As the incidence of cyber attacks shoots up, tech firms are looking to ethical hackers and independent researchers to detect vulnerabilities and fix them. For example, last year Google was able to identify and fix 2,900 security issues across Android, Chrome and Play, thanks to its Vulnerability Reward Programmes (VRPs), which incentivise ethical hackers to discover bugs.
Google awarded its highest bug bounty ever of $605,000 for a critical exploit chain report last year. And it paid a total of $12 million to researchers taking part in VRPs in 2022, which is six times higher than what it paid in 2015. Some 703 researchers from 68 countries participated in the programme.
With cybersecurity attacks having gone up multiple times, the demand for bug bounty hunters, ethical hackers, certified cyber security professionals and security researchers has gone up as well.
According to cybersecurity company HackerOne’s 2022 Hacker-Powered Security Report, hackers have now earned more than $230 million on the platform. Twenty-two hackers have earned over $1 million in bounties, up from nine who earned similar sums last year. In fact, 92 per cent of ethical hackers say they can find vulnerabilities that scanners cannot.
According to the HackerOne report, 46 per cent of ethical hackers say they are motivated to do the job to protect businesses and their users. Though around 70 per cent of them work on this part time, 47 per cent say they are hacking more this year than they did in 2021. Sixty-eight per cent say that the money earned from hacking makes up less than half of their income. And 79 per cent say they hack to learn, while 72 per cent say that they are in it for the money.
In the past year, the hacking community has found over 65,000 customer vulnerabilities.
Vulnerability types introduced by digital transformation have seen the most significant growth, with misconfigurations growing by 150 per cent and improper authorisation by 45 per cent.
Zoom Video Communications has been engaging with the HackerOne programme to attract active security talent. The company awarded $3.9 million in bounties to hundreds of researchers in the fiscal year 2023. It has spent $7 million on the programme since it began.
“We’re evolving our programme to add a companion scoring system called the Vulnerability Impact Scoring System (VISS) that analyses 13 different aspects of impact for each vulnerability reported as they relate to the Zoom infrastructure, technology, and security of customer data. With the implementation of VISS, bug bounty can focus more on measuring responsibly demonstrated impact, rather than the theoretical possibility of exploitation,” Zoom said in a statement.
The use of bug bounty hunters to track vulnerabilities has been gaining traction with the rise in cyber attacks. The global cyber security research community is contributing to the preparedness of organisations by early detection of critical loopholes in the systems.
According to Kaspersky, a Russian multinational cybersecurity company, the second half of 2022 witnessed the highest rate of attacks against industrial sectors, with 27 per cent of computers affected in India. A rising number of attacks were carried out using malicious scripts, phishing pages (JS and HTML), and so on. Kaspersky’s security solutions blocked malware from 7,684 different families on industrial automation systems in H2 2022, it said.
Government data shows that India witnessed nearly 1.4 million cybersecurity incidents in 2022. Detection of vulnerabilities became critical, as over 45 per cent of Indian organisations hit with ransomware attacks were repeat victims, according to a study by Barracuda Networks, a cloud security company.
For Meta Platforms, the focus was on connecting the bug bounty community with the Metaverse and fixing any potential bugs in virtual reality (VR) headsets and smart glasses. It also released new payout guidelines for VR technology, including bugs specific to Meta Quest Pro.
“Our bug bounty programme has been instrumental in helping us quickly detect new bugs, spot trends, and engage the best security talent outside of Meta to help us keep the platform safe,” a Meta spokesperson told Business Standard.
So far, the social media network has received more than 170,000 reports, of which over 8,500 were awarded a bounty. In 2022 it received around 10,000 reports and issued bounties on more than 750 of them. Meta awarded a total of $2 million to researchers from over 45 countries.
Apart from offering bug bounties to white hat hackers, companies are also hiring cybersecurity platforms like HackerOne, SynAck and BugCrowd to probe their infrastructure, websites, and applications for potential vulnerabilities.