Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats // Vulnerability Management

8/29/2019 12:10 PM

Bug Bounties Continue to Rise, but Market Has Its Own 1% Problem

The average payout for a critical vulnerability has almost reached $3,400, but only the top bug hunters of a field of 500,000 are truly profiting.

Bug bounties continue to rise as more companies take part in crowdsourced challenges to attract security-minded freelancers and hackers to analyze their code, but the opportunities to profit typically fall to only a very small fraction of participants, according to security-program management firm HackerOne.

In its latest annual "Hacker-Powered Security Report," the company found the average bounty paid to bug finders jumped to $3,384 for critical vulnerabilities, a 48% increase over the previous year's average, with cryptocurrency and blockchain companies paying the most — $6,124, on average. In the past 12 months, more than 30,000 security issues were reported to HackerOne's clients, which paid vulnerability researchers more than $21 million.

Yet of the more than half-million hackers that have signed up for a HackerOne-managed challenge, only about 5,000 are really doing well, says CEO Marten Mickos.

"We have this enormous hacker community of half a million who are engaged and trying and competing," he says. "It is a very small minority that rises to the top, and that is intentional."

The report underscores the success of the bug-bounty model as a way to catch vulnerabilities in products and services. More than 1,400 organizations use HackerOne's service and 1,200 use the crowdsourced security service of rival Bugcrowd, according to each firm's tally. More than a quarter of HackerOne's programs are for Internet and online services, and another 20% consist of computer software firms. However, financial services and media companies make up a significant part — more than 7% each — of the market.

Yet for the vast majority of interested researchers, the contest model does not work out. HackerOne boasts a half-dozen participants who have made more than $1 million on its platform, and another seven who have hit more than $500,000 in lifetime earnings — a tiny fraction of the more than 500,000 people who have signed up.

Mickos compares the winnowing of the competitive field to the struggle of becoming a movie star in Hollywood or going pro in basketball.

"Everyone plays basketball after school, but not everyone makes it to the NBA," he says. "We need to have the broadest community to find those very few unique individuals who have the curiosity, the aptitude, the interest, the discipline to succeed."

The overall rise in bug bounties comes as no surprise. In its own report, crowdsourced-security firm Bugcrowd saw payouts for security issues through its own programs rise 83%, with bounties for critical vulnerabilities up 27% to $2,670. The most lucrative payouts in Bugcrowd's analysis were from Internet of Things manufacturers, which paid an average of $8,556 per critical vulnerability.

Part of the reason for the rise is that companies are paying more to find more difficult classes of bugs, according to both HackerOne and Bugcrowd. 

"Looking at the data, 4 out of 5 of the top VRT (vulnerability rating taxonomy) classes for 2018 revolve around vulnerabilities that are difficult, if not impossible, for any machine to find," Bugcrowd stated in its Priority One report.

Both Microsoft and Google have recently raised their bounties. In July, for example, Google raised the maximum payouts for several classes of vulnerabilities in its services and products, with the maximum baseline reward jumping to $15,000 from $5,000. And earlier this year, Zerodium, which sells exploits to governments to allow them to surveil citizens, raised its reward for an exploit chain, which strings several vulnerabilities together to compromise a particular program or operating system, to $2 million for Apple's iOS operating system.

Yet those top-tier rewards apply only to the most severe vulnerabilities. Only 7% of issues found in HackerOne programs were critical, with another 18% considered to be of high severity. The vast majority of vulnerabilities — 75% — were of low or medium severity. While the average bounty across the HackerOne platform rose 65% in the past 12 months, finding those lower-severity vulnerabilities is far less lucrative.

The four industries that paid the highest bounties were cryptocurrency and blockchain companies, which paid $6,124 for critical issues; Internet and online service firms, which paid $4,973; aviation and aerospace firms, which paid $4,500; and electronics and semiconductor firms, which paid $4,398.

While rewards for most bugs continue to be low, the lure of bug-bounty competitions could play a significant role in attracting better talent to cybersecurity, which is in need of more personnel. 

"Out of that 500,000, maybe 50,000 will keep hacking, maybe 5,000 will become security professionals, and, out of that, maybe 500 will become CISOs," Mickos says. "The nice thing is it will happen automatically. We are driving it by making it very attractive to young people to learn in our ranks."
