ROI for Bounties for Discovery of Application Vulnerabilities Appears Too Compelling to Ignore
Now that more organizations than ever are realizing how dependent they are on software, a lot more time and effort is being put into discovering application vulnerabilities. But a report published this week by HackerOne, an online service for contracting hackers, notes that 93 percent of the companies on the 2017 Forbes Global 2000 list still do not have a policy in place governing how they receive, respond to, and resolve critical bug reports submitted by third parties.
That suggests most of the work being done to discover application vulnerabilities is being done either by the team that developed the application or by cybersecurity professionals who typically don't have much application development expertise.
The HackerOne report says organizations such as Google, Microsoft and Intel are offering bounty awards of up to $250,000 for critical issues. Obviously, most smaller companies are not going to be able to afford to reward third-party hackers at that level for finding vulnerabilities. But arguably hackers who specialize in finding vulnerabilities are going to be both more efficient and more effective at discovering them. The average bug bounty paid for a critical vulnerability in the past year was $2,000, the report finds. That is a lot less expensive than the cost of remediating an application after a vulnerability has been exploited.
In fact, the HackerOne report finds, based on 72,000 security vulnerabilities that were resolved in the last year, that the number of high or critical severity vulnerabilities being resolved increased 24 percent. The total number of high or critical severity vulnerabilities increased 22 percent, according to the report. Overall, a full 80 percent of submitted and qualified reports were deemed to be valid.
The report also notes that consumer goods, financial services and insurance, government, and telecommunications together account for 43 percent of today's bug bounty programs. Automotive programs increased 50 percent in the past year and telecommunications programs increased 71 percent. Enterprises across industries saw a 54 percent increase in year-over-year adoption. That means usage of vulnerability bounty programs is now expanding well beyond developers of packaged applications destined to be deployed on-premises or in the cloud.
Much of the focus in application development circles these days is rightly on employing DevSecOps processes to eliminate vulnerabilities before an application gets deployed in a production environment. But as laudable as those efforts are, it doesn't take much in the way of human error for a software component with known vulnerabilities to find its way into a production application. In fact, it's probable that the vulnerabilities in such a component were not yet known at the time it was deployed in production and only emerged after the fact. However, because of flawed patch management processes, any number of those vulnerabilities were never addressed. It's often only a matter of time before those vulnerabilities are exploited to spread malware laterally across the entire IT environment.
HackerOne reports that $11.7 million in bug bounties were paid to security researchers on its platform over the course of 2017. Relative to the amount of potential economic damage that could arise from those vulnerabilities being exploited, it would appear the return on investment (ROI) from providing bounties for discovering application vulnerabilities more than pays for itself.