7/23/2019
02:55 PM

Bug Bounties Continue to Rise as Google Boosts its Payouts

Reward for vulnerability research climbed 83% in the past year.

Bug bounties just got another boost.  

On July 18, Google announced it had raised its payout for vulnerabilities found in its Web services, Chrome operating system, and Android software, including tripling the maximum baseline reward to $15,000 from $5,000 and doubling the maximum reward for "high quality report" to $30,000, from $15,000.

The company also bumped up its top reward — for a complete chain of exploits that results in code execution on a Chromebook — to $150,000.

Google is not alone. Other companies are either raising their bounties or facing a trend of needing to increase bounties to attract researchers. The average vulnerability payout increased by 83%, with critical vulnerability payouts reaching an average of $2,700, according to Casey Ellis, chief technology officer with vulnerability research crowdsourcing firm Bugcrowd.

"From a numbers standpoint, things are continuing to trend up and to the right in terms of the average severity of the issues and in terms of the incentives that are being used to attract those issues," he says.

A decade ago, companies argued over the appropriateness of paying hackers and security researchers a reward for reporting vulnerabilities. Now, the payouts for security issues regularly surpass $1,000 and often exceed $10,000.

In 2018, for example, ethical hackers made $19 million through HackerOne's vulnerability-program management platform, compared to $11.7 million the prior year. Among those companies that launched their first bounty programs in the last year are Hyatt Hotels and Postmates, the company said. 

"We continue to see more bug bounty programs launching and with that increased hacker engagement as some are motivated by higher bounties awards," says Miju Han, director of product management for HackerOne.

More recent research has shown that bug bounties can help companies improve their security. In a paper presented at the Workshop on the Economics of Information Security in June, two researchers created a model that showed two significant benefits of bug bounty programs: diverting certain types of hackers away from attacking their systems, and convincing attackers to cooperate with the company.

An important finding is that a bug bounty program only works to recruit white-hat hacker talent if the company also has an in-house security program aimed at protecting its assets. If the organization cuts back too much on security, then the bug bounty program will not be able to make up the difference. In addition, companies with valuable assets may not be able to dissuade hackers from going after their digital goods, the researchers found. 

"[T]he bug bounty program is not a one-size-fits-all solution," Jiali Zhou and Kai-Lung Hui, both researchers from Hong Kong University of Science and Technology, stated in the paper. "Firms do need to evaluate their own security environment, the value and vulnerability of their systems, and in-house protection strategies to make better use of bug bounty programs."

Yet, the reason behind the roughly annual doubling of average bounties — up 73% last year and 83% this year, according to Bugcrowd — is unclear. While platforms such as the Microsoft Windows operating system and Google's Chrome OS have been hardened over the years and thus are much more difficult to plumb for system-compromising security issues, other new software frameworks have become targets for hackers and, thus, good candidates for bug bounties.

The end result is a marketplace that has not yet found its equilibrium point, or even neared it, Bugcrowd's Ellis says.

"Supply and demand and making sure the marketplace is attractive enough and liquid enough to keep everyone happy and engaged is one part of it," he says. "Apart from that, there is the idea that more critical issues continue to be more rare and more difficult to find and exploit."

The latest boost to Google's bounties is a sign of that, he says. 

$5 Million in Bounties

Google was among the first major companies to offer rewards for information on its vulnerabilities. The company, whose program started in 2010, has paid out more than $5 million to date for over 8,500 bug reports in its Chrome browser and operating system. In 2018, 51% of the vulnerabilities reported to Google were Web-based issues, Artur Janc, staff information security engineer at Google, said in a May 2019 presentation at the Google I/O developer conference.

"The majority of the vulnerabilities that we see at Google ... are Web issues — flaws that allow an attacker to attack users who are logged into our services and extract or modify some of the data that they have," Janc said.

Like Bugcrowd and HackerOne, Google is seeing an accelerating marketplace for vulnerability information. In 2018, all three companies paid out their highest annual total of awards to date. That year, Google awarded $3.4 million in bug bounties to 317 researchers for 1,319 different vulnerabilities. For comparison, the Google Vulnerability Rewards Program paid out $15 million over the past 10 years.
