
Vulnerability Disclosure Programs See Signups & Payouts Surge

More than $44.75 million in rewards were paid to hackers over the past year, driving total payouts beyond $100 million.

Security researchers have been busy over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting vulnerability disclosure programs (VDPs), experts say, and they're paying hackers more for the critical flaws they find. 

HackerOne today published its fourth annual Hacker Powered Security Report, which takes a closer look at trends in VDPs and the businesses adopting them. Hackers have discovered more than 180,000 vulnerabilities via HackerOne, and one-third of those were reported in the past year alone as more businesses pursue VDPs to better secure all parts of their environment.


Data indicates more organizations across industries are interested in launching these programs. VDPs are most common in computer software as well as Internet and online services, which together make up nearly half of all programs and paid more than 72% of all bounties in the past year. Now, experts see multiple industries with more than 200% program growth year-over-year: computer hardware (250%), consumer goods (243%), education (200%), and healthcare (200%). 

"They're all industries that are increasingly dependent on technology," says Alex Rice, HackerOne's co-founder and CTO. While all had demonstrated VDP growth in the past, this marks the first time that researchers have seen this level of more than 200% growth across every sector.

What's driving the surge? Rice says the increase in VDPs can largely be attributed to two key factors: normalization of VDPs and an increase in mandates from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST).

"I think the norms have been slowly shifting over the last few years," Rice says. "There was a long period of time when organizations could get away with just ignoring reports, threatening cease-and-desist letters, getting by on silence." This was usually enough to make researchers step back, but "that has been changing a lot." Now, those who have a bad disclosure experience, or see someone ignore a security report, are more comfortable coming forward.

"It's beginning to be viewed as negligence, and I think that's exactly how it should be viewed," he says of organizations that refuse to act on reported vulnerabilities.

Late last year, CISA published a binding operational directive mandating most executive branch agencies to create a vulnerability disclosure program. Following feedback, CISA recently issued the final version of BOD 20-01, in which it says VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."

The increase of vulnerability programs is encouraging greater participation from the hacker community. Much of the participation spike is related to programs kicking off, especially within industries where security researchers are already active or interested.

"The biggest source of driving new hackers into these programs is brands that those hackers love sanctioning this activity," Rice says.

Remote Businesses Rethink VDP Strategy
Businesses supporting a greater number of remote employees have begun to rethink their VDPs and make wider swaths of their corporate infrastructure available to test, Rice says. And more hackers are interested: HackerOne saw new hacker signups increase 59%, and submitted bug reports grow by 28%, in the months immediately following the start of the coronavirus pandemic.

"The most interesting thing that happened over the last few months was programs have been very deliberate about what's in scope," he explains. Many have begun to expand and include attack surface that wouldn't have been included in the past. Those who opened up work-from-home or remote attack scenarios have learned the mistakes they made in transitioning quickly.

Historically, most VDPs have focused incentives on customer-facing assets and attack surface. Early efforts wanted to protect customers and users; that's where their efforts were focused. Now, they're curious about holes in third-party systems or applications meant for employees. Many programs have expanded to include back-end business support systems.

While this is a "natural evolution" of VDPs, it usually takes a long time for companies to arrive at this stage, Rice says. Before COVID-19, only a handful of HackerOne's customers, such as Facebook and Twitter, included VPN infrastructure in the scope of their VDP policies.

"It was nowhere near the norm, and that's quickly become the norm over the past few months," he continues. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter." 

This change is reflected in the most common types of vulnerabilities disclosed in the past year, HackerOne reports. Cross-site scripting (24%) was the most common flaw reported, taking the top spot from information disclosure (18%), which fell in second place. Other reported flaws include improper access control (10%), improper authentication (6%), and open redirect (6%).

Improper access control vulnerabilities have increased in volume and criticality, says Rice, and organizations are treating them with greater urgency. In addition, they're updating instructions for hackers in the community to communicate the risks they're currently worried about.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

9/28/2020 | 10:17:03 PM
VDP is not Bug Bounty
I found this website via https://bugbountycoi.org/2020/09/29/call-a-duck-a-duck-not-a-bug-bounty/ . As someone that previously ran 4 Bug Bounty programs at the same time, I can agree that VDP != Bug Bounty.