Dark Reading is part of the Informa Tech Division of Informa PLC

8/29/2019
12:10 PM

Bug Bounties Continue to Rise, but Market Has Its Own 1% Problem

The average payout for a critical vulnerability has almost reached $3,400, but only the top bug hunters of a field of 500,000 are truly profiting.

Bug bounties continue to rise as more companies take part in crowdsourced challenges to attract security-minded freelancers and hackers to analyze their code, but the opportunities to profit typically fall to only a very small fraction of participants, according to security-program management firm HackerOne.

In its latest annual "Hacker-Powered Security Report," the company found that the average bounty paid for a critical vulnerability rose to $3,384, a 48% increase over the previous year's average, with cryptocurrency and blockchain companies paying the most: $6,124 on average. In the past 12 months, more than 30,000 security issues were reported to HackerOne's clients, which paid vulnerability researchers more than $21 million in total.

Yet of the more than half-million hackers who have signed up for a HackerOne-managed challenge, only about 5,000 are doing well financially, says CEO Marten Mickos.

"We have this enormous hacker community of half a million who are engaged and trying and competing," he says. "It is a very small minority that rises to the top, and that is intentional."

The report underscores the success of the bug-bounty model as a way to catch vulnerabilities in products and services. More than 1,400 organizations use HackerOne's service and 1,200 use the crowdsourced security service of rival Bugcrowd, according to each firm's own tally. More than a quarter of HackerOne's programs are run by Internet and online service companies, and another 20% by computer software firms. Financial services and media companies also make up a significant share of the market, at more than 7% each.

Yet for the vast majority of interested researchers, the contest model does not work out. HackerOne boasts a half-dozen participants who have made more than $1 million on its platform, and another seven who have hit more than $500,000 in lifetime earnings — a tiny fraction of the more than 500,000 people who have signed up.

Mickos compares the winnowing of the competitive field to the struggle of becoming a movie star in Hollywood or going pro in basketball.

"Everyone plays basketball after school, but not everyone makes it to the NBA," he says. "We need to have the broadest community to find those very few unique individuals who have the curiosity, the aptitude, the interest, the discipline to succeed."

The overall rise in bug bounties comes as no surprise. In its own report, crowdsourced-security firm Bugcrowd saw payouts for security issues through its own programs rise 83%, with bounties for critical vulnerabilities up 27% to $2,670. The most lucrative payouts in Bugcrowd's analysis were from Internet of Things manufacturers, which paid an average of $8,556 per critical vulnerability.

Part of the reason for the rise is that companies are paying more to find more difficult classes of bugs, according to both HackerOne and Bugcrowd. 

"Looking at the data, 4 out of 5 of the top VRT (vulnerability rating taxonomy) classes for 2018 revolve around vulnerabilities that are difficult, if not impossible, for any machine to find," Bugcrowd stated in its Priority One report.

Both Microsoft and Google have recently raised their bounties. In July, for example, Google raised the maximum payouts for several classes of vulnerabilities in its services and products, with the maximum baseline reward jumping to $15,000 from $5,000. And earlier this year, Zerodium, which sells exploits to governments to allow them to surveil citizens, raised its reward for an exploit chain, which strings several vulnerabilities together to compromise a particular program or operating system, to $2 million for Apple's iOS operating system.

Yet those rewards apply only to the most severe vulnerabilities. Only 7% of the issues found in HackerOne programs were rated critical, with another 18% rated high severity. The vast majority, 75%, were of low or medium severity. While the average bounty across the HackerOne platform rose 65% in the past 12 months, finding those lower-severity vulnerabilities is far less lucrative.

The four industries that paid the highest bounties were cryptocurrency and blockchain companies, which paid $6,124 for critical issues; Internet and online service firms, which paid $4,973; aviation and aerospace firms, which paid $4,500; and electronics and semiconductor firms, which paid $4,398.

While rewards for most bugs continue to be low, the lure of bug-bounty competitions could play a significant role in attracting better talent to cybersecurity, which is in need of more personnel. 

"Out of that 500,000, maybe 50,000 will keep hacking, maybe 5,000 will become security professionals, and, out of that, maybe 500 will become CISOs," Mickos says. "The nice thing is it will happen automatically. We are driving it by making it very attractive to young people to learn in our ranks."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...