While IoT vulnerabilities provided increasingly low-hanging fruit for bug bounty hunters in 2018, with payouts increasing by a massive 384 percent on the previous year, bugs in web applications still account for over 90 percent of all submissions.
This is according to the annual Priority One Report issued by San Francisco-based bounty hunter platform Bugcrowd, which highlights an overall 92 percent increase in total vulnerabilities reported over the previous year.
Average payouts for critical vulnerabilities, meanwhile, were up 27 percent to $2,669.92, arguably still a very low price point for a critical vulnerability that could result in major reputational damage or fines if exploited.
Bugcrowd said it's “no surprise” that the web is still the highest target for hunters, as it provides the largest attack surface, but noted the surge in IoT reports.
The Bugcrowd report points to an array of reasons for this dramatic increase, such as more open bounty programmes, and more devices being connected.
Yet, the report points out that while IoT vulnerabilities “capture our attention for their novelty and fear factor, they are still and by far outnumbered by vulnerabilities in web applications.”
Roughly 80 percent of the top-rated bugs, the ones that could have significant impact, are by their nature difficult for automated security tools to discover.
The vulnerabilities discovered by researchers tend to revolve around broken access controls, server security misconfiguration, sensitive data exposure and broken authentication & session management – all of which, the report notes, are “systemic issues with critical impact, and very few programming frameworks out there that protect against them. The ones that do are far from perfect.”
(The top five vulnerabilities typically discovered during 2018 are all on the OWASP Top 10 list: a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks.)
Financial Services Industry Steps Up
The industry more broadly has seen a significant increase in bug bounty pay-outs and industry-run responsible disclosure programmes.
The biggest increase was in financial services, which saw a year-on-year increase of 71 percent in available programmes; retail rose by 50 percent, and healthcare grew by 44 percent.
The report notes: “Crowd-sourced pen testing and vulnerability disclosure are growing at breakneck pace, and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”
IoT is a clear winner for bounty hunters, as the average critical pay-out for the IoT sector is £7,058. In comparison, web application pay-outs average out at £2,014.
Bug bounty pay-outs are increasing. Last month Google tripled its financial reward for bugs discovered in Chrome, for example: a critical bug will now net you $15,000. Google also doubled its pay-out for ‘high-quality’ reports from £12,377 ($15,000) to £24,757 ($30,000).
Google said this month: “On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode.”
Bugcrowd concludes: “What doesn’t always hit the headlines are the breaches that never were — the stories of companies who ‘hacked themselves first’ and drove up the cost of exploiting vulnerabilities in their systems by rewarding ethical hackers to identify and disclose these flaws to them, enabling these organizations to fix them before they could be exploited.”