Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/4/2019
08:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018

Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.

Security researchers from around the world last year reported over 100,000 valid vulnerabilities in software and systems belonging to organizations signed up with the HackerOne crowdsourced vulnerability disclosure platform.

Together the researchers earned more than $19 million in bounties in 2018 — or nearly the same amount as the combined total paid out to hackers over the past six years under the HackerOne program.

A survey-based report that HackerOne released Friday shows the number of white-hat hackers registered under the program doubled year over year to 300,000. Hackers from the US and India alone accounted for some 30% of the total and were once again among the top earners in the HackerOne community as in previous years.

However, the number of ethical hackers signing up from other countries, most notably from Africa, grew dramatically last year as well. In total, at the end of 2018, HackerOne had security researchers from as many as 150 countries registered for the program.

"One of the most striking takeaways from this year’s survey is the international growth in the number of bug-bounty hackers," says Luke Tucker senior director of community and content at HackerOne. "India and the US remain the top hacker locations year over year, but their majority is decreasing as hackers across the globe sign up for bug-bounty programs."  

The data is the latest to highlight the growing influence of crowdsourced bug-bounty programs in vulnerability discovery and remediation. HackerOne, like other bug-bounty platforms such as Bugcrowd and Synack, uses crowdsourced ethical hackers from around the world to help clients discover security vulnerabilities in their systems.

In recent years, thousands of private- and public-sector organizations have signed up with such platforms in a bid to uncover security vulnerabilities they might have missed otherwise. Last year, bug-bounty programs accounted for some 8% of all publicly disclosed vulnerabilities — up substantially from 5.8% in 2017, according to a recent report from Risk Based Security. In fact, the SECURE Technology Act (HR 7327), which President Trump signed into law last December, even authorizes the US Department of Homeland Security to establish a program that will let ethical hackers report bugs in federal government systems.

HackerOne's data shows that American and Canadian organizations are the most active users of such programs, at least based on share of bounties paid so far. They are followed by entities in the UK, Germany, Russia, and Singapore.

US government organizations have been especially enthusiastic users of the program, Tucker says. "In the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity," he says.

Tucker points to US Department of Defense programs, such as Hack the Pentagon and Hack the Army, which are conducted in partnership with HackerOne, as examples of the types of initiatives government organizations are taking with the crowdsourced vulnerability model.

It's not just enterprise organizations that are benefiting from the programs. Bug-bounty platforms are proving to be a very effective way for countless independent ethical hackers around the world to monetize their enthusiasm for bug hunting, as well.

Some top hackers in HackerOne's programs are making 40 times the median annual wage for security engineers in their home countries, according to the company. In the US, top earners last year made over six times the median annual salary of a software engineer based on salary estimates derived from PayScale.

A few researchers in the HackerOne program earned as much as $100,000 for disclosing a single critical bug. One hacker became the first under the program to top $1 million in bug bounties. Dozens of HackerOne clients also have hired security researchers they met through the program.

"We found that bug-bounty hackers are not in it just for the money, but we know those that are can make an impressive living," Tucker says.

Bug-bounty programs offer competitive rewards but are not focused on competing with other markets on price alone, he says. Bug discoverers can sometimes make substantially more money sharing their information with so-called gray market buyers, which can include intelligence agencies and government.

"[But] the hackers that report vulnerabilities to bug-bounty programs are in it for the resume they can build, the relationships, the challenge, and the recognition," Tucker says. "You lose all of this and gain a lot of uncertainty with other markets."

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13643
PUBLISHED: 2019-07-18
Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on the...
CVE-2019-13644
PUBLISHED: 2019-07-18
Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.
CVE-2019-13645
PUBLISHED: 2019-07-18
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.
CVE-2019-13646
PUBLISHED: 2019-07-18
Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.
CVE-2019-13647
PUBLISHED: 2019-07-18
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.