Crowdsourced security testing—fueled by “bug bounties”—is on the rise, according to a new report from HackerOne, which hosts bug bounties on its platform.
For its study, HackerOne analyzed some 78,275 security vulnerability reports submitted between May 2017 and April 2018 by its ecosystem of hackers. Those vulnerabilities affected 1,000 organizations. “Organizations remain vastly underprepared for effective discovery, communication, remediation, and disclosure of vulnerabilities,” the organization added in its report, “as 93 percent of the Forbes Global 2000 list do not have a policy to receive, respond, and resolve critical bug reports submitted by the outside world.”
Nearly a quarter of those vulnerabilities were rated “high to critical severity.” Between that and the aforementioned lack of bug-reporting structure, it’s clear that many organizations aren’t wholly prepared for a potential infiltration. However, those big bugs mean big cash for the lucky tech pros who find them: according to HackerOne’s data, the discovery of 116 critical vulnerabilities last year resulted in bug-bounty payments of more than $10,000 (each).
Moreover, bug-bounty programs have expanded from private corporations to government agencies. The U.S. Department of Defense, for example, has launched three time-constrained bug bounties, in addition to a “vulnerability disclosure policy,” and caught more than 5,000 vulnerabilities as a result. The EU Commission has spun up similar programs.
According to HackerOne’s data, some 90 percent of hackers are under the age of 35, and around 44 percent are IT professionals. Among those surveyed by the organization, some 13 percent participated in bug bounties for the money, while 15 percent did it to learn new tips and techniques, and 14 percent participated for the challenge (another 14 percent also just did it for fun).
Only 5 percent of those surveyed said that they’d learned their hacking skills in a classroom. Combine that with the data suggesting that many hackers participate in these bug bounties for the learning opportunities, and it’s clear that these tech pros are hungry for knowledge and ways to boost their skills. If you’re a company that wants to squish its security vulnerabilities, you might consider hosting a bug bounty; and if you already have security-minded tech pros on staff, you might consider offering them educational opportunities as an incentive, because that’s something this group evidently wants.
Speaking of security-minded staff, it’s also clear that, while bug bounties can certainly help a company discover and squish many of its vulnerabilities, not every organization can keep a tight security profile solely by crowdsourcing. Not only do tech firms need full-time security staff to deal with particularly sensitive code issues, but developers need to follow best practices to ensure that software has a minimum number of vulnerabilities in the first place.