On September 29, HackerOne announced the latest version of its Internet Bug Bounty (IBB) program. This initiative helped to coordinate the discovery of more than 1,000 security weaknesses in open-source software between 2013 and 2021. HackerOne’s latest version aims to expand the reach of the program even further by pooling defenses from existing bug bounties, dividing bounties in a way that awards stakeholders who contribute to the vulnerability management lifecycle, and consolidating the vulnerability submission flow to improve the experience of participating researchers.
The IBB program helps to advance supply chain security, noted HackerOne. The average application today uses 528 open-source components, providing malicious actors with plenty of vectors by which they can compromise software on which potentially thousands of organizations rely. Time is on the side of those attackers, too. ZDNet reported that most weaknesses in open source projects go undetected for four years. Hence the need for an initiative like the IBB that brings the security community together.
What Else Is New with Bug Bounty Programs?
The newest iteration of HackerOne’s initiative and the detection rate of open-source software vulnerabilities aren’t the only new developments with bug bounty programs. Provided below are five other things that are helping to shape the vulnerability management landscape.
1. Increase In Priority One (PI) Submissions
In a 2021 report, BugCrowd observed an increase in the number of Priority One (P1) submissions or reports for the most critically severe software flaws. The crowdsourced security platform received 65% more P1 submissions in 2020 compared to the previous year. (That was on top of a 50% increase for all vulnerability submissions during the same period.) In that span of time, web apps accounted for most vulnerability submissions, but that didn’t prevent hackers from turning their attention to other areas such as APIs and Android devices.
The growth for P1 submissions wasn’t uniform across all sectors in 2020. Take software as an example. BugCrowd uncovered that the number of submissions for software organizations in the first 10 months of the year overshadowed the total volume for 2019, with P1 submissions almost tripling by Halloween. It was a similar story for the financial services sector. Between the first and second quarters of 2020, buyers doubled their payouts for P1 vulnerabilities affecting organizations in this industry.
2. Increase In the Number of Hackers Submitting Bug Reports
The 2021 Hacker Report from HackerOne reveals that more hackers submitted bug reports in 2020 than during previous years. The number of hackers who submitted reports through the vulnerability coordination and bug bounty platform grew 63% in 2020. That’s a growth of 143% compared to the volume of hackers who participated in 2018.
Most hackers didn’t rely on submitting vulnerability reports as their main source of income back in 2020, according to HackerOne. The majority (82%) self-identified as part-time hackers. Meanwhile, 35% said they had a full-time job.
3. Many Bug Bounty Seekers Hack to Learn
Plenty of respondents to HackerOne’s report saw hacking as their future. A third told the bug bounty platform that they had already leveraged their skills to secure a job. Just under a quarter of security researchers said that they were looking to pursue a career in information security by landing a role on an internal security team.
But not everyone has the same aspirations…or motivations, for that matter. Sure, three-quarters of participating hackers said that they hacked to find bounties. But an even greater proportion (85%) of individuals explained that they were doing it merely to learn and expand their skills. Six in 10 respondents pointed out that they were using hacking to advance their careers, while about half indicated that they were interested in hacking as a means to defend businesses and individuals against threats.
BugCrowd found something similar in its own report. As quoted by the crowdsourced security platform:
Just like those early adopters and trailblazers, modern hackers are young, with 53% aged 18-24, and are often driven by a pronounced moral compass. Most disregard lucrative financial rewards for vulnerabilities on the black and gray market in favor of applying their talents to improving security and dedicate some of their time to giving back to the community.
More than that, BugCrowd observed that some researchers had used their hacking experiences to build their own personal brands. Some started out as novices, but as they continued to hack, they started attracting followers and growing their reputations. Maybe some produced video and streaming content to promote their experience, becoming entrepreneurial thought leaders in the process.
4. Increase In Reports of Misconfigurations (and Human Error)
Per HackerOne’s report, hackers are increasingly submitting reports on misconfiguration issues. The vulnerability coordination platform said that reports of misconfigurations increased by 310% in 2020. That being said, misconfigurations did not make the list of the most popular types of vulnerabilities discovered by hackers during that period.
5. Lack of a Clear Reporting Process
Finally, hackers don’t always see their work through due to the lack of a clear reporting process. Half of the security researchers told HackerOne that they had chosen to not disclose a vulnerability at one point or another. Approximately a quarter of that sub-group said that it was because they lacked a clear channel through which they could report the security flaw. About the same proportion attributed their decision to an unresponsive host company. 19% of hackers indicated that they had not disclosed a flaw because a bounty was not available for their work.
What Organizations Can Do with These Findings
Organizations can use the findings discussed above to strengthen their digital security efforts. They can do this in several ways. First, it’s apparent that bug bounty programs are becoming more and more effective. Organizations should therefore consider making bug bounty programs a part of their larger vulnerability management strategy if they haven’t done so already. They can create a program internally, or they can work with a provider like HackerOne or BugCrowd to manage it for them.
Second, organizations can use the findings of misconfigurations to focus on eliminating instances of human error. One of the ways they can do that is by using awareness training to educate their employees and other personnel about their security policies and relevant best security practices.
Finally, infosec teams can use best practices to make their bug bounty programs as clear as possible. This will help to ensure that researchers have an avenue through which they can work with an organization and contribute to its vulnerability management program over time.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...