Dark Reading is part of the Informa Tech Division of Informa PLC
1/31/2017
05:10 PM
Google Paid $3 Million To Bug Hunters In 2016

Search engine giant an example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because of its effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.

"One factor is that security consultancies had gotten lazy," Pescatore says. Many of them conduct their application testing engagements using medium-skilled consultants who run off-the-shelf tools, add very little value, and produce a cut-and-paste, largely boilerplate report.

"For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value," Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

"Just saying 'pound on my website, if you find something I’ll give you a prize' leads to some vulnerabilities being found, but many false positives," Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will not also be sold to other bidders, including organized crime. "The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent," Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and services are now also eligible targets for bug hunting, including Nest and Google OnHub, Vela Nava said.

"I think it is great that companies see this as essentially an extension of their security quality assurance programs," says Pete Lindstrom, an analyst with IDC. "Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
HardenStance, User Rank: Strategist
2/3/2017 | 8:58:58 AM
A double-edged sword
They're a double-edged sword, these bug bounties. Wasn't it a young hacker out to identify iPhone vulnerabilities who ended up inadvertently flooding a number of PSAPs with bogus calls at the end of last year? Sometimes it feels like what these bug bounties give with one hand is only a bit more than what they take with the other.