Security News
Inhibitor181 is the first bug bounty hunter to earn more than $2,000,000 in bounty awards through the vulnerability coordination and bug bounty program HackerOne. HackerOne says that, so far, only 9 bug bounty hunters have earned $1 million on the platform, with Jon Colston being the ninth hacker to reach this goal after reporting over 170 vulnerabilities in government and enterprise organizations.
Vulnerability submissions have increased over the past 12 months on at least one crowdsourced security platform, with critical issue reports recording a 65% jump. This year, vulnerability submissions through Bugcrowd recorded a 50% increase, while Priority 1 reports grew by 65%. Web apps remain the hackers' top target, although they are diversifying their targets to stay competitive.
Social media giant Facebook this week announced that it has paid out more than $11.7 million in bug bounties since 2011. To date, more than 50,000 researchers have signed up for the company's bug bounty program, and approximately 1,500 of them, from 107 countries, have received a bug bounty reward, the company says.
You might not make a million dollars, but hackers are making good money from reporting vulnerabilities.
A team of vulnerability spotters has netted itself a six-figure payout from Apple after discovering dozens of security holes in the Cupertino giant's computer systems, some of which could have been exploited to steal iOS source code, and more. Curry said the group decided to target Apple's public-facing networks in July, a few weeks after seeing the story of Bhavuk Jain, who earned $100,000 for finding a bug in Apple's customer sign-in system.
Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million. Signups went up 59% as a result of the global coronavirus crisis, while the number of submitted bug reports went up 28%. In the months immediately following the start of the COVID-19 pandemic, organizations paid 29% more bounties, with the total paid in bounties going up 87% compared to last year.
"The nature of product abuse is constantly changing," wrote Google's Marc Henson, lead and program manager for Trust & Safety, and Anna Hupa, senior strategist, in a blog post this week. "The final reward amount for a given abuse risk report also remains at the discretion of the reward panel. When evaluating the impact of an abuse risk, the panels look at both the severity of the issue as well as the number of impacted users."
While the payouts are a nice figure for Microsoft to throw out there when talking up its bug bounty program, they may not be an indicator of healthy long-term security priorities. Katie Moussouris, once the architect of Redmond's bug-bounty program and now the CEO of Luta Security, fears there's a growing over-emphasis on external bug rewards - rewards for outside experts finding holes in software after it is released to the public - as opposed to investment in staff and resources to limit the release of buggy code in the first place.
In 1965, Gordon Moore published a short informal paper, Cramming more components onto integrated circuits. Based on not much more than these few data points and his knowledge of silicon chip development - he was head of R&D at Fairchild Semiconductor, the company that was to seed Silicon Valley - he said that for the next decade, component counts by area could double every year.
HackerOne announced that hackers have earned $100 million in bug bounties on the HackerOne platform. From $30,000 paid to hackers across the globe in October 2013 - the first month of bounty payments on HackerOne - to $5.9 million paid to hackers in April 2020, working with hackers has proven to be both a powerful way to pinpoint vulnerabilities across digital assets and more than just a pastime.