Dark Reading is part of the Informa Tech Division of Informa PLC


Careers & People

6/8/2016 01:50 PM

Super Hunters Emerge As More Companies Adopt Bug Bounties

'Super hunters' chase down vulnerabilities wherever there's a bug bounty payday...and they've become very popular with cybersecurity job recruiters, says Bugcrowd report.

As more organizations adopt bug bounty programs, a tier of "super hunters" is emerging who earn hundreds of thousands of dollars in payouts. In the process, they are attracting the attention of corporate security team recruiters, according to Bugcrowd's latest report on the state of the bug bounty economy.

Super hunters, although not an entirely new phenomenon, are earning more than ever as more complex and higher-profile bounty programs launch with higher stakes, according to findings in the second annual State of Bug Bounty Report.

This elite group of hunters uses a range of techniques and looks for niches, such as finding and reporting vulnerabilities in staging or development servers, or in forgotten servers that clearly should have been decommissioned, says Jonathan Cran, vice president of operations at Bugcrowd. Other super hunters have a deep understanding of the business logic or underlying infrastructure of the applications they test.

A bug bounty is most simply defined as “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.” Bug bounties were originally uncapped “blank check” affairs, introduced by technology giants such as Facebook, Google, Yahoo, and a few others, which have spent over $10 million on bug bounty payouts to date, Cran says.

In the past year, the term "bug bounty" has become more widely known and publicized through popular programs such as Tesla Motors' car hacking program, launched in mid-2015. In March, the US Department of Defense announced "Hack the Pentagon," a pilot program in which the DoD invites vetted hackers to test the department's cybersecurity.

However, the majority of researchers (85%) participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties. But payouts are on the rise even for these part-time bug bounty hunters, Cran says. The all-time average bug reward on Bugcrowd’s platform has risen from the $200.81 cited in last year’s report, to $294.70, an increase of 47%. The average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.

Bugcrowd runs a platform of more than 30,000 security researchers who surface software vulnerabilities for the organizations the company connects them with. The second annual report consists of survey responses from approximately 500 researchers in 51 countries with experience in bug bounty programs.

Seventy-five percent of the researchers are between the ages of 18 and 29, followed by the second-largest age group, 30 to 44, representing 19% of respondents. Additionally, 88% of the respondents have completed at least one year of college; 55% of them have graduated with a bachelor’s or postgraduate degree. All respondents had at least a high school degree.


Diversified Industries Adopt Programs

Bug bounty programs are being adopted by all types of organizations; from startups to enterprises, and from virtually every industry, the report states. “I see it as the evolution of security assessment in general,” Cran says. “Five or 10 years ago very few folks were doing it.” But now almost every business has become a software vendor or pushes out software-based services to customers, he notes.

Of the nearly 300 programs Bugcrowd has launched over the past three years, “we have seen growth and diversification in the makeup of our customer base from purely tech to 25% more traditional verticals such as financial services and banking,” the report states. The top two industries represented are computer software companies and internet-based companies, followed by financial services and banking, information technology and services, computer and network security, e-commerce and retail.

Larger enterprises are adopting bug bounty programs, the report states: the share of companies with 5,000 or more employees among those launching bug bounty programs grew 44% over the last 12 months.

Organizations that want to run a public bug bounty program typically begin privately, incentivizing a smaller number of researchers while they build their response capabilities. Over time, the programs go public, allowing everyone to participate. As of March 31, 2016, 63% of all Bugcrowd program launches have been private programs.

“Organizations looking to access the benefits of crowdsourcing with specific business goals, complex technologies or environments benefit from a smaller testing pool. These organizations pay higher bounties to attract and maintain interest from the best researcher talent,” the report states.

"We recommend that companies start with a short-term private program or even an ongoing private program," Cran says. Organizations should also establish a non-incentivized bug reporting program, opening a channel for customers and others to submit vulnerability-related information, he says.


XSS continues to dominate

The most commonly discovered vulnerability is still Cross-site Scripting (XSS), which represents 66% of the total vulnerabilities disclosed, followed by Cross-site Request Forgery (CSRF).
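Because XSS and CSRF are the two bug classes the report singles out, here is a compact illustration of what each looks like in a handler and what the fix is. This is an added example, not code from Bugcrowd, Dark Reading, or any program in the report; the request model, `SECRET_KEY`, and the handler names are hypothetical and chosen so the block runs offline without a web framework.

```python
"""Reflected XSS and CSRF: a vulnerable handler beside its hardened form.

Added example (not from the original article). The minimal request model
below is hypothetical: a query string for the search page and a raw
urlencoded POST body for the transfer endpoint.
"""
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

# Hypothetical server-side secret used to derive per-session CSRF tokens.
SECRET_KEY = b"example-only-do-not-use-in-production"


def search_page_vulnerable(query: str) -> str:
    """Reflects the user-supplied query straight into HTML: reflected XSS."""
    return f"<h1>Results for {query}</h1>"


def search_page_hardened(query: str) -> str:
    """Escapes the untrusted value for an HTML text context before reflecting it."""
    return f"<h1>Results for {escape(query, quote=True)}</h1>"


def csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256 of the session id under SECRET_KEY.

    An attacker's page cannot read the victim's cookies or compute this value,
    so a cross-site form cannot include a valid token.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id: str, body: str) -> str:
    """Acts on a state-changing POST with no proof the request came from our own page."""
    params = parse_qs(body)
    return f"moved {params['amount'][0]} to {params['to'][0]}"


def transfer_hardened(session_id: str, body: str) -> str:
    """Rejects the request unless it carries the token derived for this session."""
    params = parse_qs(body)
    submitted = params.get("csrf", [""])[0]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return "403 forbidden: missing or invalid CSRF token"
    return f"moved {params['amount'][0]} to {params['to'][0]}"


if __name__ == "__main__":
    # Constructed inputs: an XSS probe and a forged cross-site form submission.
    payload = "<script>alert(1)</script>"
    print(search_page_vulnerable(payload))  # script tag lands in the page
    print(search_page_hardened(payload))    # rendered as literal text

    sid = secrets.token_hex(8)
    forged = "to=attacker&amount=1000"
    print(transfer_vulnerable(sid, forged))                           # succeeds
    print(transfer_hardened(sid, forged))                             # 403
    print(transfer_hardened(sid, forged + "&csrf=" + csrf_token(sid)))  # succeeds
```

Output encoding has to match the context the value lands in (HTML text, attribute, URL, JavaScript); `html.escape` covers only the first two. For CSRF, the session-bound token shown here is one of several valid designs; in practice it is paired with `SameSite` cookie attributes and an `Origin` or `Referer` check rather than used alone.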

Bug bounties are often compared to traditional application security assessment methods such as penetration testing. “The biggest differences between the two are volume of testers involved and the differing reward models. Bug bounties involve thousands of researchers as opposed to a select few penetration testers, and utilize a pay for results reward model rather than for effort,” the report states.

Additionally, the volume and diversity of researchers participating in bug bounty programs produces a broad range of bug types, classes, and severities, and testing is usually performed without prior knowledge of the target, according to the report.


Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
