White-hat hackers find record number of vulnerabilities

White-hat hackers have earned $11.7m by enabling organisations to resolve 27,000 vulnerabilities in the past 12 months, according to HackerOne, currently the world’s largest bug bounty and vulnerability disclosure platform, which connects organisations with a community of about 200,000 ethical hackers.

Hackers are finding more severe vulnerabilities than ever before, the 2018 Hacker-powered security report shows, with critical vulnerabilities earning higher bounties.

The total number of high or critical severity vulnerabilities increased by 22% in 2017, with 24% of resolved vulnerabilities being classified as high to critical severity across industries.

As a result, the average award for a critical vulnerability jumped by 33% to $20,000 for the top awarding programmes, the report said. A total of 116 unique critical vulnerabilities earned more than $10,000 each in the past year.

The top bounty awarded for a single report reached $75,000 in 2017, with the most competitive programmes, such as Google, Microsoft and Intel, offering $250,000 bounty awards for critical issues.

Meanwhile, the report said false positives are becoming a relic of the past, with 80% of submitted and qualified reports being valid.

“Crowdsourced security testing is rapidly approaching critical mass and adoption is expected to be rapid,” said Gartner.

Governments are leading the way with adoption globally, the report shows. In the past year, there has been a 125% increase in bug bounty programme launches in the public sector, with the European Commission and Singapore’s ministry of defence joining the US Department of Defense on HackerOne.

Proposed legislation such as the Hack the Department of Homeland Security Act and the Hack Your State Department Act and the US Department of Justice’s Vulnerability Disclosure Framework further demonstrate public sector support for hacker-powered security, according to HackerOne.

The report shows that in addition to the public sector, adoption of hacker-powered security is growing in the consumer goods, financial services and insurance, telecommunications and automotive sectors.

Automotive industry bug bounty programmes rose by 50% in the past year and telecommunications programmes increased by 71%.

Overall, there was a 54% increase in enterprise vulnerability disclosure policy adoption in the past year, with the likes of Goldman Sachs, Toyota and American Express adopting such policies.

But despite this increased adoption, HackerOne said leading organisations still remain vastly underprepared for effective discovery, communication, remediation and disclosure of vulnerabilities because 93% of the 2017 Forbes Global 2000 list do not have a policy to receive, respond and resolve critical bug reports submitted by third parties.

“The world is embracing the highly skilled and creative hacker community to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A model once reserved for the largest, tech-advanced companies in the world, is now being implemented by organisations of any size, industry and connected corner of the globe.”

Organisations in the US continue to pay the highest volume of bounties to hackers around the globe (83%), followed by Canada, while organisations in the UK have risen to third place from sixth in 2016.

The report also shows that hackers in the US earned 17% of all bounties awarded, with India (13%), Russia (6%), the UK (4%) and Germany (3%) rounding out the top five highest-earning countries. Hackers in Germany are on a roll, earning 157% more in 2017 than in 2016.

Private bug bounty programmes currently make up 79% of all bug bounty programmes on HackerOne, down from 88% in 2017 and 92% in 2016, which means more programmes are going public on HackerOne. 

The majority of public bug bounty programmes are from the technology sector (63%), followed by financial services and banking (9%), and media and entertainment (9%). By contrast, nearly 100% of programmes are private in the consumer goods, healthcare and telecommunications industries.

Taking a close look at the top 15 vulnerability types reported on HackerOne, cross-site scripting (XSS) continued to be the most common vulnerability across all industries, apart from healthcare and technology. For these industries, most reports related to information disclosure.

The latest hacker-powered security report is based on data collected from more than 1,000 bug bounty and vulnerability disclosure programmes around the world.

The report also includes analysis of nearly 72,000 resolved vulnerabilities and vulnerability disclosure programme data from Forbes Global 2000 companies, plus insight from HackerOne’s community of more than 200,000 registered hackers.