Bug bounties — these are security programs that pay hackers to find and report vulnerabilities — jumped 33 percent year over year with $11.7 million awarded in 2017, according to the Hacker-Powered Security Report 2018.
Some large companies and governments are now offering as much as $250,000 to find and fix security flaws, the report said. A total of 116 different bug reports earned more than $10,000 in the past year with the average payout for critical vulnerabilities rising to more than $2,000.
Hackers use the HackerOne platform to report vulnerabilities, and organizations use the company’s platform to coordinate their bug bounty programs. The new bug bounty report includes analysis of 78,275 security reports received between May 2017 and April 2018 and reported to more than 1,000 organizations through the platform.
Since the company launched in 2012, organizations have awarded hackers more than $31 million. And more than a third of that was awarded in the past year alone.
While these security programs grow in popularity worldwide — HackerOne reports bug bounties saw double- or triple-digit growth on every populated continent last year — U.S.-based organizations continue to pay the highest volume (83 percent).
Telco Bug Bounties on the Rise
Additionally, more enterprises are adopting vulnerability disclosure programs. HackerOne reports a 54 percent year-over-year increase in program launches. Still, 93 percent of the Forbes 2000 companies do not have a public-facing bug bounty.
Technology companies lead bug bounty adoption with 58 percent of total programs. Other industries such as consumer goods, financial services and insurance, government, and health care account for 43 percent of bug bounty programs.
For the fourth year in a row, these other non-tech industries increased their market share. Automotive programs increased 50 percent in the past year, and telecommunications programs increased 71 percent, the report said.
Some tech giants offer six-figure bounties, with Intel and Microsoft paying up to $250,000 and Google and Apple paying up to $200,000. Following the Meltdown and Spectre CPU flaws, Intel revamped its bug bounty, opening up the previously invite-only program to the public and upping its amount paid per valid vulnerability.
HackerOne says a technology company paid the highest bug bounty ($75,000) in 2017 for three unique vulnerabilities that could have allowed an attacker to steal credit card information, deploy ransomware, take over user accounts, and access infrastructure code.
Meanwhile, in Data Breaches…
In other security news, not only are bug bounties increasing, but so are data breaches.
An IBM Security study published this week found that the average cost of a data breach per compromised record was $148, and that it took organizations 196 days, on average, to detect a breach. Researchers examined 477 companies for this study and found the total cost, per-capita cost, and average size of a data breach (by number of records lost or stolen) all increased year over year.
The average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records.
The silver lining: there are steps businesses can take to lower the potential cost of a data breach. For the fourth year running, the study found a correlation between how quickly an organization identifies and contains a breach and the total cost. It found that an incident response team can reduce the cost of a breach by as much as $14 per compromised record from the average per-capita cost of $148. Also, extensive use of encryption can cut the cost by $13 per capita.