Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

6/8/2016
01:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

‘Super Hunters’ Emerge As More Companies Adopt Bug Bounties

'Super hunters' chase down vulnerabilities wherever there's a bug bounty payday...and they've become very popular with cybersecurity job recruiters, says Bugcrowd report.

As more organizations look to adopt bug bounty programs, a tier of "super hunters" is emerging, who earn hundreds of thousands of dollars in payouts. In the process, these super hunters are attracting the attention of many companies’ security team recruiting efforts, according to Bugcrowd’s latest report on the state of the bug bounty economy.

Super hunters, although not an entirely new phenomenon, are making more money than ever as more complex and high-profile bounty programs launch with higher stakes, according to findings in the second annual  State Of Bug Bounty Report.

The elite group of hunters deploy various techniques, looking for niches, such as finding and exposing vulnerabilities in staging or development servers or forgotten servers that clearly should be de-commissioned, says Jonathan Cran, vice president of operations at Bugcrowd. Other super hunters have deep understanding of the business logic or underlying infrastructure of applications.

A bug bounty is most simply defined as “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.” Bug bounties were originally uncapped “blank check” affairs, introduced by technology giants such as Facebook, Google, Yahoo, and a few others, which have spent over $10 million on bug bounty payouts to date, Cran says.

In the past year, the term “bug bounty” has become more well-known and widely publicized through popular programs such as Tesla Motors’ car hacking program, launched in mid-2015.  In March, the US Department of Defense announced “Hack the Pentagon,” in which the DoD plans to invite vetted hackers to test the department’s cybersecurity under a unique pilot program.

However, the majority of researchers (85%) participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties. But payouts are on the rise even for these part-time bug bounty hunters, Cran says. The all-time average bug reward on Bugcrowd’s platform has risen from the $200.81 cited in last year’s report, to $294.70, an increase of 47%. The average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.

Bugcrowd harnesses the power of more than 30,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. The company connects security researchers with organizations and helps them build a partnership. The second annual report consists of survey responses from approximately 500 researchers with experience in bug bounty programs from 51 different countries.

Seventy-five percent of the researchers are between the ages of 18 and 29, followed by the second-largest age group, 30 to 44, representing 19% of respondents. Additionally, 88% of the respondents have completed at least one year of college; 55% of them have graduated with a bachelor’s or postgraduate degree. All respondents had at least a high school degree.

 

Diversified Industries Adopt Programs

Bug bounty programs are being adopted by all types of organizations; from startups to enterprises, and from virtually every industry, the report states. “I see it as the evolution of security assessment in general,” Cran says. “Five or 10 years ago very few folks were doing it.” But now almost every business has become a software vendor or pushes out software-based services to customers, he notes.

Of the nearly 300 programs Bugcrowd has launched over the past three years, “we have seen growth and diversification in the makeup of our customer base from purely tech to 25% more traditional verticals such as financial services and banking,” the report states. The top two industries represented are computer software companies and internet-based companies, followed by financial services and banking, information technology and services, computer and network security, e-commerce and retail.

Larger enterprises are adopting bug bounty programs, the report states. Companies with 5,000+ employees accounted for 44% more of the total companies launching bug bounty programs over the last 12 months.

Organizations looking to start a public bug bounty program begin privately, incentivizing a smaller number of researchers while they build their response capabilities. Over time, the programs become public, allowing everyone to participate. As of March 31 2016, 63% of all Bugcrowd program launches have been private programs.

“Organizations looking to access the benefits of crowdsourcing with specific business goals, complex technologies or environments benefit from a smaller testing pool. These organizations pay higher bounties to attract and maintain interest from the best researcher talent,” the report states.

“We recommend companies to start with a short-term private program or even an ongoing private program,” Cran says. Organizations should also establish a non-incentivized bug reporting program, opening up a channel for customers and others to submit vulnerability-related information, he says.

 

XSS continues to dominate

The most commonly discovered vulnerability is still Cross-site Scripting (XSS), which represents 66% of the total vulnerabilities disclosed, followed by Cross-site Request Forgery (CSRF).

Bug bounties are often compared to traditional application security assessment methods such as penetration testing. “The biggest differences between the two are volume of testers involved and the differing reward models. Bug bounties involve thousands of researchers as opposed to a select few penetration testers, and utilize a pay for results reward model rather than for effort,” the report states.

Additionally, the volume and diversity of security researchers participating in bug bounty programs results in a diverse range of bug types, classes, and criticality of vulnerabilities, and testing is usually performed without prior knowledge of the target, according to the report.  

Related Content:

 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...