Distracted by dispersing their workforce, organizations are increasingly open to crowdsourced cybersecurity

Coronavirus pandemic the key to growth in the security bug bounty market

UPDATED The Covid-19 pandemic may have fueled a surge in both demand for crowdsourced security and the supply of ethical hackers probing systems for vulnerabilities, according to a new report.

HackerOne, the world’s largest bug bounty platform, suggests that paying external security researchers for unearthing security flaws has become more appealing to organizations that have diverted internal security resources towards mobilizing a dispersed workforce amid rising numbers of cyber-attacks.


Published today (September 22), the fourth annual Hacker-Powered Security Report found that 30% of senior security professionals surveyed at large organizations around the world admitted that application security had been neglected in favor of procuring work-from-home and collaboration tools.

And while 30% observed an increase in cyber-attacks due to the pandemic, the same proportion reported reductions in the headcount of their in-house security teams. A quarter had seen their budgets cut since the pandemic triggered a wave of national lockdowns in March.

Cultural shift

A similar proportion – 30% – told HackerOne that they had become more open to accepting vulnerability reports from independent security researchers since the pandemic struck.

The number of active private HackerOne programs grew year on year by 81%, while public programs rose by 19% between May 2019 and April 2020.

The number of vulnerability disclosure programs from organizations in the education and healthcare industries – two of the hardest-hit sectors by a surge in cyber-attacks – tripled.

Computer hardware (250%) and consumer goods (243%) were the only sectors to see greater growth.

The growing attack surface for ethical hackers saw them discover around 61,000 vulnerabilities during the reporting period – more than twice as many year on year.

[Image: HackerOne hackers at San Francisco event h1-415 2020] The number of hackers signing up to HackerOne has soared since the pandemic hit

Mårten Mickos, CEO of HackerOne, believes there is causation as well as correlation between the pandemic and the growing interest among organizations in bug bounty programs.

“Budget and staff cutbacks, a rise in cyber-attacks and the great rush to support remote workers have put security teams under significant pressure,” he said. “Adding to that, the need to develop new Covid-proof solutions means fresh vulnerabilities are inevitable.

“Traditional security tactics are no longer sufficient to keep up with a rapidly adapting attack surface.”

“With hackers delivering concrete results at an affordable cost, even the most traditional industries are ready to give hacker-powered security a try,” he added.

What cyber skills shortage?

Despite the global cybersecurity skills gap, the average monthly volume of hackers signing up to HackerOne across April, May, and June also increased by 56% compared to January and February, and 69% for the same period in 2019.

This was mirrored by a post-February growth in the monthly average number of incoming bug reports of 28%, a 29% rise in bounties paid, and a 24% year-on-year rise.

Mårten Mickos tells The Daily Swig that Covid-19 may have initially fueled the surge in sign-ups because hacking is one hobby “that is not hampered by the pandemic at all”.

He also speculates that freelance hackers “may have seen a drop in their other jobs, so they decided to put more effort into ethical hacking.

“Thirdly, once schools and universities closed down, students who hack as a hobby found themselves having much more time at their hands.”

Finally, “smart hackers will realise that there are new and changing attack surfaces as companies go digital and shift to WFH regimes, and those attack surfaces need protection and help by hackers.”

The growing value and number of available bounties has also helped to incentivize hackers to sign up to bug bounty programs.

More than $44 million in bounties was awarded to hackers between May 2019 and April 2020, a year-on-year increase of 86%.

The average reward paid for critical vulnerabilities rose by 8% to $3,650.

In 2019, more than 50 hackers earned over $100,000 in bug bounties through HackerOne, nine of whom surpassed the $1 million mark.

This article was updated on September 25 with comments and additional statistics from HackerOne.
