Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/4/2019
08:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018

Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.

Security researchers from around the world last year reported over 100,000 valid vulnerabilities in software and systems belonging to organizations signed up with the HackerOne crowdsourced vulnerability disclosure platform.

Together the researchers earned more than $19 million in bounties in 2018 — or nearly the same amount as the combined total paid out to hackers over the past six years under the HackerOne program.

A survey-based report that HackerOne released Friday shows the number of white-hat hackers registered under the program doubled year over year to 300,000. Hackers from the US and India alone accounted for some 30% of the total and were once again among the top earners in the HackerOne community as in previous years.

However, the number of ethical hackers signing up from other countries, most notably from Africa, grew dramatically last year as well. In total, at the end of 2018, HackerOne had security researchers from as many as 150 countries registered for the program.

"One of the most striking takeaways from this year’s survey is the international growth in the number of bug-bounty hackers," says Luke Tucker senior director of community and content at HackerOne. "India and the US remain the top hacker locations year over year, but their majority is decreasing as hackers across the globe sign up for bug-bounty programs."  

The data is the latest to highlight the growing influence of crowdsourced bug-bounty programs in vulnerability discovery and remediation. HackerOne, like other bug-bounty platforms such as Bugcrowd and Synack, uses crowdsourced ethical hackers from around the world to help clients discover security vulnerabilities in their systems.

In recent years, thousands of private- and public-sector organizations have signed up with such platforms in a bid to uncover security vulnerabilities they might have missed otherwise. Last year, bug-bounty programs accounted for some 8% of all publicly disclosed vulnerabilities — up substantially from 5.8% in 2017, according to a recent report from Risk Based Security. In fact, the SECURE Technology Act (HR 7327), which President Trump signed into law last December, even authorizes the US Department of Homeland Security to establish a program that will let ethical hackers report bugs in federal government systems.

HackerOne's data shows that American and Canadian organizations are the most active users of such programs, at least based on share of bounties paid so far. They are followed by entities in the UK, Germany, Russia, and Singapore.

US government organizations have been especially enthusiastic users of the program, Tucker says. "In the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity," he says.

Tucker points to US Department of Defense programs, such as Hack the Pentagon and Hack the Army, which are conducted in partnership with HackerOne, as examples of the types of initiatives government organizations are taking with the crowdsourced vulnerability model.

It's not just enterprise organizations that are benefiting from the programs. Bug-bounty platforms are proving to be a very effective way for countless independent ethical hackers around the world to monetize their enthusiasm for bug hunting, as well.

Some top hackers in HackerOne's programs are making 40 times the median annual wage for security engineers in their home countries, according to the company. In the US, top earners last year made over six times the median annual salary of a software engineer based on salary estimates derived from PayScale.

A few researchers in the HackerOne program earned as much as $100,000 for disclosing a single critical bug. One hacker became the first under the program to top $1 million in bug bounties. Dozens of HackerOne clients also have hired security researchers they met through the program.

"We found that bug-bounty hackers are not in it just for the money, but we know those that are can make an impressive living," Tucker says.

Bug-bounty programs offer competitive rewards but are not focused on competing with other markets on price alone, he says. Bug discoverers can sometimes make substantially more money sharing their information with so-called gray market buyers, which can include intelligence agencies and government.

"[But] the hackers that report vulnerabilities to bug-bounty programs are in it for the resume they can build, the relationships, the challenge, and the recognition," Tucker says. "You lose all of this and gain a lot of uncertainty with other markets."

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
CVE-2019-16393
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
CVE-2019-16394
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.