Bug bounty and vulnerability disclosure programs are becoming increasingly important to organizations and hackers alike, which is reflected in research from vulnerability coordination platform provider HackerOne.
Key findings from "The Hacker-Powered Security Report 2018," which draws on HackerOne data from more than 1,000 bug bounty and vulnerability disclosure programs, included:
- The average bounty paid for critical vulnerabilities across all industries on the HackerOne platform totaled $2,041 in 2017, which represented a 6 percent year-over-year increase.
- Across all industries, 116 individual bounties over $10,000 were awarded in 2017, up more than 30 percent year over year.
- Hackers were awarded $11.7 million as part of bug bounty programs over the past year.
- 18 countries have hackers earning a combined $500,000 or more annually, and 44 countries have hackers earning a combined $100,000 or more annually as of April 2018.
- Hunting bugs is potentially 16x more lucrative than an alternative job as a software engineer.
- Over 90 percent of hackers are under the age of 35, and 44 percent are IT professionals.
- 58 percent of hackers are self-taught, and less than 5 percent learn their skills in the classroom.
Hacker-powered security creates both opportunities and challenges for organizations, HackerOne indicated. To reap the benefits of hacker-powered security, organizations must develop and deploy best practices for starting and running bug bounty and vulnerability disclosure programs.
Key Components of a Vulnerability Disclosure Policy
A vulnerability disclosure policy (VDP) can serve as the basis for an organization's bug bounty or vulnerability disclosure program, HackerOne stated. It instructs hackers on how to submit vulnerability reports and defines how an organization will handle these reports.
HackerOne indicated a VDP should include the following components:
- Promise: Provides a "good faith commitment" to customers and other stakeholders who may be impacted by security vulnerabilities.
- Scope: Outlines the properties, products and vulnerability types that the policy covers.
- "Safe Harbor": States hackers who identify vulnerabilities in good faith will not be penalized.
- Process: Describes the process used to report vulnerabilities.
- Preferences: Sets expectations about the organization's preferences and priorities for how hacker reports will be evaluated.
Ninety-four percent of the top global companies do not have a VDP in place, HackerOne pointed out. Yet a VDP is quickly becoming a best practice and regulatory expectation for businesses of all sizes and across all industries.
With an effective VDP in place, companies can strengthen their security posture, according to HackerOne. An effective VDP also mitigates the risk of unauthorized disclosure and illegal hacking and ensures an organization can optimize the value of its bug bounty or vulnerability disclosure program.