9/22/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge

More than $44.75 million in rewards were paid to hackers over the past year, driving total payouts beyond $100 million.

Security researchers have been busy over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting vulnerability disclosure programs (VDPs), experts say, and they're paying hackers more for the critical flaws they find. 

HackerOne today published its fourth annual Hacker Powered Security Report, which takes a closer look at trends in VDPs and the businesses adopting them. Hackers have discovered more than 180,000 vulnerabilities via HackerOne, and one-third of those were reported in the past year alone as more businesses pursue VDPs to better secure all parts of their environment.


Data indicates more organizations across industries are interested in launching these programs. VDPs are most common in computer software as well as Internet and online services, which together make up nearly half of all programs and paid more than 72% of all bounties in the past year. Now, experts see multiple industries with more than 200% program growth year-over-year: computer hardware (250%), consumer goods (243%), education (200%), and healthcare (200%). 

"They're all industries that are increasingly dependent on technology," says Alex Rice, HackerOne's co-founder and CTO. While all had demonstrated VDP growth in the past, this marks the first time that researchers have seen this level of more than 200% growth across every sector.

What's driving the surge? Rice says the increase in VDPs can largely be attributed to two key factors: normalization of VDPs and an increase in mandates from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST).

"I think the norms have been slowly shifting over the last few years," Rice says. "There was a long period of time when organizations could get away with just ignoring reports, threatening cease-and-desist letters, getting by on silence." This was usually enough to make researchers step back, but "that has been changing a lot." Now, those who have a bad disclosure experience, or see someone ignore a security report, are more comfortable coming forward.

"It's beginning to be viewed as negligence, and I think that's exactly how it should be viewed," he says of organizations that refuse to act on reported vulnerabilities.

Late last year, CISA published a binding operational directive requiring most executive branch agencies to create a vulnerability disclosure program. Following feedback, CISA recently issued the final version of BOD 20-01, in which it says VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."

The increase of vulnerability programs is encouraging greater participation from the hacker community. Much of the participation spike is related to programs kicking off, especially within industries where security researchers are already active or interested.

"The biggest source of driving new hackers into these programs is brands that those hackers love sanctioning this activity," Rice says.

Remote Businesses Rethink VDP Strategy
Businesses supporting a greater number of remote employees have begun to rethink their VDPs and make wider swaths of their corporate infrastructure available to test, Rice says. And more hackers are interested: HackerOne saw new hacker signups increase 59%, and submitted bug reports grow by 28%, in the months immediately following the start of the coronavirus pandemic.

"The most interesting thing that happened over the last few months was programs have been very deliberate about what's in scope," he explains. Many have begun to expand and include attack surface that wouldn't have been included in the past. Those who opened up work-from-home or remote attack scenarios have learned the mistakes they made in transitioning quickly.

Historically, most VDPs have focused their incentives on customer-facing assets and attack surface, because protecting customers and users was the original goal. Now, organizations are also curious about holes in third-party systems and in applications meant for employees, and many programs have expanded to include back-end business support systems.

While this is a "natural evolution" of VDPs, it usually takes a long time for companies to arrive at this stage, Rice says. Before COVID-19, only a handful of HackerOne's customers, such as Facebook and Twitter, included VPN infrastructure in the scope of their VDP policies.

"It was nowhere near the norm, and that's quickly become the norm over the past few months," he continues. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter." 

This change is reflected in the most common types of vulnerabilities disclosed in the past year, HackerOne reports. Cross-site scripting (24%) was the most commonly reported flaw, taking the top spot from information disclosure (18%), which fell to second place. Other frequently reported flaws include improper access control (10%), improper authentication (6%), and open redirect (6%).

Improper access control vulnerabilities have increased in volume and criticality, says Rice, and organizations are treating them with greater urgency. In addition, they're updating instructions for hackers in the community to communicate the risks they're currently worried about.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments

tucfb, User Rank: Apprentice, 9/28/2020 | 10:17:03 PM
VDP is not Bug Bounty

Hi,

I found this website via https://bugbountycoi.org/2020/09/29/call-a-duck-a-duck-not-a-bug-bounty/ . As someone who previously ran 4 Bug Bounty programs at the same time, I can agree that VDP != Bug Bounty.

Tuc