The Ministry of Defence has paid out the first bug bounties to ethical computer hackers who probed web-accessible systems for vulnerabilities, according to a cheery missive from HackerOne. A month-long "Hacker security test" culminated in a couple of dozen folk being handed unspecified rewards - and marked the first public confirmation of HackerOne's UK government partnership.
Microsoft this week revealed that it paid out more than $13.6 million in bug bounties between July 1, 2020, and June 30, 2021. As part of the company's 17 bug bounty and grant programs, participating security researchers can earn awards as high as $250,000 - the highest rewards are for critical vulnerabilities in Hyper-V. More than 340 security researchers across 58 countries received payouts as part of Microsoft's bug bounty programs over the past year, with the largest single amount awarded by the company being $200,000, for a Hyper-V vulnerability.
Inhibitor181 is the first bug bounty hunter to earn more than $2,000,000 in bounty awards through the vulnerability coordination and bug bounty program HackerOne. HackerOne says that, so far, only 9 bug bounty hunters have earned $1 million on the platform, with Jon Colston being the ninth hacker to reach this goal after reporting over 170 vulnerabilities in government and enterprise organizations.
Vulnerability submissions have increased over the past 12 months on at least one crowdsourced security platform, with critical issue reports recording a 65% jump. This year, vulnerability submissions through Bugcrowd recorded a 50% increase, while Priority 1 reports grew by 65%. Web apps remain hackers' top target, although they are diversifying their targets to stay competitive.
Social media giant Facebook this week announced that it has paid out more than $11.7 million in bug bounties since 2011. To date, more than 50,000 researchers have signed up for the company's bug bounty program, and approximately 1,500 of them, from 107 countries, have received a bug bounty reward, the company says.
You might not make a million dollars, but hackers are making good money from reporting vulnerabilities.
A team of vulnerability spotters have netted themselves a six-figure payout from Apple after discovering dozens of security holes in the Cupertino giant's computer systems, some of which could have been exploited to steal iOS source code, and more. Curry said the group decided to target Apple's public-facing networks in July, a few weeks after seeing the story of Bhavuk Jain, who earned $100,000 for finding a bug in Apple's customer sign-in system.
Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million. Signups went up 59% as a result of the global coronavirus crisis, while the number of submitted bug reports went up 28%. In the months immediately following the start of the COVID-19 pandemic, organizations paid 29% more bounties, with the total paid in bounties going up 87% compared to last year.
"The nature of product abuse is constantly changing," wrote Google's Marc Henson, lead and program manager for Trust & Safety, and Anna Hupa, senior strategist, in a blog this week. "The final reward amount for a given abuse risk report also remains at the discretion of the reward panel. When evaluating the impact of an abuse risk, the panels look at both the severity of the issue as well as the number of impacted users."
While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities. Katie Moussouris, once the architect of Redmond's bug-bounty program and now the CEO of Luta Security, fears there's a growing over-emphasis on external bug rewards - rewards for outside experts finding holes in software after it is released to the public - as opposed to investment in staff and resources to limit the release of buggy code in the first place.