Bug-Bounty Programs Shift Focus to Most Critical Flaws

The number of bug bounty programs jumped by a third, the median payout for a critical vulnerability report rose to $3,000, but rewards for easier-to-find lower-severity flaws stagnated in 2021.

[Figure: HackerOne saw bounties on critical flaws increase, but all others stagnate. Courtesy of HackerOne]

The market for independent vulnerability research took off in 2021, with the volume of bug bounties rising by more than a third and total bounties paid surging to nearly $37 million, according to a report from vulnerability program management firm HackerOne.

The report, which only includes data from HackerOne's programs, matches what other bounty programs are experiencing. The number of vulnerabilities reported this year to Trend Micro's Zero Day Initiative (ZDI), a long-running, third-party bug-bounty program, surpassed the 1,453 vulnerabilities it published in 2020. Bugcrowd, which manages crowdsourced vulnerability research programs, saw a 50% increase in submissions in 2020 and a 65% increase in priority-one issues, according to the latest data available.

HackerOne also saw more vulnerabilities in 2021, with 34% more security issues disclosed in its clients' bug-bounty programs, according to its "Hacker-Powered Security Report 2021."

"At the highest level, most organizations made discovering and remediating bugs a bigger priority this year — especially vulnerabilities identified as critical," says Chris Evans, CISO and chief hacking officer at HackerOne. "This suggests to me that businesses are focused on improving their processes and investing more in security to ensure they’re not the next victim of a cyberattack."

While more vulnerabilities are being reported, attention is mainly shifting to the most critical flaws. The median payout for the disclosure of critical bugs jumped to $3,000 — up from $2,500 in 2020 — but rewards for low- and medium-severity flaws stagnated, according to the HackerOne report. Low-severity issues averaged a $150 bounty, while medium-severity vulnerabilities rose slightly to an average payout of $500, up from $450 in 2020.

The shift toward a focus on more critical vulnerabilities comes as more researchers sign up for more programs. About three-quarters of hackers have more time for research because of the move to remote work, while eight out of 10 ethical hackers recently identified a vulnerability they had never seen before the pandemic, says Casey Ellis, founder and chief technology officer of Bugcrowd.

"This points to the growing difficulty in protecting the attack surface across an increasingly distributed remote workforce due to the pandemic," he says. "But it also highlights the nature of many ethical hackers to follow the work of their peers and to emulate their fellow hackers’ approaches to problem-solving by sharing their successes and iterating on them."

The 1% Problem Continues
The emphasis on more critical vulnerabilities will likely favor a small number of highly competitive and technical researchers. The fact that a small number of researchers make the lion's share of profit is a known issue with vulnerability programs. In fact, there are typically two groups of competitive participants: those researching critical vulnerabilities and those finding a large number of low- and medium-severity issues, says Dustin Childs, communications manager at Trend Micro's ZDI.

"One camp submitted a high number of low-earning cases, while the other camp submitted just a few high-dollars cases," he says. "While it may look like one or two researchers dominated submissions, the payouts were relatively even between a lot of different folks."

In addition, the expansion in the number of programs has created more opportunity for new researchers, HackerOne's Evans says.

"However, we continue to see great, new talent emerging from HackerOne's platform," he says. "I anticipate that as more resources become available to hackers, hacking as a career continues to become legitimized, and organizations recognize the value hackers bring, this gap will shrink."

Dominant Vulnerability Classes Remain
The top three classes of reported vulnerabilities remain unchanged between 2020 and 2021, with cross-site scripting (XSS), information disclosure, and improper access control claiming the top slots, according to the HackerOne report. The vulnerabilities with the largest growth in disclosures, however, are business logic errors, of which the number reported grew by 67%. Information disclosure vulnerabilities had a 58% increase, and privilege escalation flaws jumped by 55%.

The ZDI also noted researchers are taking more interest in servers, operating systems, and infrastructure tools.

Not every company has seen a massive increase. Microsoft's program may have reached maturity as the company has paid out nearly the same amount — $13.6 million in 2021 versus $13.7 million in 2020 — for approximately the same number of vulnerability reports — 1,261 in 2021 versus 1,226 in 2020. In November, software development platform GitLab increased its bounty prices by 50% to 75% as a way to increase participation, as bugs become harder to find.

Are the hours spent researching vulnerabilities a good way for hackers to earn income? All three bug-bounty programs argue yes, especially in countries such as India, Bugcrowd's top source of hacking prowess, or as a second gig. While nearly 80% of Bugcrowd's programs originate in the United States, hackers from India claim nearly a third of the proceeds and US hackers claim 22%, according to Bugcrowd's "2021 Inside the Mind of a Hacker" report.

Changes wrought by the global pandemic also made businesses more likely to work with hackers, giving part-time hackers more opportunities for research. Seventy-one percent of surveyed bug finders made more money as remote work became more accepted, the report states.

"Bug-bounty programs have become a viable, self-directed career option for many computer-minded individuals from all walks of life," Bugcrowd's Ellis says. "Ethical hackers will continue to challenge the powerful forces behind these attacks, enabling companies to continuously secure their digital assets and software development life cycles with greater efficiencies than traditional security approaches."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
