A HackerOne report makes it clear that bounty programs work. So why aren't more companies using them?
Hackers gonna hack, but that doesn't mean we need to hand them the keys. While no code or system connected to the internet can ever claim to be impervious to attack, one of the best ways to secure code may actually be to invite hackers in: the right kind of hacker.
As a recent report from HackerOne uncovered, "hacker-powered [bounty] programs are increasingly viewed as vital for securing digital assets for the public sector," with the US Department of Defense, among others, paying up to keep nefarious hackers out. The good news, according to the report, is that the message of bounty programs is starting to sink in and deliver tangible results.
The enemy of my enemy had better know code
According to HackerOne, "With hacker-powered security testing, organizations can identify high-value bugs faster with help from the results-driven ethical hacker community." That's the theory, anyway. While we've bickered for decades over whether proprietary or open source code is more secure, the reality is that all code is essentially not secure. Not completely, anyway.
As such, the trick isn't to write perfect code, which is impossible, but rather to write and hack code in such a way that vulnerabilities get weeded out fast. This is one reason that open source has proven to be so popular: more secure or not, it offers easier access to discover and fix bugs.
SEE Why it's time to stop blaming open source for ransomware attacks (TechRepublic)
In recent years, bug bounty programs, run by companies like HackerOne, have upped the ante, giving enterprises a safe way to invite developers to scour their code for unknown risks. The alternative - to wait for the next WannaCry to pulverize your systems - seems like a very expensive mistake.
Indeed, many of the most egregious criminal attacks on enterprise code exploit gaping holes in open source (Shellshock) or proprietary software/protocols (which is what WannaCry exploits). In many cases, systems are exposed out of sheer laziness: IT simply hasn't taken the trouble to apply the appropriate security policies, or hasn't patched uncovered bugs.
Danny Palmer called this out for ZDNet, saying, "It's this failure to patch which is enabling the likes of WannaCry - and Conficker - to continue to be a purely opportunist threat when, in many instances, it could easily be stopped." In other words, sometimes your code is buggy, and sometimes it's your security practices that stink.
Either way, allowing white hat, friendly hackers into your code (and, potentially, your network) to find problems before the black hat, malicious hackers get there is a smart business practice. HackerOne's The Hacker-Powered Security Report 2017 makes this clear.
White hats vs. black hats
Pulling data from over 800 hacker-powered security programs, while also covering disclosure data from the world's 2,000 largest companies, HackerOne's report yields a few key findings:
SEE WannaCry: Why this ransomware just won't die (ZDNet)
- It's not just for tech: While over half of bug bounty programs launched in 2016 are for technology companies, 41% are from other industries. Governments, media and entertainment, financial services and banking, and ecommerce and retail industries all showed significant growth year over year.
- Getting better all the time. The average time to first response for security issues was six days in 2017, compared to seven days in 2016. Ecommerce and retail organizations fixed security issues in four weeks, the fastest on average.
- Good programs attract the best hackers. Programs that are the fastest at acknowledging, validating, and resolving submitted vulnerabilities are the most attractive to hackers. Loyalty matters — repeat hackers are to thank for the majority of valid reports.
- The bounty money keeps flowing. The average bounty paid to hackers for a critical vulnerability was $1,923 in 2017, compared to $1,624 in 2015 — an increase of 16%. The top performing bug bounty programs award hackers an average of $50,000 a month, with some paying nearly $900,000 a year.
- Top companies still want to pretend at top secret. Despite increased bug bounty program adoption and recommendations from federal agencies, 94% of the top publicly-traded companies still do not have known vulnerability disclosure policies — unchanged from 2015.
- Companies care most about security vulnerabilities. Seventy-three percent of surveyed customers said they are concerned about unknown security vulnerabilities being exploited, while 52% said they also fear customer data and intellectual property theft.
Of these, it's actually the first point that I find most heartening. As this chart shows, the world is waking up to bounty programs:
Tech was first to understand the need for bounty programs because its business is (generally) software. But if software is truly eating the world, then every company is effectively a software company, in desperate need of ensuring its code is hacked by the white hats, not the black hats.
Clearly there's work to be done, but the trends are going in the right direction.
- Why it's time to stop blaming open source for ransomware attacks (TechRepublic)
- WannaCry: Why this ransomware just won't die (ZDNet)
- How the DoD uses bug bounties to help secure the department's websites (TechRepublic)
- HackerOne CEO: The tech industry has some 'catching up to do' on software security (TechRepublic)
- Ransomware: An executive guide to one of the biggest menaces on the web (ZDNet)