Security researchers have been busy over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting vulnerability disclosure programs (VDPs), experts say, and they're paying hackers more for the critical flaws they find.
HackerOne today published its fourth annual Hacker Powered Security Report, which takes a closer look at trends in VDPs and the businesses adopting them. Hackers have discovered more than 180,000 vulnerabilities via HackerOne, and one-third of those were reported in the past year alone as more businesses pursue VDPs to better secure all parts of their environment.
Data indicates more organizations across industries are interested in launching these programs. VDPs are most common in computer software as well as Internet and online services, which together make up nearly half of all programs and paid more than 72% of all bounties in the past year. Now, experts see multiple industries with more than 200% program growth year-over-year: computer hardware (250%), consumer goods (243%), education (200%), and healthcare (200%).
"They're all industries that are increasingly dependent on technology," says Alex Rice, HackerOne's co-founder and CTO. While each of these industries had shown VDP growth before, this is the first time researchers have seen growth above 200% across all of them at once.
What's driving the surge? Rice says the increase in VDPs can largely be attributed to two key factors: the normalization of VDPs, and an increase in mandates and guidance from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
"I think the norms have been slowly shifting over the last few years," Rice says. "There was a long period of time when organizations could get away with just ignoring reports, threatening cease-and-desist letters, getting by on silence." This was usually enough to make researchers step back, but "that has been changing a lot." Now, those who have a bad disclosure experience, or see someone ignore a security report, are more comfortable coming forward.
"It's beginning to be viewed as negligence, and I think that's exactly how it should be viewed," he says of organizations that refuse to act on reported vulnerabilities.
Late last year, CISA published a draft binding operational directive requiring most executive branch agencies to create a vulnerability disclosure program. Following feedback, CISA recently issued the final version of BOD 20-01, in which it says VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."
The growth in vulnerability disclosure programs is encouraging greater participation from the hacker community. Much of the participation spike is tied to new programs kicking off, especially in industries where security researchers are already active or interested.
"The biggest source of driving new hackers into these programs is brands that those hackers love sanctioning this activity," Rice says.
Remote Businesses Rethink VDP Strategy
Businesses supporting a greater number of remote employees have begun to rethink their VDPs and make wider swaths of their corporate infrastructure available to test, Rice says. And more hackers are interested: HackerOne saw new hacker signups increase 59%, and submitted bug reports grow by 28%, in the months immediately following the start of the coronavirus pandemic.
"The most interesting thing that happened over the last few months was programs have been very deliberate about what's in scope," he explains. Many have begun to expand their scope to include attack surface that wouldn't have been covered in the past. Those that opened up work-from-home or remote attack scenarios have learned from the mistakes they made in transitioning quickly.
Historically, most VDPs have focused their incentives on customer-facing assets and attack surface, because early efforts were aimed at protecting customers and users. Now organizations also want to find holes in third-party systems and in applications meant for employees, and many programs have expanded to include back-end business support systems.
While this is a "natural evolution" of VDPs, it usually takes a long time for companies to arrive at this stage, Rice says. Before COVID-19, only a handful of HackerOne's customers, such as Facebook and Twitter, included VPN infrastructure in the scope of their VDP policies.
"It was nowhere near the norm, and that's quickly become the norm over the past few months," he continues. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter."
This change is reflected in the most common types of vulnerabilities disclosed in the past year, HackerOne reports. Cross-site scripting (24%) was the most commonly reported flaw, taking the top spot from information disclosure (18%), which fell to second place. Other commonly reported flaws include improper access control (10%), improper authentication (6%), and open redirect (6%).
Improper access control vulnerabilities have increased in both volume and criticality, says Rice, and organizations are treating them with greater urgency. In addition, they're updating their program instructions to tell hackers which risks they're currently most worried about.
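As an added illustration of the "improper access control" class the report singles out (this is example code written for this page, not code from HackerOne or any program it describes), the block below contrasts a vulnerable record lookup with a hardened one. The in-memory invoice store, the user names, and the `INVOICES`, `ADMINS`, `get_invoice_vulnerable`, `get_invoice_hardened`, and `enumerate_readable` names are all constructed assumptions; the point is that the vulnerable handler authenticates the caller but never authorizes the object, so a researcher can walk the ID space and read other users' records.

```python
"""Improper access control (object-level authorization) example.

Constructed illustration: a tiny in-memory 'invoices' API. The vulnerable
handler trusts whatever record ID the caller supplies; the hardened handler
looks the record up and then checks that the caller is allowed to see it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total_cents: int


# Constructed sample data (assumption, not real records).
INVOICES = {
    1001: Invoice(1001, "alice", 12500),
    1002: Invoice(1002, "bob", 9900),
}
ADMINS = {"carol"}  # assumed admin role that may read any invoice


class NotFound(Exception):
    """Raised for a record the caller may not see, or that does not exist."""


def get_invoice_vulnerable(user: str, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: any logged-in user can read any
    invoice simply by changing the ID in the request (the classic IDOR)."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_hardened(user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: fetch, then check ownership (or admin role).

    A foreign record and a missing record both produce NotFound, so the
    response does not reveal which IDs exist; a 403-vs-404 split would hand
    the researcher an enumeration oracle, the information-disclosure cousin
    of this bug."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner != user and user not in ADMINS):
        raise NotFound(invoice_id)
    return inv


def enumerate_readable(handler, user: str, id_range) -> list:
    """What a researcher does to demonstrate the finding: walk a range of IDs
    as one user and report which records come back."""
    readable = []
    for invoice_id in id_range:
        try:
            handler(user, invoice_id)
        except NotFound:
            continue
        readable.append(invoice_id)
    return readable


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("bob via vulnerable handler:", enumerate_readable(get_invoice_vulnerable, "bob", ids))
    print("bob via hardened handler:  ", enumerate_readable(get_invoice_hardened, "bob", ids))
    print("carol (admin) via hardened:", enumerate_readable(get_invoice_hardened, "carol", ids))
```

Running the script shows "bob" reading both invoices through the vulnerable handler but only his own through the hardened one, while the admin still sees everything. The same lookup-then-authorize shape applies to any per-object endpoint, and the single NotFound path is deliberate: collapsing "forbidden" and "missing" into one response is what keeps the fix from turning into an ID-existence leak.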