New Shocking Things In Bug Bounty Programs You Cannot Miss
- Alex Smith
Updated on: 16/02/2023
Bug bounty programs are an initiative that benefits both parties involved. Bounty hunters are rewarded under the policies of a particular program, while the company offering the rewards learns about potential flaws in its systems and can take immediate steps to patch them. Many companies have launched such programs (both private and public bug bounty programs), and the number of bug hunters grows day by day, drawn by the attractive rewards.
Before we discuss the shocking things you will see in today's bug bounty programs, it is worth looking at one of the most promising programs in the space. Last year, on September 29th, the cybersecurity company HackerOne introduced the latest version of its Internet Bug Bounty (IBB) program. This program had helped locate over 1,000 security flaws in open-source software between 2013 and 2021.
The latest version of the program aims to reach even further by pooling the defenses from existing bug bounties, then dividing the bounties so that they effectively reward the stakeholders who actively contribute to the vulnerability management lifecycle, and by consolidating the vulnerability submission flow to improve the experience of participating researchers.
As the company noted, the IBB program helps advance supply-chain security. They also mentioned that the average application today uses 528 open-source components, offering malicious actors a plethora of vectors through which they can compromise software on which thousands of companies depend.
Another cybersecurity firm reported that most weaknesses in open-source projects go unnoticed and undetected for years. It is therefore important to run programs of this kind that bring the security community together.
Top 5 New Shocking Things With The Bug Bounty Programs
The newest initiatives of the above-mentioned firm, and the detection rates for open-source vulnerabilities, are not the only recent developments in bug bounty programs. Here are five other things that bug bounty websites reveal and that you should consider, as they are helping to shape the vulnerability management landscape.
1. Enhanced Priority One (P1) Submissions
In a 2021 report, the company Bugcrowd observed a rise in the number of Priority One (P1) submissions, that is, reports of severely critical software flaws. The crowdsourced security platform received 65% more P1 submissions in 2020 than in the previous year. This was on top of a 50% increase across all vulnerability submissions in the same period.
During that period, web applications accounted for most vulnerability submissions. However, this did not stop hackers from turning their attention to other areas such as Android devices and APIs.
P1 submission growth was not uniform across sectors in 2020. Consider software, for instance: Bugcrowd stated in its latest report that the number of submissions for software organizations in the first 10 months of the year had already exceeded the full volume for 2019, and P1 submissions had tripled by Halloween. It was a similar story in other sectors, including financial services: during the first and second quarters of 2020, buyers doubled their payments for P1 vulnerabilities affecting organizations in that industry.
2. Rise In The Number Of Hackers Submitting Bug Reports
HackerOne's 2021 Hacker Report disclosed that more hackers submitted bug reports in 2020 than in previous years. The number of hackers who submitted reports through its vulnerability coordination and bug bounty platform grew 63% in 2020, a 143% rise compared to the number of hackers who participated in 2018.
However, according to the company, hackers did not rely on submitting security vulnerability reports as their primary source of income in 2020. The majority, 82% to be precise, identified themselves as part-time hackers. Meanwhile, 35% of the remainder stated that they had a full-time job.
3. Many Bug Hunters Seeking Bounty Hacks To Learn
Numerous respondents to HackerOne's report said they see hacking as a promising future for themselves. A third said they had already leveraged their skills to secure a job. Just under a quarter of the security researchers said they were looking to pursue a career in information security by taking a role on an internal security team.
However, not everyone had the same aspirations or motivations. Three quarters of participating hackers said they hacked in order to earn bounties, while an even greater share (85%) explained that they did it to learn and expand their skills.
Six out of ten respondents said they used hacking to advance their careers, while around half indicated they were interested in hacking as a means of defending individuals and businesses against threats.
Bugcrowd observed that some researchers had used their hacking experience to build personal brands. Some started out as novices, but as they gained experience they attracted followers and grew their reputations. Some may have produced video and streaming content to promote their experience, becoming entrepreneurial thought leaders in the process.
4. Expansion Of Reports Of Misconfigurations & Human Errors
According to the above-mentioned report, hackers are increasingly submitting reports on misconfiguration issues. The vulnerability coordination platform also noted that misconfiguration reports jumped by 3210% in 2020. That said, misconfigurations did not make the list of the most common vulnerability types discovered by hackers in that period.
5. Lack Of A Clarified Reporting Process
Finally, hackers do not always submit their findings, owing to the lack of a clear reporting process. Half of the security researchers said they had chosen not to disclose a vulnerability at some point. Nearly a quarter of that sub-group said they lacked a clear channel through which they could report the security flaw.
Nearly the same proportion attributed their decision to an unresponsive host company, and 19% of hackers said they had not disclosed a flaw because no bounty was available for their work.
What Can The Organizations Do With The Findings?
Organizations can use the findings discussed above to strengthen their digital security efforts, and they can do so in several ways. First, it is apparent that bug bounty programs are steadily becoming more effective, so organizations that have not yet done so should consider making a bug bounty program part of their larger vulnerability management strategy. They can build a program internally or work with a provider such as a penetration testing company.
Second, organizations can use the findings on misconfigurations to focus on eliminating instances of human error. One way to do this is through security awareness training that educates employees and other personnel on the organization's security policies and relevant best practices.
Finally, infosec teams can apply best practices to make their bug bounty programs as clear as possible. This ensures that researchers have a way to work with the organization and contribute to its vulnerability management program over time.