to calm down, it's almost a graduation of sorts: Time to increase rewards and progress to the next level," he says. "Doing so activates hackers who might not have been as interested in a lower bounty, and also has the effect of encouraging greater focus from all participants."
By increasing its bounties, GitLab keeps pace with many other software-focused companies. A year ago, Microsoft boosted its top Windows bounty to $100,000, adding high-impact bonuses over the past year to a variety of applications and cloud services. Microsoft runs 17 different bug bounty programs, across which 341 researchers submitted a total of 1,261 qualifying reports, earning a combined $13.6 million in the year ending June 2021. Google almost doubled the amount it paid out to bug hunters in 2020, awarding $6.7 million to 662 researchers, with a top award of $132,500 for a single vulnerability.
Atlassian doubled its own top reward to $10,000 in May 2021 for its core cloud products. GitHub, a competitor to both GitLab and Atlassian's Bitbucket, paid out more than $524,000 to researchers for 203 reported vulnerabilities. GitLab's maximum payout is now $5,000 more than GitHub's cited maximum, but GitHub maintains it has an open-ended policy and could pay more for especially serious vulnerabilities.
Competition between companies will likely result in greater demand for researchers, GitLab's Hunt says.
By raising its rewards, "we are trying to increase the excitement and engagement and focus on our program," he says. "We are trying to attract a broader set of talent and skill sets globally. Honestly, it really is getting more difficult to find vulnerabilities on our platform. That is some of the feedback we have received."
GitLab and other companies are still working on the right strategy for attracting the most suitable researchers to analyze their platforms. But paying more in bounty money for the most critical flaws is not necessarily the way to go, says Hunt.
"In our case, we could have increased our bug bounties to $100,000, but there are only a couple of those that are found every year, so if we only did that, we would only probably be paying two people a lot of money," he says. "Most people don't catch the P1s [priority 1 issues], and that discourages the rest from participating in the program. We are trying to increase engagement across the board."
In addition, the population of bugs will likely never be exhausted because new software is being created — and updated — all the time, says Bugcrowd's Ellis. More than 15 years after hacker Samy Kamkar found a cross-site scripting (XSS) vulnerability in the social media service MySpace, demonstrating the potential for XSS to be a major issue, similar vulnerabilities of the same class are easy to find because they are hard to prevent and an easy error for developers to make.
While the "super hunters" might get the most lucrative payouts, consistent bug finders are common and will continue to have material to work with, Ellis says.
"Within all groups, there are people who focus on complicated attack chains and business logic exploitations, then there are those who look for simpler issues but usually in ways that others haven’t thought of before," he says. "It really does take a crowd."