With cybercrime on the rise, companies are always looking for new ways to ensure they are protected. What better way to beat the hackers than to have those same hackers work FOR you. Over the past few years, corporations have turned to Bug Bounty programs as an alternative way to discover software and configuration errors that would’ve otherwise slipped through the cracks. These programs add another layer of defense, allowing corporations to resolve the bugs before the general public is made aware or harmed by the bugs.
Bug Bounty programs allow white-hat hackers and security researchers to find vulnerabilities within a corporation’s (approved) ecosystem and are provided recognition and/or monetary reward for disclosing them. For the corporation, this is a cost-effective way to have continuous testing, and when a vulnerability is found, the monetary reward can still be significantly less than a traditional pen test.
Hunter & Ready started the first known bug bounty program in 1983, adopting the motto “Get a bug if you find a bug”; Anyone who found a vulnerability would receive a Volkswagen Beetle. In 1995, Netscape Communications Corporation coined the phrase ‘Bug Bounty’ when they launched a program, which offered rewards to anyone who could find flaws in their Netscape Navigator 2.0 Beta.
The idea of a bug bounty program didn’t immediately take off. It took Google launching their program in 2010 to really kickstart the trend, but according to HackerOne, by the end of 2018, over 100,000 total vulnerabilities have been submitted and $42 million has been paid out. In 2018 alone, an estimated $19 million was rewarded, which is more than all of the previous years combined. The vulnerability that was reported the most was cross-site scripting, followed by improper authentication, with a high number of big payouts recorded in the financial services and insurance sectors and information disclosure vulnerabilities rounds out the top three, with most of these bugs being reported in the electronics and semiconductor industry.
Today, about 6% of the Forbes 2000 global companies have Bug Bounty programs, including companies like Facebook, United Airlines, and AT&T. AT&T was the first telecommunication company to announce the launch of their program in 2012. AT&T’s Bug Bounty program has a fairly wide scope, allowing almost any vulnerability found within their environment to be eligible for a reward. As other telecommunication companies started their program, AT&T was used as a resource to provide insight on what works well and what doesn’t.
While there are hundreds of bug bounty programs, no two programs are exactly alike. There has been a big shift away from internally managing these programs to outsourcing to third parties. Although these programs are most talked about in the technology industry, organizations of all sizes and industries have started having Bug Bounty programs, including political entities.
Both the European Union and the US Department of Defense have launched programs in recent years. The EU launched their program in January 2019, inviting ethical hackers to find vulnerabilities in 15 open source projects that the EU institutions rely on, providing a 20% bonus if the hacker provides a solution for the vulnerability they reported. The DoD Defense Digital Services team launched ‘Hack the Pentagon’ in 2016 for all public facing sites, rewarding $75,000 for 138 vulnerabilities.
Bug Bounty Rewards typically range from a few hundred to a few thousand dollars, but there are higher rewards available. In 2019, the first researcher reached $1 million total in earnings, and the average payout for a critical bug increased 6% from 2017 to $2,041. The payouts vary greatly depending on the type of vulnerability, the exploitable information, and the company. Multi-factor Authentication (MFA) Bypass is one of the most lucrative vulnerability, with payouts up to $100,000, and the government was the highest paying industry.
It is anticipated that payouts will continue to rise, reaching $100 million by 2020. As hackers continue to get smarter, it’s critical that companies utilize all options to avoid a security breach. Bug Bounty Programs have become a great option for corporations of all sizes.