7/11/2018
04:35 PM
Critical Vulns Earn $2K Amid Rise of Bug Bounty Programs

As of June, a total of $31 million has been awarded to security researchers for this year - already a big jump from the $11.7 million awarded for the entire 2017.

Bug bounty programs are paying more money to more hackers, more of whom are discovering severe vulnerabilities: As of June, a total of $31 million has been awarded to security researchers for this year – already a big jump from the $11.7 million awarded for the entire 2017.

Over the past year, 116 bug reports were valued at over $10,000, with organizations offering up to $250,000 for severe flaws discovered. The numbers come from HackerOne's "Hacker-Powered Security Report 2018," in which analysts pulled data from 78,275 vulnerability reports submitted by ethical hackers to more than 1,000 organizations via HackerOne's bug bounty platform.

"All of the volume numbers have increased tremendously," says HackerOne CEO Marten Mickos. "But they have been trending like this for the past three years. The direction is clear."

About 60% of organizations on HackerOne pay an average of $1,500 for critical vulnerabilities. In general, the average bounty for critical flaws is $2,041, a 6% increase year-over-year. The average award for a critical bug increased 33% to $20,000 for the highest awarding programs.

More than 72,000 vulnerabilities have been fixed as of May, and more than one-third (27,000) were addressed in the past year. Of the top 15 vulnerability types reported, cross-site scripting is the most common across all industries with the exception of healthcare and technology, where information disclosure flaws are most popular.

Government Programs Pick Up Speed
Private organizations are lagging behind the adoption curve when it comes to crowdsourced security, HackerOne reports. Nearly all (93%) of the companies on the Forbes Global 2000 list lack a policy for receiving, responding to, and remediating critical bug reports submitted by external parties.

Private programs make up 79% of all bug bounty programs on HackerOne, down from 88% in 2017 and 92% in 2016 – a sign more programs are going public. Most public bug bounty programs are in tech (63%), financial services and banking (9%), and media and entertainment (9%). Public programs made up 19% of program launches last year, about double the year prior.

In the government sector specifically, there was a 125% increase in program launches around the world. The European Commission and Ministry of Defense Singapore have both launched bug bounty initiatives, and the US Department of Defense wrapped up bug bounty challenges for the US Army, US Air Force, and the Defense Travel System.

"Looking at industries, it's interesting to see the government sector grow so strongly and pay so well," Mickos says. "They pay more than the tech sector or telecom sector for critical vulnerabilities. It tells us something – it tells us the government is very serious about this. If you pay more for critical reports, you get more critical reports."

Indeed, government programs pay an average of $3,892 for critical vulnerabilities, analysts found. The tech sector pays slightly less, at $3,635 per bug, followed by telecom ($2,976), professional services ($2,719), transportation ($1,892), and retail and ecommerce ($1,720).

A few factors are holding back private companies, Mickos says. The biggest reason, he says, is a mental block: Many companies simply don't see the value. Some do, but they don't have the capacity to fix flaws once they learn about them.

"If you lack the ability to fix them, you're caught between a rock and a hard place," Mickos says. "The ability to fix, and roll out fixes, is essential."

Hacking Hackers' Education
Security researchers have to think outside the box to gain the skills they need. Despite the growth of hacker education, less than 5% of hackers learn their skills in a classroom, HackerOne reports. Most (nearly 58%) are self-taught. Half studied computer science at an undergraduate or graduate level, and 26.4% studied computer science during or before high school.

One-quarter of hackers who submit to HackerOne are full-time students, over 90% are under the age of 35, and 44% are IT pros. Financial gain is a primary reason why ethical hackers hack, but it's decreasing in importance. Most are motivated by the chance to learn techniques (15%), to be challenged (14%), and to have fun (14%), with money falling to fourth place (13%).

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...