Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

6/8/2016
01:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

‘Super Hunters’ Emerge As More Companies Adopt Bug Bounties

'Super hunters' chase down vulnerabilities wherever there's a bug bounty payday...and they've become very popular with cybersecurity job recruiters, says Bugcrowd report.

As more organizations look to adopt bug bounty programs, a tier of "super hunters" is emerging, who earn hundreds of thousands of dollars in payouts. In the process, these super hunters are attracting the attention of many companies’ security team recruiting efforts, according to Bugcrowd’s latest report on the state of the bug bounty economy.

Super hunters, although not an entirely new phenomenon, are making more money than ever as more complex and high-profile bounty programs launch with higher stakes, according to findings in the second annual  State Of Bug Bounty Report.

The elite group of hunters deploy various techniques, looking for niches, such as finding and exposing vulnerabilities in staging or development servers or forgotten servers that clearly should be de-commissioned, says Jonathan Cran, vice president of operations at Bugcrowd. Other super hunters have deep understanding of the business logic or underlying infrastructure of applications.

A bug bounty is most simply defined as “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.” Bug bounties were originally uncapped “blank check” affairs, introduced by technology giants such as Facebook, Google, Yahoo, and a few others, which have spent over $10 million on bug bounty payouts to date, Cran says.

In the past year, the term “bug bounty” has become more well-known and widely publicized through popular programs such as Tesla Motors’ car hacking program, launched in mid-2015.  In March, the US Department of Defense announced “Hack the Pentagon,” in which the DoD plans to invite vetted hackers to test the department’s cybersecurity under a unique pilot program.

However, the majority of researchers (85%) participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties. But payouts are on the rise even for these part-time bug bounty hunters, Cran says. The all-time average bug reward on Bugcrowd’s platform has risen from the $200.81 cited in last year’s report, to $294.70, an increase of 47%. The average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.

Bugcrowd harnesses the power of more than 30,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. The company connects security researchers with organizations and helps them build a partnership. The second annual report consists of survey responses from approximately 500 researchers with experience in bug bounty programs from 51 different countries.

Seventy-five percent of the researchers are between the ages of 18 and 29, followed by the second-largest age group, 30 to 44, representing 19% of respondents. Additionally, 88% of the respondents have completed at least one year of college; 55% of them have graduated with a bachelor’s or postgraduate degree. All respondents had at least a high school degree.

 

Diversified Industries Adopt Programs

Bug bounty programs are being adopted by all types of organizations; from startups to enterprises, and from virtually every industry, the report states. “I see it as the evolution of security assessment in general,” Cran says. “Five or 10 years ago very few folks were doing it.” But now almost every business has become a software vendor or pushes out software-based services to customers, he notes.

Of the nearly 300 programs Bugcrowd has launched over the past three years, “we have seen growth and diversification in the makeup of our customer base from purely tech to 25% more traditional verticals such as financial services and banking,” the report states. The top two industries represented are computer software companies and internet-based companies, followed by financial services and banking, information technology and services, computer and network security, e-commerce and retail.

Larger enterprises are adopting bug bounty programs, the report states. Companies with 5,000+ employees accounted for 44% more of the total companies launching bug bounty programs over the last 12 months.

Organizations looking to start a public bug bounty program begin privately, incentivizing a smaller number of researchers while they build their response capabilities. Over time, the programs become public, allowing everyone to participate. As of March 31 2016, 63% of all Bugcrowd program launches have been private programs.

“Organizations looking to access the benefits of crowdsourcing with specific business goals, complex technologies or environments benefit from a smaller testing pool. These organizations pay higher bounties to attract and maintain interest from the best researcher talent,” the report states.

“We recommend companies to start with a short-term private program or even an ongoing private program,” Cran says. Organizations should also establish a non-incentivized bug reporting program, opening up a channel for customers and others to submit vulnerability-related information, he says.

 

XSS continues to dominate

The most commonly discovered vulnerability is still Cross-site Scripting (XSS), which represents 66% of the total vulnerabilities disclosed, followed by Cross-site Request Forgery (CSRF).

Bug bounties are often compared to traditional application security assessment methods such as penetration testing. “The biggest differences between the two are volume of testers involved and the differing reward models. Bug bounties involve thousands of researchers as opposed to a select few penetration testers, and utilize a pay for results reward model rather than for effort,” the report states.

Additionally, the volume and diversity of security researchers participating in bug bounty programs results in a diverse range of bug types, classes, and criticality of vulnerabilities, and testing is usually performed without prior knowledge of the target, according to the report.  

Related Content:

 

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.