Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

6/8/2016
01:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

‘Super Hunters’ Emerge As More Companies Adopt Bug Bounties

'Super hunters' chase down vulnerabilities wherever there's a bug bounty payday...and they've become very popular with cybersecurity job recruiters, says Bugcrowd report.

As more organizations look to adopt bug bounty programs, a tier of "super hunters" is emerging, who earn hundreds of thousands of dollars in payouts. In the process, these super hunters are attracting the attention of many companies’ security team recruiting efforts, according to Bugcrowd’s latest report on the state of the bug bounty economy.

Super hunters, although not an entirely new phenomenon, are making more money than ever as more complex and high-profile bounty programs launch with higher stakes, according to findings in the second annual  State Of Bug Bounty Report.

The elite group of hunters deploy various techniques, looking for niches, such as finding and exposing vulnerabilities in staging or development servers or forgotten servers that clearly should be de-commissioned, says Jonathan Cran, vice president of operations at Bugcrowd. Other super hunters have deep understanding of the business logic or underlying infrastructure of applications.

A bug bounty is most simply defined as “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.” Bug bounties were originally uncapped “blank check” affairs, introduced by technology giants such as Facebook, Google, Yahoo, and a few others, which have spent over $10 million on bug bounty payouts to date, Cran says.

In the past year, the term “bug bounty” has become more well-known and widely publicized through popular programs such as Tesla Motors’ car hacking program, launched in mid-2015.  In March, the US Department of Defense announced “Hack the Pentagon,” in which the DoD plans to invite vetted hackers to test the department’s cybersecurity under a unique pilot program.

However, the majority of researchers (85%) participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties. But payouts are on the rise even for these part-time bug bounty hunters, Cran says. The all-time average bug reward on Bugcrowd’s platform has risen from the $200.81 cited in last year’s report, to $294.70, an increase of 47%. The average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.

Bugcrowd harnesses the power of more than 30,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. The company connects security researchers with organizations and helps them build a partnership. The second annual report consists of survey responses from approximately 500 researchers with experience in bug bounty programs from 51 different countries.

Seventy-five percent of the researchers are between the ages of 18 and 29, followed by the second-largest age group, 30 to 44, representing 19% of respondents. Additionally, 88% of the respondents have completed at least one year of college; 55% of them have graduated with a bachelor’s or postgraduate degree. All respondents had at least a high school degree.

 

Diversified Industries Adopt Programs

Bug bounty programs are being adopted by all types of organizations; from startups to enterprises, and from virtually every industry, the report states. “I see it as the evolution of security assessment in general,” Cran says. “Five or 10 years ago very few folks were doing it.” But now almost every business has become a software vendor or pushes out software-based services to customers, he notes.

Of the nearly 300 programs Bugcrowd has launched over the past three years, “we have seen growth and diversification in the makeup of our customer base from purely tech to 25% more traditional verticals such as financial services and banking,” the report states. The top two industries represented are computer software companies and internet-based companies, followed by financial services and banking, information technology and services, computer and network security, e-commerce and retail.

Larger enterprises are adopting bug bounty programs, the report states. Companies with 5,000+ employees accounted for 44% more of the total companies launching bug bounty programs over the last 12 months.

Organizations looking to start a public bug bounty program begin privately, incentivizing a smaller number of researchers while they build their response capabilities. Over time, the programs become public, allowing everyone to participate. As of March 31 2016, 63% of all Bugcrowd program launches have been private programs.

“Organizations looking to access the benefits of crowdsourcing with specific business goals, complex technologies or environments benefit from a smaller testing pool. These organizations pay higher bounties to attract and maintain interest from the best researcher talent,” the report states.

“We recommend companies to start with a short-term private program or even an ongoing private program,” Cran says. Organizations should also establish a non-incentivized bug reporting program, opening up a channel for customers and others to submit vulnerability-related information, he says.

 

XSS continues to dominate

The most commonly discovered vulnerability is still Cross-site Scripting (XSS), which represents 66% of the total vulnerabilities disclosed, followed by Cross-site Request Forgery (CSRF).

Bug bounties are often compared to traditional application security assessment methods such as penetration testing. “The biggest differences between the two are volume of testers involved and the differing reward models. Bug bounties involve thousands of researchers as opposed to a select few penetration testers, and utilize a pay for results reward model rather than for effort,” the report states.

Additionally, the volume and diversity of security researchers participating in bug bounty programs results in a diverse range of bug types, classes, and criticality of vulnerabilities, and testing is usually performed without prior knowledge of the target, according to the report.  

Related Content:

 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.