Bounty-hunting hackers are uncovering new vulnerabilities every two minutes on average, according to bug bounty platform HackerOne.
In its latest annual Hacker Powered Security Report, the platform said it had paid out aroud $45m in bug bounties to individual “ethical hackers” – folks who prod around for security vulnerabilities in software – in the past 12 months.
“All over the world, every year, more people, more results, more activity, more variation,” beamed HackerOne CEO Mårten Mickos to The Register, who added that the total paid out through the site had grown around 87 per cent, compared to 60 per cent growth between 2018 and 2019.
“If you think about this from an industry perspective,” Mickos said when we asked about the annual growth in total bounty payouts, “‘OK, they’ve paid out $44m dollars in the past year, that’s a big sum of money.’ But what would it cost to not find and fix the vulnerabilities? What would it cost to find out some other way that number is much, much higher?”
HackerOne is a bug bounty platform. If you, an ethical hacker, discover a vulnerability in someone’s product, the idea is you submit that through HackerOne and then receive a payout (bounty) for your efforts. In a broader sense, the idea is to improve security across the board.
Mickos rejected the idea that ethical hackers deprived of a legitimate bug bounty market would instead sell newly discovered vulnerabilities to black hats for exploitation, saying: “If we didn’t organise this program, the vulnerabilities would not be sold to criminals. The vulnerabilities would just not be reported. Sure, I can’t guarantee the actions of every hacker, but every time when we talk to them, those who report to us would never sell to a criminal… very few vulnerabilities are tradeable like that.
“Zerodium will offer you very high prices for reporting to them zero days that they can sell to governments. But the definition of what they’re ready to buy is so narrow. It’s incredibly narrow. So when you look at how many valid vulnerabilities have been submitted through our platform cumulatively, it’s 181,000. How many were of that zero-day quality that were tradeable? Actually not many. That’s now how it happens.”
Pandemic hits payouts
Average payouts per vuln came to around $3,650, a year-on-year increase of 8 per cent. Industry sectors showing greater interest in setting up bug bounty programmes through HackerOne included hardware, consumer goods vendors, education, and healthcare.
Other sectors – Mickos mentioned hospitality, aviation, and transportation – were less keen to expand their bug bounty programmes this year, something the CEO attributed to the obvious effect of the pandemic pushing them into “survival mode”, though he added: “Even though one corner of our customer base has reduced spending, others have added so much more.”
British companies paid out $560,000 over the last year through HackerOne, and UK-based hackers recouped around $1m. The US led the platform’s spending by far with $39m passing through its coffers, and US hackers receiving $7m in bounty payouts. Hong Kong hackers also earned $1m through the platform.
The COVID-19 pandemic had an impact on bug bounty hunting, with Mickos acknowledging “an increase in activity of ethical hacking” in the early part of 2020: “We saw more hackers signing up and submitting vulnerabilities than before. And the difference was enough to give us reason to believe it was COVID causing it.”
In a bit of a diversion from the report itself, Mickos also addressed the current geopolitical situation (“we don’t govern geopolitics at HackerOne!”), lamenting how when geopolitical trust erodes, the general willingness to share things like software vulnerabilities declines. “If we sit there expecting somebody else to solve it, it won’t get solved. That’s the ethos we work to, we’re not trying to be Mother Theresa here but we have a societal duty to show that with small incremental steps you cause good change over time. You actually make the world a better place.”
While it is not traditional for El Reg to look on the sunnier side of cybersecurity, sometimes it’s good to acknowledge the positives as well as negatives – in Mickos’ words “not letting problems become the main theme”. We stop short, however, of recommending the upbeat chief exec’s “joyful colours” in the HackerOne report, which can be found on the corporate website. ®