
Poor IoT Security is Manna from Heaven for Bug Bounty Hunters, But Web Apps Still Dominate

"Crowdsourced pen testing and vulnerability disclosure are growing at breakneck pace"

By CBR Staff Writer

While IoT vulnerabilities provided increasingly low-hanging fruit for bug bounty hunters in 2018, with payouts increasing by a massive 384 percent on the previous year, bugs in web applications still account for over 90 percent of all submissions.

This is according to the annual Priority One Report issued by San Francisco-based bounty hunter platform Bugcrowd, which highlights an overall 92 percent increase in total vulnerabilities reported over the previous year.

Average payouts for critical vulnerabilities, meanwhile, were up 27 percent to $2,669.92 — arguably still a very low price for a critical vulnerability that could result in major reputational damage or fines if exploited.

Bugcrowd said it is “no surprise” that the web remains the most targeted area for hunters, as it provides the largest attack surface, but noted the surge in IoT reports.

The Bugcrowd report points to an array of reasons for this dramatic increase, such as more open bounty programmes, and more devices being connected.

Yet, the report points out that while IoT vulnerabilities “capture our attention for their novelty and fear factor, they are still and by far outnumbered by vulnerabilities in web applications.”

Roughly 80 percent of the top-rated bugs, those that could have significant impact, are by their nature difficult for automated security tools to discover.


The vulnerabilities discovered by researchers tend to revolve around broken access controls, server security misconfiguration, sensitive data exposure and broken authentication & session management – all of which, the report notes, are “systemic issues with critical impact, and very few programming frameworks out there that protect against them. The ones that do are far from perfect.”

(The top five vulnerability classes discovered during 2018 all appear on the OWASP Top 10, a regularly updated report outlining the 10 most critical risks for web application security.)

Financial Services Industry Steps Up


The industry more broadly has seen a significant increase in bug bounty pay-outs and industry-run responsible disclosure programmes.

The biggest increase was in financial services, which saw a year-on-year rise of 71 percent in available programmes; retail rose by 50 percent, while healthcare grew by 44 percent.

The report notes: “Crowd-sourced pen testing and vulnerability disclosure are growing at breakneck pace, and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”

IoT is a clear winner for bounty hunters, as the average critical pay-out for the IoT sector is £7,058. In comparison, web application pay-outs average £2,014.

Bug bounty pay-outs are increasing. Last month Google tripled its financial reward for bugs discovered in Chrome, for example: a critical bug will now net a researcher $15,000. Google also doubled its pay-out for ‘high-quality’ reports from £12,377 ($15,000) to £24,757 ($30,000).

Google said this month: “On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode.”

Bugcrowd concludes: “What doesn’t always hit the headlines are the breaches that never were — the stories of companies who “hacked themselves first” and drove up the cost of exploiting vulnerabilities in their systems by rewarding ethical hackers to identify and disclose these flaws to them, enabling these organizations to fix them before they could be exploited.”
