Bug bounties continue to rise as more companies take part in crowdsourced challenges to attract security-minded freelancers and hackers to analyze their code, but the opportunities to profit typically fall to only a very small fraction of participants, according to security-program management firm HackerOne.
In its latest annual "Hacker-Powered Security Report," the company found the average bounty paid to bug finders jumped to $3,384 for critical vulnerabilities, a 48% increase over the previous year's average, with cryptocurrency and blockchain companies paying the most — $6,124, on average. In the past 12 months, more than 30,000 security issues were reported to HackerOne's clients, which awarded vulnerability researchers with more than $21 million.
Yet of the more than half-million hackers that have signed up for a HackerOne-managed challenge, only about 5,000 are really doing well, says CEO Marten Mickos.
"We have this enormous hacker community of half a million who are engaged and trying and competing," he says. "It is a very small minority that rises to the top, and that is intentional."
The report underscores the success of the bug-bounty model as a way to catch vulnerabilities in products and services. More than 1,400 organizations use HackerOne's service and 1,200 use the crowdsourced security service of rival Bugcrowd, according to each firm's tally. More than a quarter of HackerOne's programs are for Internet and online services, and another 20% consist of computer software firms. However, financial services and media companies make up a significant part — more than 7% each — of the market.
Yet for the vast majority of interested researchers, the contest model does not work out. HackerOne boasts a half-dozen participants who have made more than $1 million on its platform, and another seven who have hit more than $500,000 in lifetime earnings — a tiny fraction of the more than 500,000 people who have signed up.
Mickos compares the winnowing of the competitive field to the struggle of becoming a movie star in Hollywood or going pro in basketball.
"Everyone plays basketball after school, but not everyone makes it the NBA," he says. "We need to have the broadest community to find those very few unique individuals who have the curiosity, the aptitude, the interest, the discipline to succeed."
The overall rise in bug bounties comes as no surprise. In its own report, crowdsourced-security firm Bugcrowd saw payouts for security issues through its own programs rise 83%, with bounties for critical vulnerabilities up 27% to $2,670. The most lucrative payouts in Bugcrowd's analysis were from Internet of Things manufacturers, which paid an average of $8,556 per critical vulnerability.
Part of the reason for the rise is that companies are paying more to find more difficult classes of bugs, according to both HackerOne and Bugcrowd.
"Looking at the data, 4 out of 5 of the top VRT (vulnerability rating taxonomy) classes for 2018 revolve around vulnerabilities that are difficult, if not impossible, for any machine to find," Bugcrowd stated in its Priority One report.
Both Microsoft and Google have recently raised their bounties. In July, for example, Google raised the maximum payouts for several classes of vulnerabilities in its services and products, with the maximum baseline reward jumping to $15,000 from $5,000. And earlier this year, Zerodium, which sells exploits to governments to allow them to surveil citizens, raised its reward for an exploit chain, which strings several vulnerabilities together to compromise a particular program or operating system, to $2 million for Apple's iOS operating system.
Yet those rewards are only for finding the most lucrative vulnerabilities. Only 7% of issues found in HackerOne programs were critical, with another 18% considered to be of high severity. The vast majority of vulnerabilities — 75% — were of low or medium severity. While the average bounty across the HackerOne platform rose 65% in the past 12 months, finding those vulnerabilities are far less lucrative.
The four industries that paid the highest bounties were cryptocurrency and blockchain companies, which paid $6,124 for critical issues; Internet and online service firms, which paid $4,973; aviation and aerospace firms, which paid $4,500; and electronics and semiconductor firms, which paid $4,398.
While rewards for most bugs continue to be low, the lure of bug-bounty competitions could play a significant role in attracting better talent to cybersecurity, which is in need of more personnel.
"Out of that 500,000, maybe 50,000 will keep hacking, maybe 5,000 will become security professionals, and, out of that, maybe 500 will become CISOs," Mickos says. "The nice thing is it will happen automatically. We are driving it by making it very attractive to young people to learn in our ranks."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Fuzzing 101: Why Bug-Finders Still Love It After All These Years."