Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/4/2019
08:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018

Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.

Security researchers from around the world last year reported over 100,000 valid vulnerabilities in software and systems belonging to organizations signed up with the HackerOne crowdsourced vulnerability disclosure platform.

Together the researchers earned more than $19 million in bounties in 2018 — or nearly the same amount as the combined total paid out to hackers over the past six years under the HackerOne program.

A survey-based report that HackerOne released Friday shows the number of white-hat hackers registered under the program doubled year over year to 300,000. Hackers from the US and India alone accounted for some 30% of the total and were once again among the top earners in the HackerOne community as in previous years.

However, the number of ethical hackers signing up from other countries, most notably from Africa, grew dramatically last year as well. In total, at the end of 2018, HackerOne had security researchers from as many as 150 countries registered for the program.

"One of the most striking takeaways from this year’s survey is the international growth in the number of bug-bounty hackers," says Luke Tucker senior director of community and content at HackerOne. "India and the US remain the top hacker locations year over year, but their majority is decreasing as hackers across the globe sign up for bug-bounty programs."  

The data is the latest to highlight the growing influence of crowdsourced bug-bounty programs in vulnerability discovery and remediation. HackerOne, like other bug-bounty platforms such as Bugcrowd and Synack, uses crowdsourced ethical hackers from around the world to help clients discover security vulnerabilities in their systems.

In recent years, thousands of private- and public-sector organizations have signed up with such platforms in a bid to uncover security vulnerabilities they might have missed otherwise. Last year, bug-bounty programs accounted for some 8% of all publicly disclosed vulnerabilities — up substantially from 5.8% in 2017, according to a recent report from Risk Based Security. In fact, the SECURE Technology Act (HR 7327), which President Trump signed into law last December, even authorizes the US Department of Homeland Security to establish a program that will let ethical hackers report bugs in federal government systems.

HackerOne's data shows that American and Canadian organizations are the most active users of such programs, at least based on share of bounties paid so far. They are followed by entities in the UK, Germany, Russia, and Singapore.

US government organizations have been especially enthusiastic users of the program, Tucker says. "In the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity," he says.

Tucker points to US Department of Defense programs, such as Hack the Pentagon and Hack the Army, which are conducted in partnership with HackerOne, as examples of the types of initiatives government organizations are taking with the crowdsourced vulnerability model.

It's not just enterprise organizations that are benefiting from the programs. Bug-bounty platforms are proving to be a very effective way for countless independent ethical hackers around the world to monetize their enthusiasm for bug hunting, as well.

Some top hackers in HackerOne's programs are making 40 times the median annual wage for security engineers in their home countries, according to the company. In the US, top earners last year made over six times the median annual salary of a software engineer based on salary estimates derived from PayScale.

A few researchers in the HackerOne program earned as much as $100,000 for disclosing a single critical bug. One hacker became the first under the program to top $1 million in bug bounties. Dozens of HackerOne clients also have hired security researchers they met through the program.

"We found that bug-bounty hackers are not in it just for the money, but we know those that are can make an impressive living," Tucker says.

Bug-bounty programs offer competitive rewards but are not focused on competing with other markets on price alone, he says. Bug discoverers can sometimes make substantially more money sharing their information with so-called gray market buyers, which can include intelligence agencies and government.

"[But] the hackers that report vulnerabilities to bug-bounty programs are in it for the resume they can build, the relationships, the challenge, and the recognition," Tucker says. "You lose all of this and gain a lot of uncertainty with other markets."

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.