Enabling responsible vulnerability disclosure programs protects companies and hackers in their endeavor to squash software bugs.
Independent security research is a rather woolly endeavor, as the gig economy goes. While the payoffs can be lucrative, the risk that a company will renege on a promised bug bounty remains real, and there is always an outside chance that a company receiving a bug report will threaten the researcher, or the media, with legal action for discussing it.
The landscape is improving, however, as more companies embrace third-party mediated responsible vulnerability disclosure through platforms such as HackerOne and Bugcrowd, which ensure that researchers are duly compensated for their efforts (in money, not shirts).
To that end, HackerOne’s Hacker Powered Security Report highlights the successes of their platform, noting that more than 120,000 vulnerabilities were discovered, disclosed, and fixed for more than 1,400 organizations to date. The 450,000 registered independent hackers on HackerOne earned a combined $62 million in awards for their research—of which, nearly half was awarded in the past year.
Organizational embrace of disclosure platforms has increased significantly, with participation from federal government offices growing 214% year-over-year and the first municipal government joining last year. Among industries, growth was led by automotive (113%), telecommunications (91%), consumer goods (64%), and cryptocurrency & blockchain (64%), according to the report. Likewise, six of the top 10 banks in North America are participating on HackerOne.
The quality of the vulnerabilities found, which in this context means their severity, is also important. This is not a case of hackers seeking out the lowest-hanging fruit for a quick payday. “A quarter of valid vulnerabilities found are classified as being of high or critical severity,” the report states. “When a new bug bounty program is launched, in 77% of the cases, hackers find the first valid vulnerability in the first 24 hours. That is how fast security can improve when hackers are invited to contribute.”
Likewise, the platform opens opportunities for hackers around the world. “The number of hacker-powered security programs has grown by at least 30% in each region,” the report states, “with Latin America leading the pack again with year over year growth of more than 41%, followed by North America (34%), EMEA (32%), and APAC (30%).”
Hackers hailing from the US earned 19% of all bounties last year, followed by India (10%), Russia (6%), Canada (5%), and Germany (4%). Canada was the highest-growth country in the top 5, at 148% more bounties earned in 2018 compared to 2017. Likewise, “Prolific hackers reside in Egypt, Argentina, Sweden, and Thailand, each of which had hackers earning a combined 200% or more than in the previous year,” the report states, adding that “Thailand hackers earned 467% more than they did in 2017.”
How not to run a hacker-powered security program
Valve, operator of the popular gaming platform Steam, came under fire earlier this month for its handling of a report from researcher Vasily Kravets. Kravets discovered a privilege escalation bug in the Steam client, which Valve declared out of scope for its bounty program: the bug cannot be used by a threat actor to gain control of a remote computer, only to elevate privileges on a machine the attacker already has local access to.
Although Valve initially said it had no intention of patching the issue, Valve and HackerOne forbade Kravets from disclosing it publicly, effectively preventing Steam’s 90 million monthly users from learning about it. Valve briefly banned Kravets from the bug bounty program, then reversed that decision shortly thereafter, calling it “a mistake.”
For more, check out “How the Air Force used a bug bounty program to hack its own cloud server” and “Do bug bounties help open source security?” on TechRepublic.