A new report from HackerOne presents data suggesting that the bug bounty business might be recession-proof, citing increases in hacker registrations, monthly vulnerability disclosures and payouts in the midst of an economic downturn caused by the coronavirus pandemic.
According to the annual Hacker-Powered Security Report, new sign-ups on the HackerOne bug bounty platform during April, May and June 2020 represented a 69 percent jump over the same time period in 2019, and a 56 percent increase compared to January and February 2020.
Also, during April through June, the monthly average of incoming vulnerability reports rose 28 percent over January and February and 24 percent over the same period in 2019, and the number of bounty payouts climbed 29 percent compared to the first two months of the year.
A particularly telling statistic might help explain the trend: 30 percent of 1,400 surveyed security leaders told HackerOne they are now more open to accepting vulnerability reports from third-party researchers as a way to compensate for budgetary and staffing challenges posed by COVID-19.
This implies organizations during the ongoing COVID-19 crisis and global recession may find themselves relying more on external assistance from the greater hacking community as a way to augment their internal efforts to mitigate vulnerability risk. This, in turn, has opened up new opportunities for outside researchers.
Some companies, like Zoom, have found themselves fielding even more bug disclosures than usual because the pandemic "made them rapidly grow in popularity for both users and hackers," said Katie Moussouris, founder and CEO of Luta Security, a company that has helped companies – Zoom included – build organizational readiness for vulnerability disclosure.
Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s Zero Day Initiative (ZDI) program, told SC Media that he has similarly seen bug bounty activity trending upwards. In 2019, ZDI published 1,045 vulnerability advisories over the course of an entire year. This year, ZDI has already surpassed those numbers with 1,235.
“And it is not just from people familiar with ZDI. We’re also seeing an increase in new participants to our program,” said Gorenc. “We’re on pace for our busiest year ever. There are plenty of opportunities for researchers – both new and experienced – to find and report bugs.”
And while there is still relatively high demand for security talent in the workforce, it is worth noting that 30 percent of the security leaders surveyed by HackerOne this summer reported having to downsize their security teams as a result of the pandemic.
With that in mind, security professionals and researchers who have lost their corporate jobs during these economic hard times might consider bug bounty hunting as a source of income to support themselves until the right opportunity comes along again.
For that matter, Gorenc said even full-time security researchers who are still gainfully employed may be getting in on the action, because work-from-home conditions “afford them extra time and opportunity for finding and reporting bugs. Even if their primary source of income hasn’t been impacted, the extra income is always welcome.”
Bug hunters see opportunity
HackerOne connected SC Media with a pair of independent bug bounty hunters who also affirmed that opportunities continue to abound.
Jon Colston, a prolific vulnerability researcher who has accumulated over $1 million in bug bounties via HackerOne, said his past work in the consumer finance industry was actually far more unpredictable, due to a host of external factors such as “regulation, seasonal demand, economic conditions and liquidity markets."
In his old industry, if one of those variables changed, "so followed staffing. It was one big math equation where a headline in the papers would indicate how the next six months likely played out,” said Colston, who uses the hacker handle "Mayonaise" and has discovered more than 170 vulnerabilities in enterprise and government organizations.
By comparison, “the cybersecurity industry appears to be much less volatile,” Colston said. “At the start of the pandemic, I was concerned businesses would retreat to a defensive position, protecting employees by eliminating budget for all contract positions and VDP programs. Surprisingly, I witnessed the opposite. Companies shifted payouts to incentivize researchers to focus on bugs with higher impact, a move that mirrored the increasing threat from bad actors taking advantage of the lockdown.”
Hacker Tanner Emek, who uses the handle @cache-money and has reported 374 bugs via HackerOne over his lifetime, noticed that at the beginning of the pandemic a handful of programs reduced certain bounty payouts. But they "only did so for low and medium severity bugs, and either left high and critical payouts the same, or even increased them,” he said.
Overall, however, “The vast majority of programs left their bounty tables untouched and continued normal operations while still having occasional bonuses,” Emek continued. “I think the reaction to this reflects on how important companies see security today. They realize security is not the place to be cutting costs, since that can end up doing far more damage in the long-term.”
“I've seen many new hackers getting involved recently. With so many companies to hack, there's no shortage of bugs to be found,” Emek added. One advantage of bug bounty programs is that they are accessible to everyone, not only security professionals. With the free educational resources out there, Emek predicts a lot of new hackers from non-traditional backgrounds dipping their toes into the field.
Still, experts point out that it’s not easy to make a living bug hunting.
“The vast majority of bug bounty hunters in Western countries cannot make a decent income,” said Moussouris. HackerOne’s own data year-over-year demonstrates this point, she noted: Out of more than 830,000 registered hackers, only about 9,000 earned something on HackerOne. "Also, the majority of the bug bounty programs on HackerOne are private, so most hackers won’t even be invited to attempt to earn money from those programs.”
Gorenc was a little more hopeful: “It is possible to be a full-time bug hunter, but it’s rare,” he said. “It takes a lot of time and dedication to go along with a broad skillset and, most importantly, the proper mindset to make a living on bug hunting alone. Most people who report to bug bounty programs consider it more of a side hustle.”
Moussouris, who helped the U.S. Department of Defense launch the government's first bug bounty program, "Hack the Pentagon," also has a warning for organizations: Bug bounty programs should never be treated as a total replacement for in-house security expertise, even with the recession forcing various budget and staffing cuts.
“We’re seeing that the bug bounty programs and VDPs [vulnerability disclosure programs] holding up the best during the pandemic are the ones that invested more internally on security people, process, and technology,” she remarked. “Now more than ever, bug bounties should be complementary to your other security due diligence, never a replacement.
“As a former penetration tester, and creator of many of the world’s first and largest bug bounty programs… I can say that no amount of money thrown at a bug bounty program or penetration test will ever be more efficient than building security in from the ground up.”