Bug bounties just got another boost.
On July 18, Google announced it had raised its payout for vulnerabilities found in its Web services, Chrome operating system, and Android software, including tripling the maximum baseline reward to $15,000 from $5,000 and doubling the maximum reward for "high quality report" to $30,000, from $15,000.
The company also bumped up its top reward — for a complete chain of exploits that results in code execution on a Chromebook — to $150,000.
Google is not alone. Other companies are either raising their bounties or facing a trend of needing to increase bounties to attract researchers. The average vulnerability payout increased by 83%, with critical vulnerability payouts reaching and average of $2,700, according to Casey Ellis, chief technology officer with vulnerability research crowdsourcing firm Bugcrowd.
"From a numbers standpoint, things are continuing to trend up and to the right in terms of the average severity of the issues and in terms of the incentives that are being used to attract those issues," he says.
A decade ago, companies argued over the appropriateness of paying hackers and security researchers a reward for reporting vulnerabilities. Now, the payouts for security security issues regularly surpass $1,000 and often exceed $10,000.
In 2018, for example, ethical hackers made $19 million through HackerOne's vulnerability-program management platform, compared to $11.7 million the prior year. Among those companies that launched their first bounty programs in the last year are Hyatt Hotels and Postmates, the company said.
"We continue to see more bug bounty programs launching and with that increased hacker engagement as some are motivated by higher bounties awards," says Miju Han, director of product management for HackerOne.
More recent research has shown that bug bounties can help companies improve their security. In a paper presented at the Workshop on the Economics of Information Security in June, two researchers created a model that showed two significant benefits of bug bounty programs: diverting certain types of hackers away from attack their systems, and convincing attackers to cooperate with the company.
An important finding is that a bug bounty program only works to recruit white-hat hacker talent if the company also has an in-house security program aimed at protecting its assets. If the organization cuts back too much on security, then the bug bounty program will not be able to make up the difference. In addition, companies with valuable assets may not be able to dissuade hackers from going after their digital goods, the researchers found.
"[T]he bug bounty program is not a one-size-fits-all solution," Jiali Zhou and Kail-Lung Huii, both researchers from Hong Kong University of Science and Technology, stated in the paper. "Firms do need to evaluate their own security environment, the value and vulnerability of their systems, and in-house protection strategies to make better use of bug bounty programs."
Yet, the reason behind the roughly annual doubling of average bounties — up 73% last year and 83% this year, according to Bugcrowd — is unclear. While platformssuch as Microsoft Windows operating system and Google's Chrome OS have been hardened over the years and thus are much more difficult to plumb for system-compromising security issues, other new software frameworks have become targets for hackers and, thus, good candidates for bug bounties.
The end result is a marketplace that has not yet found its equilibrium point, or even neared it, Bugcrowd's Ellis says.
"Supply and demand and making sure the marketplace is attractive enough and liquid enough to keep everyone happy and engaged is one part of it," he says. "Apart from that, there is the idea that more critical issues continue to be more rare and more difficult to find and exploit."
The latest boost to Google's bounties is a sign of that, he says.
$5 Million in Bounties
Google was among the first major companies to offer rewards for information on its vulnerabilities. The company, whose program started in 2010, has paid out more than $5 million to date for over 8,500 bug reports in its Chrome browser and operating system. In 2018, 51% of the vulnerabilities reported to Google were Web-based issues, Artur Janc, staff information security engineer at Google, said a May 2019 presentation at the Google IO developer conference.
"The majority of the vulnerabilities that we see at Google ... are Web issues— flaws that allow an attacker to attack users who are logged into our services and extract or modify some of the data that they have," Janc said.
Like Bugcrowd and HackerOne, Google is seeing an accelerating marketplace for vulnerability information. In 2018, all three companies gave out their highest amount of awards. In 2018, Google awarded $3.4 million in bug bounties to 317 researchers for 1,319 different vulnerabilities. For comparison, the Google Vulnerability Rewards Program paid out $15 million over the past 10 years.