Bug Bounty Programs. PHOTO: Cybercrime Magazine.

State Of Bug Bounty Programs In 2017

Security researchers are in high demand as approximately two billion lines of new code are released every week

Kacy Zurkus

Menlo Park, Calif. – Aug. 17, 2017

Bug Bounty programs have existed for decades with the first recorded bug bounty reward dating back to 1983. Hunter & Ready, Inc. offered a VW Bug in exchange for the discovery of a bug in its VRTX real-time operating system.

The technology industry saw the advent of bug bounty programs when in 1995 Netscape started offering cash rewards to anyone who found bugs in their software.

Still, bug bounty programs have only experienced notable growth over the past few years. The 21st century has given rise to the digital enterprise, and organizations large and small are growing more reliant on applications and devices in order to efficiently offer their services.

Only two years ago, leaders in the bug bounty platform space were talking about the impact security was having on the increasing supply and demand for skilled security researchers. At that time, organizations outside of the technology industry were a bit skeptical of inviting ethical hackers into their networks.

Despite the continued adoption of bug bounty programs beyond the technology industry, HackerOne’s The Hacker-Powered Security Report 2017 notes that vulnerability disclosures lag behind, given that 94 percent of the Forbes Global 2000 companies do not have reporting disclosure policies.

2016 saw more organizations realizing the benefits of building a relationship with security researchers, giving rise to the development of bug bounty programs in industries outside of technology.

HackerOne also found that the cash reward offered for disclosure increased by 16 percent in 2016.

Of the new programs launched in 2016, 41 percent were from non-technology industries. The companies that embraced hacker-powered security ranged from Starbucks to Facebook and Nintendo.

In 2017, security researchers are in high demand as approximately two billion lines of new code are released every week, with an estimated 111 billion lines of new software code generated every year.

2017 has seen growth in platform adoption and program awards as well as faster reporting time, with 77 percent of all bug bounty programs having their first vulnerability reported in the first 24 hours. The Army’s first vulnerability was reported in only 5 minutes.

According to Bugcrowd’s 2017 State of Bug Bounty report, the group of security researchers on their platform doubled as of March 2017 and continued to grow by another 10% between March and June 2017.

Also on the rise are the payouts for security researchers along with an increased criticality of submissions. Advances in technology have delivered us to an increasingly interconnected world, where the attack surface has also grown and will continue to grow.

Public versus private programs

Most platforms offer different types of bug bounty programs broken down into the following categories as defined by HackerOne:

  • Vulnerability Disclosure Policy (VDP): an organization’s formalized method for receiving vulnerability submissions from the outside world. This often takes the form of a “security@” email address. The practice is defined in ISO standard 29147.
  • Public bug bounty program: an open program any hackers can participate in for a chance at a bounty reward.
  • Private bug bounty program: a limited access program that select hackers are invited to participate in for a chance at a bounty reward.
  • Time-bound bug bounty: a program with a limited time frame. In most cases hackers will register or be invited.

Qualifying vs non-qualifying vulnerabilities

Not every vulnerability can be exploited, which is why there is a range of qualifiers used to categorize the risks. Each bug bounty platform may use a different label. Though what they use to distinguish the degree of risk may differ from one platform to another, the categories are prioritized in gradations from informational to critical.

Many programs, like Google’s Vulnerability Reward Program (VRP), offer a list of reward-worthy disclosures: those that affect the confidentiality or integrity of user data.

Rewards for researchers

Bugcrowd reported that the total payouts for companies with programs on their platform have surpassed $6 million, an increase of 211 percent since 2016. The average payout has also grown from $295 in 2016 to $451 in 2017.

Over the course of 2016, Google paid out $3 million to security researchers. On average Google’s bug rewards range from $100 to $31,337.

In the second quarter of 2017, Google’s cash offering of up to $200,000 to security researchers topped the charts for bug bounty rewards.

Only one month later, Microsoft is making headlines for its offer of up to $250,000 with its new Bug Bounty Program for Windows.

In 2016, Hack the Pentagon paid out $75,000 in bounty rewards for all legitimate vulnerabilities.

The Tor Project has kept its average payout at $4,000 for critical vulnerabilities, while paying between $500-$2,000 for medium severity and $100 for low severity bugs.

Some of the organizations on HackerOne’s platform pay researchers an average of $15,000 for critical vulnerabilities, which represent only 1% of rewards.

More common are the 60% of organizations that pay an average of $1,000 for critical vulnerabilities.

Still, through May 2017, organizations on HackerOne have paid out over $17 million in bounty rewards.

Intel offers a range of rewards with up to $7,500 for critical vulnerabilities in Intel software and up to $30,000 for critical vulnerabilities in Intel hardware.

Starbucks has paid over $100,000 in bounties, with the average bounty at $250 and a top bounty range of $2,000-$6,000.

There are far too many bug bounty programs to list the rewards of each, but the HackerOne directory offers a list of known bug bounty programs on the internet.

Rules for engagement

Developing a relationship with any organization demands that the hacker and the organization deal in good faith. To that end, most of the rules of engagement, regardless of program or platform, will require that researchers act responsibly and avoid privacy violations along with efforts to gain access to accounts, data, and PII.

Third-party platforms, like Bugcrowd and HackerOne, have code of conduct rules. Bugcrowd expects their researchers to, among other things, be kind, respectful, helpful, and ethical.

HackerOne also requires that its researchers never attempt social engineering or physical attacks.

In addition to outlining the specific rules and a list of qualifying and non-qualifying vulnerabilities, companies, like Google, will also outline the scope of the policy.

Most companies will have guidelines, similar to those of the Department of Defense, that express clearly limited activities.

Along with a clear description of the scope of the bounty, they will also provide specific instructions on how to report a bug.

Proof of concept and disclosures

The research team at HackerOne put their findings to the test and searched the internet for the vulnerability disclosure policies an ethical hacker might use to contact a company upon discovering a vulnerability.

Their findings included the following statistics:

  • Only 2 of 24 airlines, United Airlines and Lufthansa, have vulnerability disclosure policies.
  • 54 percent of the top software/programming companies do have a VDP.
  • Only three out of 21 auto and truck manufacturers have policies.
  • Starbucks is the only restaurant on their list to have a VDP or bug bounty program.
  • Only six out of 64 major banks have a VDP.

The leaders on HackerOne’s all time leaderboard made their way to the top by building a solid reputation. In order to make a living as an ethical hacker, it’s critical that all reports are valid, which means providing a proof of concept.

A proof of concept requires a detailed description of the type of vulnerability and its potential impact without exploiting the real target. This information is included in the vulnerability report, which should also include images of the researcher’s work along with the tools used in the research.

Different organizations may have varying guidelines for disclosing vulnerabilities. Third-party platforms, like Bugcrowd, may also have a “nondisclosure” clause, which means that at no time can the researcher publicly disclose the submission.

What the future holds

Bug bounty programs have grown exponentially over the past two years and will continue to grow as the attack surface widens. As stories of breaches continue to be reported and the amount of code developed increases, it will be critical to explore the benefits of hacker-powered security, particularly for the global enterprise.

Also growing in popularity are online trainings on how to become an ethical hacker.

What holds many companies back from building relationships with ethical hackers is mostly a conservative mindset, which holds that it’s not a good idea to allow a stranger to penetrate their business. There are many benefits to a bug bounty program, the most important of which is improved security.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.

The Bug Bounty Report — sponsored by HackerOne — provides bug bounty platform and program trends, statistics, and resources for chief information security officers (CISOs), security researchers, and IT security staff.