

Vulnerability Disclosure Programs See Signups & Payouts Surge

More than $44.75 million in rewards were paid to hackers over the past year, driving total payouts beyond $100 million.

Security researchers have been busy over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting vulnerability disclosure programs (VDPs), experts say, and they're paying hackers more for the critical flaws they find. 

HackerOne today published its fourth annual Hacker Powered Security Report, which takes a closer look at trends in VDPs and the businesses adopting them. Hackers have discovered more than 180,000 vulnerabilities via HackerOne, and one-third of those were reported in the past year alone as more businesses pursue VDPs to better secure all parts of their environment.


Data indicates more organizations across industries are interested in launching these programs. VDPs are most common in computer software as well as Internet and online services, which together make up nearly half of all programs and paid more than 72% of all bounties in the past year. Now, experts see multiple industries with more than 200% program growth year-over-year: computer hardware (250%), consumer goods (243%), education (200%), and healthcare (200%). 

"They're all industries that are increasingly dependent on technology," says Alex Rice, HackerOne's co-founder and CTO. While all had demonstrated VDP growth in the past, this marks the first time that researchers have seen this level of more than 200% growth across every sector.

What's driving the surge? Rice says the increase in VDPs can largely be attributed to two key factors: normalization of VDPs and an increase in mandates from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST).

"I think the norms have been slowly shifting over the last few years," Rice says. "There was a long period of time when organizations could get away with just ignoring reports, threatening cease-and-desist letters, getting by on silence." This was usually enough to make researchers step back, but "that has been changing a lot." Now, those who have a bad disclosure experience, or see someone ignore a security report, are more comfortable coming forward.

"It's beginning to be viewed as negligence, and I think that's exactly how it should be viewed," he says of organizations that refuse to act on reported vulnerabilities.

Late last year, CISA published a binding operational directive requiring most executive branch agencies to create a vulnerability disclosure program. Following feedback, CISA recently issued the final version of BOD 20-01, in which it says VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."

The increase in vulnerability disclosure programs is encouraging greater participation from the hacker community. Much of the participation spike is related to new programs launching, especially within industries where security researchers are already active or interested.

"The biggest source of driving new hackers into these programs is brands that those hackers love sanctioning this activity," Rice says.

Remote Businesses Rethink VDP Strategy
Businesses supporting a greater number of remote employees have begun to rethink their VDPs and make wider swaths of their corporate infrastructure available to test, Rice says. And more hackers are interested: HackerOne saw new hacker signups increase 59%, and submitted bug reports grow by 28%, in the months immediately following the start of the coronavirus pandemic.

"The most interesting thing that happened over the last few months was programs have been very deliberate about what's in scope," he explains. Many have begun to expand and include attack surface that wouldn't have been included in the past. Those who opened up work-from-home or remote attack scenarios have learned the mistakes they made in transitioning quickly.

Historically, most VDPs have focused their incentives on customer-facing assets and attack surface, because early efforts were aimed at protecting customers and users. Now, organizations are also curious about holes in third-party systems and in applications meant for employees, and many programs have expanded to include back-end business support systems.

While this is a "natural evolution" of VDPs, it usually takes a long time for companies to arrive at this stage, Rice says. Before COVID-19, only a handful of HackerOne's customers, such as Facebook and Twitter, included VPN infrastructure in the scope of their VDP policies.

"It was nowhere near the norm, and that's quickly become the norm over the past few months," he continues. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter." 

This change is reflected in the most common types of vulnerabilities disclosed in the past year, HackerOne reports. Cross-site scripting (24%) was the most commonly reported flaw, taking the top spot from information disclosure (18%), which fell to second place. Other frequently reported flaws include improper access control (10%), improper authentication (6%), and open redirect (6%).

Improper access control vulnerabilities have increased in volume and criticality, says Rice, and organizations are treating them with greater urgency. In addition, they're updating instructions for hackers in the community to communicate the risks they're currently worried about.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Apprentice
9/28/2020 | 10:17:03 PM
VDP is not Bug Bounty


I found this website via https://bugbountycoi.org/2020/09/29/call-a-duck-a-duck-not-a-bug-bounty/ . As someone that previously ran 4 Bug Bounty programs at the same time, I can agree that VDP != Bug Bounty.

