7/11/2018 04:35 PM
Critical Vulns Earn $2K Amid Rise of Bug Bounty Programs

As of June, a total of $31 million has been awarded to security researchers for this year - already a big jump from the $11.7 million awarded for the entire 2017.



Bug bounty programs are paying more money to more hackers, more of whom are discovering severe vulnerabilities: As of June, a total of $31 million has been awarded to security researchers for this year – already a big jump from the $11.7 million awarded for the entire 2017.

Over the past year, 116 bug reports were valued at over $10,000, with organizations offering up to $250,000 for severe flaws discovered. The numbers come from HackerOne's "Hacker-Powered Security Report 2018," in which analysts pulled data from 78,275 vulnerability reports submitted by ethical hackers to more than 1,000 organizations via HackerOne's bug bounty platform.

"All of the volume numbers have increased tremendously," says HackerOne CEO Marten Mickos. "But they have been trending like this for the past three years. The direction is clear."

About 60% of organizations on HackerOne pay an average of $1,500 for critical vulnerabilities. In general, the average bounty for critical flaws is $2,041, a 6% increase year-over-year. The average award for a critical bug increased 33% to $20,000 for the highest awarding programs.

More than 72,000 vulnerabilities have been fixed as of May, and more than one-third (27,000) were addressed in the past year. Of the top 15 vulnerability types reported, cross-site scripting is the most common across all industries with the exception of healthcare and technology, where information disclosure flaws are most popular.

Government Programs Pick Up Speed
Private organizations are lagging behind the adoption curve when it comes to crowdsourced security, HackerOne reports. Nearly all (93%) of the companies on the Forbes Global 2000 list lack a policy for receiving, responding to, and remediating critical bug reports submitted by external parties.

Private programs make up 79% of all bug bounty programs on HackerOne, down from 88% in 2017 and 92% in 2016 – a sign more programs are going public. Most public bug bounty programs are in tech (63%), financial services and banking (9%), and media and entertainment (9%). Public programs made up 19% of program launches last year, about double the year prior.

In the government sector specifically, there was a 125% increase in program launches around the world. The European Commission and Ministry of Defense Singapore have both launched bug bounty initiatives, and the US Department of Defense wrapped up bug bounty challenges for the US Army, US Air Force, and the Defense Travel System.

"Looking at industries, it's interesting to see the government sector grow so strongly and pay so well," Mickos says. "They pay more than the tech sector or telecom sector for critical vulnerabilities. It tells us something – it tells us the government is very serious about this. If you pay more for critical reports, you get more critical reports."

Indeed, government programs pay an average of $3,892 for critical vulnerabilities, analysts found. The tech sector pays slightly less, at $3,635 per bug, followed by telecom ($2,976), professional services ($2,719), transportation ($1,892), and retail and ecommerce ($1,720).

A few factors are holding back private companies, Mickos says. The biggest reason, he says, is a mental block: Many companies simply don't see the value. Some do, but they don't have the capacity to fix flaws once they learn about them.

"If you lack the ability to fix them, you're caught between a rock and a hard place," Mickos says. "The ability to fix, and roll out fixes, is essential."

Hacking Hackers' Education
Security researchers have to think outside the box to gain the skills they need. Despite the growth of hacker education, less than 5% of hackers learn their skills in a classroom, HackerOne reports. Most (nearly 58%) are self-taught. Half studied computer science at an undergraduate or graduate level, and 26.4% studied computer science during or before high school.

One-quarter of hackers who submit to HackerOne are full-time students, over 90% are under the age of 35, and 44% are IT pros. Financial gain is a primary reason why ethical hackers hack, but it's decreasing in importance. Most are motivated by the chance to learn techniques (15%), to be challenged (14%), and to have fun (14%), with money falling to fourth place (13%).


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
