Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/11/2018
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Critical Vulns Earn $2K Amid Rise of Bug Bounty Programs

As of June, a total of $31 million has been awarded to security researchers for this year - already a big jump from the $11.7 million awarded for the entire 2017.

Bug bounty programs are paying more money to more hackers, more of whom are discovering severe vulnerabilities: As of June, a total of $31 million has been awarded to security researchers for this year – already a big jump from the $11.7 million awarded for the entire 2017.

Over the past year, 116 bug reports were valued at over $10,000, with organizations offering up to $250,000 for severe flaws discovered. The numbers come from HackerOne's "Hacker-Powered Security Report 2018," in which analysts pulled data from 78,275 vulnerability reports submitted by ethical hackers to more than 1,000 organizations via HackerOne's bug bounty platform.

"All of the volume numbers have increased tremendously," says HackerOne CEO Marten Mickos. "But they have been trending like this for the past three years. The direction is clear."

About 60% of organizations on HackerOne pay an average of $1,500 for critical vulnerabilities. In general, the average bounty for critical flaws is $2,041, a 6% increase year-over-year. The average award for a critical bug increased 33% to $20,000 for the highest awarding programs.

More than 72,000 vulnerabilities have been fixed as of May, and more than one-third (27,000) were addressed in the past year. Of the top 15 vulnerability types reported, cross-site scripting is the most common across all industries with the exception of healthcare and technology, where information disclosure flaws are most popular.

Government Programs Pick Up Speed
Private organizations are lagging behind the adoption curve when it comes to crowdsourced security, HackerOne reports. Nearly all (93%) of the Forbes Global 2000 list lacks a policy to receive, respond to, and remediate critical bug reports they receive from external parties.

Private programs make up 79% of all bug bounty programs on HackerOne, down from 88% in 2017 and 92% in 2016 – a sign more programs are going public. Most public bug bounty programs are in tech (63%), financial services and banking (9%), and media and entertainment (9%). Public programs made up 19% of program launches last year, about double the year prior.

In the government sector, specifically, there was an 125% increase in program launches around the world. The European Commission and Ministry of Defense Singapore both have launched bug bounty initiatives, and the US Department of Defense wrapped up bug bounty challenges for the US Army, US Air Force, and the Defense Travel System.

"Looking at industries, it's interesting to see the government sector grow so strongly and pay so well," Mickos says. "They pay more than the tech sector or telecom sector for critical vulnerabilities. It tells us something – it tells us the government is very serious about this. If you pay more for critical reports, you get more critical reports."

Indeed, government programs pay an average of $3,892 for critical vulnerabilities, analysts found. The tech sector pays slightly less, at $3,635 per bug, followed by telecom ($2,976), professional services ($2,719), transportation ($1,892), and retail and ecommerce ($1,720).

A few factors are holding back private companies, Mickos says. The biggest reason, he says, is a mental block: Many companies simply don't see the value. Some do, but they don't have the capacity to fix flaws once they learn about them.

"If you lack the ability to fix them, you're caught between a rock and a hard place," Mickos says. "The ability to fix, and roll out fixes, is essential."

Hacking Hackers' Education
Security researchers have to think outside the box to gain the skills they need. Despite the growth of hacker education, less than 5% of hackers learn their skills in a classroom, HackerOne reports. Most (nearly 58%) are self-taught. Half studied computer science at an undergraduate or graduate level, and 26.4% studied computer science during or before high school.

One-quarter of hackers who submit to HackerOne are full-time students, over 90% are under the age of 35, and 44% are IT pros. Financial gain is a primary reason why ethical hackers hack, but it's decreasing in importance. Most are motivated by the chance to learn techniques (15%), to be challenged (14%), and to have fun (14%), with money falling to fourth place (13%).

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
CVE-2020-25157
PUBLISHED: 2020-10-20
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
CVE-2020-25648
PUBLISHED: 2020-10-20
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw...