It's been a vintage year for bug bounty hunters, says HackerOne as it boasts of $40m+ passing through its treasure chests

Big money, says CEO, but what would it cost not to find and fix these vulns?


Bounty-hunting hackers are uncovering new vulnerabilities every two minutes on average, according to bug bounty platform HackerOne.

In its latest annual Hacker Powered Security Report, the platform said it had paid out around $45m in bug bounties to individual "ethical hackers" - folks who prod around for security vulnerabilities in software - in the past 12 months.

"All over the world, every year, more people, more results, more activity, more variation," beamed HackerOne CEO Mårten Mickos to The Register, who added that the total paid out through the site had grown around 87 per cent, compared to 60 per cent growth between 2018 and 2019.

"If you think about this from an industry perspective," Mickos said when we asked about the annual growth in total bounty payouts, "'OK, they've paid out $44m dollars in the past year, that's a big sum of money.' But what would it cost to not find and fix the vulnerabilities? What would it cost to find out some other way? That number is much, much higher."

HackerOne is a bug bounty platform. If you, an ethical hacker, discover a vulnerability in someone's product, the idea is you submit that through HackerOne and then receive a payout (bounty) for your efforts. In a broader sense, the idea is to improve security across the board.

Mickos rejected the idea that ethical hackers deprived of a legitimate bug bounty market would instead sell newly discovered vulnerabilities to black hats for exploitation, saying: "If we didn't organise this program, the vulnerabilities would not be sold to criminals. The vulnerabilities would just not be reported. Sure, I can't guarantee the actions of every hacker, but every time when we talk to them, those who report to us would never sell to a criminal... very few vulnerabilities are tradeable like that.

"Zerodium will offer you very high prices for reporting to them zero days that they can sell to governments. But the definition of what they're ready to buy is so narrow. It's incredibly narrow. So when you look at how many valid vulnerabilities have been submitted through our platform cumulatively, it's 181,000. How many were of that zero-day quality that were tradeable? Actually not many. That's not how it happens."

Pandemic hits payouts

Average payouts per vuln came to around $3,650, a year-on-year increase of 8 per cent. Industry sectors showing greater interest in setting up bug bounty programmes through HackerOne included hardware, consumer goods vendors, education, and healthcare.

Other sectors – Mickos mentioned hospitality, aviation, and transportation – were less keen to expand their bug bounty programmes this year, something the CEO attributed to the obvious effect of the pandemic pushing them into "survival mode", though he added: "Even though one corner of our customer base has reduced spending, others have added so much more."

British companies paid out $560,000 over the last year through HackerOne, and UK-based hackers recouped around $1m. The US led the platform's spending by far with $39m passing through its coffers, and US hackers receiving $7m in bounty payouts. Hong Kong hackers also earned $1m through the platform.

The COVID-19 pandemic had an impact on bug bounty hunting, with Mickos acknowledging "an increase in activity of ethical hacking" in the early part of 2020: "We saw more hackers signing up and submitting vulnerabilities than before. And the difference was enough to give us reason to believe it was COVID causing it."

In a bit of a diversion from the report itself, Mickos also addressed the current geopolitical situation ("we don't govern geopolitics at HackerOne!"), lamenting how when geopolitical trust erodes, the general willingness to share things like software vulnerabilities declines. "If we sit there expecting somebody else to solve it, it won't get solved. That's the ethos we work to, we're not trying to be Mother Teresa here but we have a societal duty to show that with small incremental steps you cause good change over time. You actually make the world a better place."

While it is not traditional for El Reg to look on the sunnier side of cybersecurity, sometimes it's good to acknowledge the positives as well as negatives – in Mickos' words "not letting problems become the main theme". We stop short, however, of recommending the upbeat chief exec's "joyful colours" in the HackerOne report, which can be found on the corporate website. ®
