Bug Bounties Surge as Firms Compete for Talent

Published: 23/11/2024   Category: security




Companies such as GitLab, which today increased its payment for critical bugs by 75%, are raising bounties and bonuses to attract top-notch researchers.



DevOps platform firm GitLab has increased its payout for critical vulnerabilities by 75% with a new commitment to pay between $20,000 and $35,000 for critical issues, and raise the top payout for other severities by 50%, the company said on Nov. 22.
The company joins a host of other firms raising their payouts for researchers who find and report software vulnerabilities to be fixed by developers. In the last two years, Microsoft, Google, and Atlassian have all raised their rewards for researchers who report bugs. The market has heated up as companies recognize that bug bounties supplement their in-house security programs, reduce risk, and ultimately lower the cost of identifying vulnerabilities, says Johnathan Hunt, vice president of security for GitLab.
"Which ends up being both good and bad," says Hunt. "It is good in the way that we are improving our application security; ... we are shifting security left and finding vulnerabilities before they become public. But that said, it also does kind of discourage researchers from spending extra time on our platform."
Thus, the company's increase in bounties for vulnerabilities.
This trend in bug bounty programs underscores the difficult balance that companies have to strike between engaging with researchers and simultaneously adopting tools and processes that make vulnerabilities less likely. Overall, researcher interest in bug bounty programs has grown: Bug bounty management firm HackerOne claims 63% more researchers submitted vulnerabilities in 2020 than during the previous year. However, security issues in mature products are generally harder to find, especially the critical vulnerabilities that result in the highest bounties.
As tools improve and companies become better at application security, the easiest to find vulnerabilities — so-called low-hanging fruit — disappear and only hard-to-find issues are left. This means as the bug bounty ecosystem matures, maintaining the interest of researchers requires larger bounties, says Casey Ellis, founder and CTO of crowdsourced vulnerability firm Bugcrowd.
"When an organization has their incentives set at a certain level and the velocity of valid reports starts to calm down, it's almost a graduation of sorts: Time to increase rewards and progress to the next level," he says. "Doing so activates hackers who might not have been as interested in a lower bounty, and also has the effect of encouraging greater focus from all participants."
By increasing its bounties, GitLab keeps pace with many other software-focused companies. A year ago, Microsoft boosted its top Windows bounty to $100,000, adding high-impact bonuses over the past year to a variety of applications and cloud services. Microsoft runs 17 different bug bounty programs, across which 341 researchers submitted a total of 1,261 qualifying reports, earning a combined $13.6 million in the year ending June 2021. Google almost doubled the amount it paid out to bug hunters in 2020, awarding $6.7 million to 662 researchers, with a top award of $132,500 for a single vulnerability.
Atlassian doubled its own top reward to $10,000 in May 2021 for its core cloud products. GitHub, a competitor to both GitLab and Atlassian's Bitbucket, paid out more than $524,000 to researchers for 203 reported vulnerabilities. GitLab's maximum payout is now $5,000 more than GitHub's cited maximum, but GitHub maintains it has an open-ended policy and could pay more for especially serious vulnerabilities.
Competition between companies will likely result in greater demand for researchers, GitLab's Hunt says.
"By raising our rewards, we are trying to increase the excitement and engagement and focus on our program," he says. "We are trying to attract a broader set of talent and skill sets globally. Honestly, it really is getting more difficult to find vulnerabilities on our platform. That is some of the feedback we have received."
GitLab and other companies are still working on the right strategy for attracting the most suitable researchers to analyze their platforms. But paying more in bounty money for the most critical flaws is not necessarily the way to go, says Hunt.
"In our case, we could have increased our bug bounties to $100,000, but there are only a couple of those that are found every year, so if we only did that, we would only probably be paying two people a lot of money," he says. "Most people don't catch the P1s [priority 1 issues], and that discourages the rest from participating in the program. We are trying to increase engagement across the board."
In addition, the population of bugs will likely never be exhausted because new software is being created — and updated — all the time, says Bugcrowd's Ellis. More than 15 years after hacker Samy Kamkar found a cross-site scripting (XSS) vulnerability in the social media service MySpace, demonstrating the potential for XSS to be a major issue, vulnerabilities of the same class are still easy to find because they are hard to prevent and an easy error for developers to make.
While the super hunters might get the most lucrative payouts, consistent bug finders are common and will continue to have material to work with, Ellis says.
"Within all groups, there are people who focus on complicated attack chains and business logic exploitations, then there are those who look for simpler issues but usually in ways that others haven't thought of before," he says. "It really does take a crowd."
