Bug Bounty programs are more popular than ever these days. Leading companies such as Google, Mozilla, Facebook, and many others are offering bounties as high as $60,000 for hackers who can find critical vulnerabilities in their programs. Just yesterday Google increased the total reward pot to $3.14159 million for “Pwnium,” its Chrome hacking contest. It’s great to see so many organizations taking security seriously, but the question remains…
In June of 2013 this graphic was updated to include Microsoft's new bug bounty program; a mage avatar from Gaia Online was used to represent them. We take no credit for the design; refer to their website for other wicked awesome looking avatars.
Companies ranging from Google to Etsy are rushing to pay hackers to disrupt their security systems. Why? As the thinking goes, who better than a hacker to beat a hacker.
Companies with Bug Bounty Programs
Mozilla launched one of the first such bounty programs in 2004 for successful attacks against its then-fledgling Firefox browser. To date, the company has paid more than $750,000 in bug bounties.
Google has paid out more than $1.2 million
Not all threats created equal
Facebook usually pays $500 per bug but has paid upwards of $10,000 for a few major bugs
Google operates several bounty programs, including "Chromium" and "Pwnium"
Chromium pays between $500 and about $1,300 for attacks against Chrome and Chrome plug-ins
For vulnerabilities in some of its brands, such as Gmail, YouTube, and Blogger.com, it pays as much as $20,000 for an advanced bug
But Google's Pwnium contest is truly the mother lode. The program requires researchers not only to find vulnerabilities in Google programs but also to submit working attacks that exploit them. The total purse was recently increased to $2 million, and individual awards go for $20,000, $40,000 and $60,000 for major bugs
Some of the Internet's giants don't offer bounty programs, but that doesn't mean they don't benefit from the work of researchers who expose vulnerabilities
Adobe and Apple are three of the biggest companies that don't offer bounties
Microsoft's new BlueHat security program does pay up to $250,000 to security professionals who can develop the best counter-attacks; the company says that's better than a bounty program
Others with "Hall of Fame" or responsible disclosure websites but no bounties:
Do bounty programs help?
The companies that operate bug bounty programs certainly would argue that these programs have made their products safer and kept users' information protected
"It's a hard measurement to take, but we're seeing a fairly sustained drop-off in the number of incoming reports we're receiving from the Chromium program." - Chris Evans, Information Security Officer at Google
A majority of app vendors fail to achieve compliance/security on their first review:
62% - Enterprise Policy
70% - CWE/SANS top 25
90% - OWASP top 10
Top Flaws found in Vendor web apps
79% - Information Leakage
71% - Cross-site Scripting (XSS)
67% - Cryptographic Issues
67% - Directory Traversal
63% - CRLF Injection
51% - Time and State
48% - Insufficient Input Validation
40% - SQL Injection
Creating an effective vendor application security program
Rather than relying on bug hunters and vendors to retroactively fix their software vulnerabilities, enterprises are establishing programs to test the security of vendor supplied applications
There are a few steps enterprises should follow to create effective vendor application security programs:
Policy Definition: Create policies that outline the goals, methodology, and timeline for testing and remediation
Communicate Requirements to Vendors: Provide vendors with a security analysis mandate that outlines the analysis options and timeline for remediation
Vendor Education: Provide written guidance and address questions from vendors. Educate vendors on entire analysis and remediation process
Communication and Execution: Use project management to minimize delays and drive vendor participation
Results Communication: Review test results and work with vendors to remediate vulnerabilities
Nate joined Veracode as a marketing specialist in early 2012. He is one of Veracode’s first co-ops from Northeastern University, where he is majoring in entrepreneurship and new venture management while minoring in music. He has various responsibilities at Veracode, including blogging, SEO, and infographic design.