1/31/2017
05:10 PM

Google Paid $3 Million To Bug Hunters In 2016

The search engine giant is one example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because such programs have proven effective, says John Pescatore, director of emerging security threats at the SANS Institute.

"One factor is that security consultancies had gotten lazy," Pescatore says. Many of them staff their application testing engagements with medium-skilled consultants who run off-the-shelf tools, add very little value, and produce a cut-and-paste, largely boilerplate report.

"For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value," Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

"Just saying 'pound on my website, if you find something I’ll give you a prize' leads to some vulnerabilities being found, but many false positives," Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will not also be sold to other bidders, including organized crime. "The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent," Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and services are now also eligible targets for bug hunting, including Nest and Google OnHub, Nava said.

"I think it is great that companies see this as essentially an extension of their security quality assurance programs," says Pete Lindstrom, an analyst with UDC. "Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
HardenStance
User Rank: Strategist
2/3/2017 | 8:58:58 AM
A double-edged sword
They're a double-edged sword, these bug bounties. Wasn't it a young hacker out to identify iPhone vulnerabilities who ended up inadvertently flooding a number of PSAPs with bogus calls at the end of last year? Sometimes it feels like what these bug bounties give with one hand is only a bit more than what they take with the other.