
Vulnerabilities / Threats

7/23/2019
02:55 PM

Bug Bounties Continue to Rise as Google Boosts its Payouts

Reward for vulnerability research climbed 83% in the past year.

Bug bounties just got another boost.  

On July 18, Google announced it had raised its payouts for vulnerabilities found in its Web services, Chrome operating system, and Android software, including tripling the maximum baseline reward to $15,000 from $5,000 and doubling the maximum reward for a "high quality report" to $30,000 from $15,000.

The company also bumped up its top reward — for a complete chain of exploits that results in code execution on a Chromebook — to $150,000.

Google is not alone. Other companies are either raising their bounties or facing a trend of needing to increase bounties to attract researchers. The average vulnerability payout increased by 83%, with critical vulnerability payouts reaching an average of $2,700, according to Casey Ellis, chief technology officer with vulnerability research crowdsourcing firm Bugcrowd.

"From a numbers standpoint, things are continuing to trend up and to the right in terms of the average severity of the issues and in terms of the incentives that are being used to attract those issues," he says.

A decade ago, companies argued over the appropriateness of paying hackers and security researchers a reward for reporting vulnerabilities. Now, the payouts for security issues regularly surpass $1,000 and often exceed $10,000.

In 2018, for example, ethical hackers made $19 million through HackerOne's vulnerability-program management platform, compared to $11.7 million the prior year. Among those companies that launched their first bounty programs in the last year are Hyatt Hotels and Postmates, the company said. 

"We continue to see more bug bounty programs launching and with that increased hacker engagement, as some are motivated by higher bounty awards," says Miju Han, director of product management for HackerOne.

More recent research has shown that bug bounties can help companies improve their security. In a paper presented at the Workshop on the Economics of Information Security in June, two researchers created a model that showed two significant benefits of bug bounty programs: diverting certain types of hackers away from attacking their systems, and convincing attackers to cooperate with the company.

An important finding is that a bug bounty program only works to recruit white-hat hacker talent if the company also has an in-house security program aimed at protecting its assets. If the organization cuts back too much on security, then the bug bounty program will not be able to make up the difference. In addition, companies with valuable assets may not be able to dissuade hackers from going after their digital goods, the researchers found. 

"[T]he bug bounty program is not a one-size-fits-all solution," Jiali Zhou and Kai-Lung Hui, both researchers from Hong Kong University of Science and Technology, stated in the paper. "Firms do need to evaluate their own security environment, the value and vulnerability of their systems, and in-house protection strategies to make better use of bug bounty programs."

Yet, the reason behind the roughly annual doubling of average bounties — up 73% last year and 83% this year, according to Bugcrowd — is unclear. While platforms such as the Microsoft Windows operating system and Google's Chrome OS have been hardened over the years and thus are much more difficult to plumb for system-compromising security issues, other new software frameworks have become targets for hackers and, thus, good candidates for bug bounties.

The end result is a marketplace that has not yet found its equilibrium point, or even neared it, Bugcrowd's Ellis says.

"Supply and demand and making sure the marketplace is attractive enough and liquid enough to keep everyone happy and engaged is one part of it," he says. "Apart from that, there is the idea that more critical issues continue to be more rare and more difficult to find and exploit."

The latest boost to Google's bounties is a sign of that, he says. 

$5 Million in Bounties

Google was among the first major companies to offer rewards for information on its vulnerabilities. The company, whose program started in 2010, has paid out more than $5 million to date for over 8,500 bug reports in its Chrome browser and operating system. In 2018, 51% of the vulnerabilities reported to Google were Web-based issues, Artur Janc, staff information security engineer at Google, said in a May 2019 presentation at the Google I/O developer conference.

"The majority of the vulnerabilities that we see at Google ... are Web issues — flaws that allow an attacker to attack users who are logged into our services and extract or modify some of the data that they have," Janc said.

Like Bugcrowd and HackerOne, Google is seeing an accelerating marketplace for vulnerability information. In 2018, all three companies gave out their highest amount of awards. In 2018, Google awarded $3.4 million in bug bounties to 317 researchers for 1,319 different vulnerabilities. For comparison, the Google Vulnerability Rewards Program paid out $15 million over the past 10 years. 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...