Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

checkLoop 1checkLoop 2checkLoop 3
1/31/2017
05:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Google Paid $3 Million To Bug Hunters In 2016

Search engine giant an example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because of their effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.

"One factor is that security consultancies had gotten lazy," Pescatore says. Many of them conduct their app testing engagements using medium-skilled consultants who run off the shelf tools, add very little value and produce a cut-and-paste, largely boilerplate report.

"For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value," Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

"Just saying 'pound on my website, if you find something I’ll give you a prize' leads to some vulnerabilities being found, but many false positives," Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will also not be sold to other bidders, including organized crime. "The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent," Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and service are now also eligible targets for bug hunting, including Nest and Google OnHub, Nava said.

"I think it is great that companies see this as essentially an extension of their security quality assurance programs," says Pete Lindstrom, an analyst with UDC. "Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HardenStance
50%
50%
HardenStance,
User Rank: Strategist
2/3/2017 | 8:58:58 AM
A double edge sword
They're a double edged sword these bug bounties. Wasn't it a young hacker out to identify iPhone vulnerabilities that ended up inadvertently flooding a number of PSAPs with bogus calls at the end of last year? Sometimes feels like what these bug bounties give with one hand is only a bit more than what they take with the other.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...
checkLoop 4