Bug bounties - security vulnerabilities just got more valuableTuesday, March 7, 2017
Security flaws are getting harder to find, says Google, as others set to follow boost in bounty values…
Web giant Google has announced a rise in bug bounties, a move immediately paralleled by Microsoft.
Since 2010, Google has offered a range of rewards: from $100 for low severity issues, up to $20,000 USD for critical vulnerabilities once confirmed. However, the company has now uprated these, increasing the reward for “Remote Code Execution” on the Google VRP from $20,000 to $31,337 - a whopping 56.7 per cent increase. The bounty for uncovering “Unrestricted file system or database access” has jumped too, from $10,000 to $13,337 USD - an only slightly less inspiring 33.37 per cent increase.
"Because high severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program, and so we're making some changes to our VRP." said Josh Armour, security program manager in a blogpost.
Microsoft meanwhile has set out its stall with a minimum payment of $500 up to a maximum of $15,000, a sliding scale based on the impact of the vulnerability.
However, to get the ball rolling, from March 1 to May 1, 2017, any eligible vulnerability submitted for Microsoft Office 365 Portal and Microsoft Exchange Online will be eligible for double rewards, so up to $30,000 if it’s submitted in the next two months.
Ilia Kolochenko, CEO of High-Tech Bridge commented: “This potential ‘pay-rise’ for white hat hackers tells something for certain - that Black Hats are paying more for vulnerabilities, and even the highest bounties offered by Google and Microsoft are no longer competitive with what cybercriminals can offer now.”
It is a matter of considerable financial risk for well-trained, competent white hat researchers - why gamble on being the first to report a security flaw when the IT security industry is suffering an enormous employment shortage. A recent report by ISACA found that more than 25 per cent of companies report that the time to fill priority cyber security and information security positions can be six months or longer, and in Europe, almost one-third of cyber security job openings remain unfilled.
"The main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants," said the report's authors. Perhaps ironically, 55 per cent of enterprises believe a key quality for cybersecurity positions is hands-on experience.
Kolochenko agreed: “The rise in bounty clearly means that talented White Hat security researchers are too busy with their well-paid daily jobs to bother spending time hunting risky bounties (even if you find a flaw, but someone has found it one minute before you - you will get $0). Increasing the bounty rates may address the issue in the short term, but longer term the industry will need to evolve…”
The issue certainly isn’t about headline spend, however, with Google spending $3m in 2016 alone on bug bounties across its platforms. Some memorable bounties include $200,000 paid out by Microsoft to Vasilis Pappas for his ‘kBouncer’ programme, which blocks any Return-Oriented Programming (ROP) attack from running, and Andrew Leonov, who scooped $40,000 from Facebook for finding a ‘remote code execution’ flaw with its open-source photo editing software, ImageMagick.
Perhaps part of the reason for the increase in headline bounties from individual enterprises is to attract security researchers away from the increasingly successful ‘community’ bug bounty platforms - such as Open Bug Bounty and HackerOne. The latter recently announced a further $40 million investment in a platform it claims has 700 customers on board, 100,000 hackers, and total payouts to date of $14m.
Whether they will be successful will be an interesting question to examine over the coming months, and will undoubtedly come down to trust in the processes as much as it will technical ability, or the scale of headline bounty payments. One thing is certain, that we’ll see other enterprises follow suit…