September 13, 2018

Vulnerability Disclosure Not a Priority for 93% of Forbes Global 2000

"Criminals will discover vulnerabilities in nearly any software"

By CBR Staff Writer

Financial services and insurance companies are among the most tight-fisted industries when it comes to paying out bounties for software vulnerability disclosures, typically paying just one third of the global average.

That’s according to a new report by cybersecurity company HackerOne, which found that critical bug bounties average just $1,118 across the two sectors. While the figure is low, it still represents a 100 percent increase on last year’s average.

Bug Bounties - The cost of fixing bugs throughout the SDLC

More startlingly, 93 percent of the Forbes Global 2000 have no formal vulnerability disclosure policies in place.

The highest bounty, sector-wide, awarded in 2017 via HackerOne was $75,000, to an undisclosed “tech firm”.

The top monetary amount awarded in 2018 by the financial services & insurance sectors by contrast was $18,000.

See also: The Bug Bounty Bonanza

A bug is a vulnerability within a system's software that gives threat actors an opportunity to carry out malicious activities, potentially causing severe financial and reputational damage.

Financial services and insurance companies did, however, have the second fastest average bug resolution time. The report notes that: “This reflects a desire to fix bugs as soon as possible, quickly mitigating any potential risk. It also reflects a significant increase from the previous year, nearly cutting the average in half.”

Vulnerability Disclosure

The research by HackerOne contains a detailed analysis of over 78,000 security vulnerability reports submitted by white and grey hat hackers, i.e. ethical hackers, over the last year.

Vulnerability disclosure policies are a set of clear guidelines that ethical hackers can follow in order to report a bug or vulnerability.

Megan Brown, Partner at Wiley Rein LLP, said in a recent webinar: “Companies that lack a clear vulnerability disclosure program are at increased risk should a security researcher find a vulnerability.”

“By recognizing that criminals will discover vulnerabilities in nearly any software, application, or network surface they access, leaders must quickly and confidently shift their security strategy to an offensive approach, enabling them to beat criminals at their own game and reduce the risk of a serious security incident,” the report states.

See also: Tesla’s Keys Hacked and Cloned: Who Else is Affected?

As part of its research, HackerOne examined the Forbes Global 2000, an annual ranking of the top 2000 public companies. Citigroup, American Express and JPMorgan Chase all have vulnerability disclosure policies (VDPs), yet 93 percent of the list did not.

The issue of companies not giving ethical hackers a clear path of communication when it comes to vulnerability reporting was highlighted this month when a research team at KU Leuven University found vulnerabilities in vehicle key fobs.

McLaren, Karma, Triumph and Tesla were affected by the bug, but when the researchers contacted the companies affected, only Tesla was quick to respond.

Lennert Wouters, a doctoral student at the university’s Computer Security and Industrial Cryptography (COSIC) group, told Computer Business Review: “It took us a very long time to get a reply from Karma and McLaren, we never managed to get a reply from anyone in Triumph or Pektron.”
