Vulnerability Disclosure Programs See Signups & Payouts Surge

Published: 23/11/2024   Category: security

More than $44.75 million in rewards were paid to hackers over the past year, driving total payouts beyond $100 million.

Security researchers have been busy over the past year, earning more than $44.75 million in bounties for vulnerability disclosure. More organizations are adopting vulnerability disclosure programs (VDPs), experts say, and they're paying hackers more for the critical flaws they find.
HackerOne today published its fourth annual Hacker Powered Security Report, which takes a closer look at trends in VDPs and the businesses adopting them. Hackers have discovered more than 180,000 vulnerabilities via HackerOne, and one-third of those were reported in the past year alone as more businesses pursue VDPs to better secure all parts of their environment.
Data indicates more organizations across industries are interested in launching these programs. VDPs are most common in computer software as well as Internet and online services, which together make up nearly half of all programs and paid more than 72% of all bounties in the past year. Now, experts see multiple industries with more than 200% program growth year-over-year: computer hardware (250%), consumer goods (243%), education (200%), and healthcare (200%). 
"They're all industries that are increasingly dependent on technology," says Alex Rice, HackerOne's co-founder and CTO. While all had demonstrated VDP growth in the past, this marks the first time that researchers have seen this level of more than 200% growth across every sector.
What's driving the surge? Rice says the increase in VDPs can largely be attributed to two key factors: normalization of VDPs and an increase in mandates from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
"I think the norms have been slowly shifting over the last few years," Rice says. "There was a long period of time when organizations could get away with just ignoring reports, threatening cease-and-desist letters, getting by on silence. This was usually enough to make researchers step back, but that has been changing a lot. Now, those who have a bad disclosure experience, or see someone ignore a security report, are more comfortable coming forward."
"It's beginning to be viewed as negligence, and I think that's exactly how it should be viewed," he says of organizations that refuse to act on reported vulnerabilities.
Late last year, CISA published a binding operational directive mandating most executive branch agencies to create a vulnerability disclosure program. Following feedback, CISA recently issued the final version of BOD 20-01, in which it says VDPs are "an essential element of an effective enterprise vulnerability management program and critical to the security of internet-accessible federal information systems."
The increase of vulnerability programs is encouraging greater participation from the hacker community. Much of the participation spike is related to programs kicking off, especially within industries where security researchers are already active or interested.
"The biggest source of driving new hackers into these programs is brands that those hackers love sanctioning this activity," Rice says.
Remote Businesses Rethink VDP Strategy
Businesses supporting a greater number of remote employees have begun to rethink their VDPs and make wider swaths of their corporate infrastructure available to test, Rice says. And more hackers are interested: HackerOne saw new hacker signups increase 59%, and submitted bug reports grow by 28%, in the months immediately following the start of the coronavirus pandemic.
"The most interesting thing that happened over the last few months was programs have been very deliberate about what's in scope," he explains. "Many have begun to expand and include attack surface that wouldn't have been included in the past. Those who opened up work-from-home or remote attack scenarios have learned the mistakes they made in transitioning quickly."
Historically, most VDPs have focused incentives on customer-facing assets and attack surface. Early efforts wanted to protect customers and users; that's where their efforts were focused. Now, they're curious about holes in third-party systems or applications meant for employees. Many programs have expanded to include back-end business support systems.
While this is a natural evolution of VDPs, it usually takes a long time for companies to arrive at this stage, Rice says. Before COVID-19, only a handful of HackerOne's customers, such as Facebook and Twitter, included VPN infrastructure in the scope of their VDP policies.
"It was nowhere near the norm, and that's quickly become the norm over the past few months," he continues. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter."
This change is reflected in the most common types of vulnerabilities disclosed in the past year, HackerOne reports. Cross-site scripting (24%) was the most common flaw reported, taking the top spot from information disclosure (18%), which fell in second place. Other reported flaws include improper access control (10%), improper authentication (6%), and open redirect (6%).
Improper access control vulnerabilities have increased in volume and criticality, says Rice, and organizations are treating them with greater urgency. In addition, they're updating instructions for hackers in the community to communicate the risks they're currently worried about.