Technology firms' engagement with ethical hackers at all-time high

As cyberattacks shoot up, tech firms are engaging with independent researchers more than ever

Sourabh Lele New Delhi
Last Updated: Mar 29 2023 | 4:02 PM IST

Last year Google was able to identify and fix 2,900 security issues across Android, Chrome, and Play – thanks to its Vulnerability Reward Programs (VRPs), which incentivise ethical hackers for discovering bugs. As cyberattacks shoot up, tech firms are engaging with independent researchers more than ever.

Google awarded its highest bug bounty ever, worth $605,000, for a critical exploit chain report last year. The tech giant awarded a total of $12 million to the researchers taking part in VRPs in 2022, which is six times higher than what it paid in 2015. Some 703 researchers from 68 countries participated in the program.

Zoom Video Communications, Inc., which offers virtual meetings software, has been engaging with the HackerOne program to attract active security talent. The company awarded $3.9 million in bounties to hundreds of researchers in the fiscal year 2023. It has spent $7 million on the program since it began.

“We’re evolving our program to add a companion scoring system called the Vulnerability Impact Scoring System (VISS) that analyzes 13 different aspects of impact for each vulnerability reported as they relate to the Zoom infrastructure, technology, and security of customer data. With the implementation of VISS, Bug Bounty can focus more on measuring responsibly demonstrated impact, rather than the theoretical possibility of exploitation,” Zoom said in a statement. 

Zoom’s Bug Bounty program is also implementing a new vulnerability impact scoring system to help researchers improve bug detection apart from the widely accepted Common Vulnerability Scoring System (CVSS).

“Beyond identifying vulnerabilities, outside researchers’ support has helped us make other forms of progress at Zoom. We used these reports to demonstrate items that needed attention, flag root-level causes for issues, create better cross-functional alignment, and find potential threats before they become a problem. As a result, our time to resolve bug bounty reports has significantly improved over the past two years,” the company said in a statement.

The use of bug bounty hunters to track vulnerabilities within the system has been gaining traction with the rise in cybersecurity attacks. The global cybersecurity research community is contributing to organisations’ preparedness by early detection of critical loopholes in the systems.

According to Kaspersky, the second half of 2022 witnessed the highest rate of attacks against industrial sectors with 27 per cent of computers affected in India. A rising number of attacks were carried out using malicious scripts, phishing pages (JS and HTML), etc. Kaspersky security solutions blocked malware from 7,684 different families on industrial automation systems in H2 2022, the Russian multinational cybersecurity company said.

Data shared by the government shows that India witnessed around 13.91 Lakh cyber security incidents in 2022. Detection of vulnerabilities became increasingly crucial as over 45 per cent of Indian organisations hit with ransomware attacks were repeat victims, as per a study by cloud security company Barracuda Networks.

For Meta Platforms, the focus was on connecting the bug bounty community with the Metaverse and fixing any potential bugs in virtual reality (VR) headsets and smart glasses. It also released new payout guidelines for VR technology, including bugs specific to Meta Quest Pro.

“Since 2011, we have encouraged security researchers to responsibly disclose potential issues so we can fix the bugs, and publicly recognize and reward their work. Our bug bounty program has been instrumental in helping us quickly detect new bugs, spot trends, and engage the best security talent outside of Meta to help us keep the platform safe,” a Meta spokesperson told Business Standard.

So far, the social media network has received more than 170,000 reports, of which more than 8,500 were awarded a bounty. In 2022 it received around 10,000 reports and issued bounties on more than 750 reports. Meta awarded a total of $2 million to researchers from more than 45 countries.

Apart from companies offering a bug bounty to white hat hackers, many are also hiring platforms like HackerOne, SynAck, or BugCrowd to probe their infrastructure, website, and applications for potential vulnerabilities. Hackers who are members of the platform are given the opportunity to discover vulnerabilities, which are then passed back to the hiring company.
