Ethical hackers frequently report security flaws outside of VDPs – often to no avail
Up to a third of all security flaws reported to organizations with no vulnerability disclosure policy (VDP) are not being patched due to failings in the disclosure process, a new report suggests.
Polled by Belgium-based bug bounty platform Intigriti, 12% of security researchers who reported vulnerabilities through alternative channels believed their submission was not successful in reaching security teams, while 19% were unsure about the outcome.
The Ethical Hacker Insights Report 2021 reveals that 70% of ethical hackers have discovered a vulnerability in a system not covered by a VDP.
DON’T FORGET TO READ Bug Bounty Radar // The latest bug bounty programs for June 2021
And since 12% of those said they didn’t escalate or follow up on their initial report, vendors without VDPs are potentially unaware of up to 44% of zero-day vulnerabilities detected by bug hunters.
“Investing in ethical hacking is investing in your company’s reputation,” said Intigriti CEO and founder Stijn Jans.
“Running an ethical hacking program can save companies needless security headaches and money, and will empower them to operate online with renewed confidence.”
Hit and miss
Without having a VDP in place, 50% of researchers’ vulnerability reports are routed through customer service channels, 36% of which failed to reach the security team, according to Intigriti’s survey of more than 1,000 ethical hackers from 140 countries.
“Some of the hackers indicated that their reports were closed as spam or were treated as phishing – customer service agents are not trained to handle vulnerability reports and will have a difficult time escalating them to the right person,” Inti De Ceukelaire, head of hackers at Intigriti, tells The Daily Swig.
Another 15% attempted to guess the security team’s email address, while 14% sent their findings via social media.
Perils of public disclosure
While public disclosure is deemed to be the most successful method in terms of alerting a vendor’s security team to a security issue, this also potentially exposes their sensitive findings to malicious hackers.
In addition, while just 6% of respondents opted for public disclosure, vulnerability reports of this nature still had a one-in-three (31%) chance of failing to reach the target organizations’ security teams.
“Public disclosure has shown to be the most effective method to get noticed, but is far from ideal for the affected company and the safety of its users,” says De Ceukelaire. “Direct contacts, such as through LinkedIn or a dedicated security inbox, are the most successful, as they end up with the right person straight away.”
Catch up on the latest bug bounty news
The least successful medium was sending reports through third-party services like computer emergency response teams (CERTs) – 44% of these approaches failed to reach the appropriate team.
“The less points of contact a vulnerability report needs to travel through, the better,” says De Ceukelaire. “Third party instances such as the CERT are overwhelmed with external vulnerability reports and may not have the business context to properly assess the severity of a report.
“Reaching the right person or team may also be a challenge for them, especially for larger organizations - because some product teams will not take ownership or responsibility to forward vulnerability reports for other teams within the same organization.”
Young and eager to learn
The vast majority of ethical hackers – 95% – are male, as well as digital natives, with 51% aged between 18-24 years old and only 13% over the age of 34, according to Intigriti’s latest Ethical Hacker Insights Report.
Most (80%) earn their primary income in IT roles such as penetration tester (43%), security analyst (27%), and software developer (6%). Nearly 20% of those polled had at least one of the CEH, OSCP, or OSWE infosec certifications.
Money was only the second most popular motivation for ethical hacking – an important incentive for just 63% – with learning new skills the biggest single motivation, cited by 70%.
Asked to pick the three most important variables for choosing targets, hackers most frequently chose a broad scope (68%), followed by ‘fresh’ scope (43%), and the promise of dealing with a responsive triage team (42%).
Web applications were the most popular technology to probe, followed by mobile, networks, static code analysis, then phishing/social engineering.
While hacking is generally seen as a solo endeavor, 91% of researchers said they had either collaborated with peers when bug hunting (30%) or would like to do so in the future (61%).
Intigriti also revealed that 71% of bug bounty programs receive a report of a ‘high’ or ‘critical’ severity bug within 48 hours of launch, and 37 valid bug reports within a week.
One bug hunter told Intigriti: “I think my fastest critical vulnerability find was within 10 seconds – and that was for quite a well-known company that had already done a penetration test.”
Inti De Ceukelaire is hosting a free webinar on June 22 to discuss the report.
RECOMMENDED ‘Soft skills are the most under-researched area of the bug bounty industry’ – ‘Reconless’ YouTubers on filling a gap in infosec education