Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/23/2019
02:55 PM
50%
50%

Bug Bounties Continue to Rise as Google Boosts its Payouts

Reward for vulnerability research climbed 83% in the past year.

Bug bounties just got another boost.  

On July 18, Google announced it had raised its payout for vulnerabilities found in its Web services, Chrome operating system, and Android software, including tripling the maximum baseline reward to $15,000 from $5,000 and doubling the maximum reward for "high quality report" to $30,000, from $15,000.

The company also bumped up its top reward — for a complete chain of exploits that results in code execution on a Chromebook — to $150,000.

Google is not alone. Other companies are either raising their bounties or facing a trend of needing to increase bounties to attract researchers. The average vulnerability payout increased by 83%, with critical vulnerability payouts reaching and average of $2,700, according to Casey Ellis, chief technology officer with vulnerability research crowdsourcing firm Bugcrowd. 

"From a numbers standpoint, things are continuing to trend up and to the right in terms of the average severity of the issues and in terms of the incentives that are being used to attract those issues," he says.

A decade ago, companies argued over the appropriateness of paying hackers and security researchers a reward for reporting vulnerabilities. Now, the payouts for security security issues regularly surpass $1,000 and often exceed $10,000. 

In 2018, for example, ethical hackers made $19 million through HackerOne's vulnerability-program management platform, compared to $11.7 million the prior year. Among those companies that launched their first bounty programs in the last year are Hyatt Hotels and Postmates, the company said. 

"We continue to see more bug bounty programs launching and with that increased hacker engagement as some are motivated by higher bounties awards," says Miju Han, director of product management for HackerOne.

More recent research has shown that bug bounties can help companies improve their security. In a paper presented at the Workshop on the Economics of Information Security in June, two researchers created a model that showed two significant benefits of bug bounty programs: diverting certain types of hackers away from attack their systems, and convincing attackers to cooperate with the company. 

An important finding is that a bug bounty program only works to recruit white-hat hacker talent if the company also has an in-house security program aimed at protecting its assets. If the organization cuts back too much on security, then the bug bounty program will not be able to make up the difference. In addition, companies with valuable assets may not be able to dissuade hackers from going after their digital goods, the researchers found. 

"[T]he bug bounty program is not a one-size-fits-all solution," Jiali Zhou and Kail-Lung Huii, both researchers from Hong Kong University of Science and Technology, stated in the paper. "Firms do need to evaluate their own security environment, the value and vulnerability of their systems, and in-house protection strategies to make better use of bug bounty programs."

Yet, the reason behind the roughly annual doubling of average bounties — up 73% last year and 83% this year, according to Bugcrowd — is unclear. While platformssuch as Microsoft Windows operating system and Google's Chrome OS have been hardened over the years and thus are much more difficult to plumb for system-compromising security issues, other new software frameworks have become targets for hackers and, thus, good candidates for bug bounties. 

The end result is a marketplace that has not yet found its equilibrium point, or even neared it, Bugcrowd's Ellis says.

"Supply and demand and making sure the marketplace is attractive enough and liquid enough to keep everyone happy and engaged is one part of it," he says. "Apart from that, there is the idea that more critical issues continue to be more rare and more difficult to find and exploit."

The latest boost to Google's bounties is a sign of that, he says. 

$5 Million in Bounties

Google was among the first major companies to offer rewards for information on its vulnerabilities. The company, whose program started in 2010, has paid out more than $5 million to date for over 8,500 bug reports in its Chrome browser and operating system. In 2018, 51% of the vulnerabilities reported to Google were Web-based issues, Artur Janc, staff information security engineer at Google, said a May 2019 presentation at the Google IO developer conference.

"The majority of the vulnerabilities that we see at Google ... are Web issues— flaws that allow an attacker to attack users who are logged into our services and extract or modify some of the data that they have," Janc said.

Like Bugcrowd and HackerOne, Google is seeing an accelerating marketplace for vulnerability information. In 2018, all three companies gave out their highest amount of awards. In 2018, Google awarded $3.4 million in bug bounties to 317 researchers for 1,319 different vulnerabilities. For comparison, the Google Vulnerability Rewards Program paid out $15 million over the past 10 years. 

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...