As seven-figure vulnerability rewards continue to hit headlines, what is driving bug bounty inflation?
Bug bounty rewards have breached the $1 million mark, and there are reports of even higher payouts within the ethical hacking community.
But are these ‘mega bounties’ good for security researchers, and the firms that offer them? And are they truly achievable for those partaking?
In early 2022, a security researcher named ‘satya0x’ earned $10 million for discovering a vulnerability in crypto platform Wormhole. The reward was paid through Immunefi and – so far, at least – stands as the largest bug bounty payout so far.
Although another eight-figure bounty reward has yet to be awarded, there is clearly a trend of growing payouts. For example, another Immunefi user, ‘pwning.eth’, recently earned $6 million for reporting a critical vulnerability in the Aurora crypto service.
More and more tech giants are also offering significant sums.
Apple is reported to have paid out $20 million via its bounty program, and the vendor offers up to $2 million for reports of vulnerabilities that bypass “the specific protections of Lockdown Mode” on its devices, although bounties more typically range from $5,000 to $250,000.
Intel also operates an in-house bounty program, and views offering larger rewards as evidence that a firm is taking security seriously.
“Intel offers bug bounty rewards up to $100,000 for eligible vulnerabilities submitted through the Intel Bug Bounty Program,” Katie Noble, Intel’s director for the product security incident response team and bug bounty program, told The Daily Swig.
“In my experience, high bounty award offers tend to show a company’s commitment to the bug bounty and wider security community,” The company is open about the extent of its program, the researchers who have contributed, and the areas they reported.
Bounty inflation factors
The trend of ever-larger payouts is not just a result of organizations’ greater focus on security. There is also growing competition between bug bounty programs, with the best researchers in high demand.
“Increasing bug bounty payouts are likely the result of market forces, as some researchers may split between two companies’ programs or work on both,” says Intel’s Noble.
“It is also likely a reflection of inflation and the attempt to close the underground market and incentivize ethical, coordinated vulnerability disclosure.”
Competition is especially intense among web 3.0 and crypto platforms, which are also offering the largest rewards. But these also demand the most specialist expertise.
And some organizations may simply be looking for positive PR. A large potential bounty generates publicity, but costs nothing if it is never awarded.
“It is quite easy to have a program with high bounties that are impossible to reach, creating false perceptions or for PR only,” Florian Badertscher CTO and co-founder of Bug Bounty Switzerland, told The Daily Swig.
Rewards obviously tend to track with severity, but also reflect how much unethical researchers could earn from selling vulnerabilities on the black market.
“Some of the larger bounties, which certainly seemed to be justified when you see the severity of the issue, are very rare in comparison to the normal payments that most people are getting,” Quentyn Taylor, CISO at Canon Europe, told The Daily Swig.
“It is the vulnerabilities that would have alternative marketability that seem to attract the highest bounty payouts.”
Dane Sherrets, senior security architect at HackerOne, agrees. He points out that the largest bug bounties are in the crypto space due to the financial risks those vulnerabilities pose.
“It is worth noting that in the Web3 world, bug bounty programs often serve a different function than in the more traditional Web2,” Sherrets told The Daily Swig.
“If a smart contract that has $100 million of cryptocurrency locked in it has a critical vulnerability, then that means an attacker could steal or destroy all $100 million. But, if a program offers a $1 million bug bounty, it may encourage the attacker to just report the issue and collect the bounty legally and cleanly.”
For some of the best paying bounties, finding vulnerabilities does demand particularly niche skills. This is most common in Web 3.0 environments.
“Honestly, if we look at all the bug bounty platforms and the rewards they offer, by far the biggest rewards are paid by Immunefi, which is a crypto bug bounty platform (Web 3.0)”, Marius Avram, a consultant at Pentest People, told The Daily Swig.
“However, it should be noted that in order to participate and find vulnerabilities on these Web 3.0 applications, it is necessary to have a high level of skill.”
Finding bounties in those environments is beyond the scope of scanning tools, he says.
“It has become extremely difficult to find any vulnerabilities unless you’re an elite hunter,” explains Avram. “There are a lot of participants on these platforms who scan these sites day and night, so there is close to zero chance of finding something by scanning the sites with automated vulnerability scanners such as Burp [Suite], Nessus, and the like.
“And even then, you just have to do the work by hand and that requires skill and experience. Also, let’s not forget there are some types of vulnerabilities that cannot be discovered by automated scanners.”
Invitation-only bounty programs also offer some of the largest rewards. As Avram explains, for the first phase of these private programs only ‘elite’ hunters are invited – those “with the best reputation” for reporting “quality” vulnerabilities.
Some bug hunters have formed into teams, increasing their prospects of finding significant bugs, sometimes at the expense of individual researchers.
So, should researchers go after “mega” bounties? Much will depend on the individual’s skill set, time, and career ambitions.
A lucky few researchers will achieve significant payouts, a greater number will earn a small but useful second income, and more still will gain valuable hacking experience but earn usually modest bounties only intermittently.
As Canon Europe’s Quentyn Taylor points out, there will always be far more smaller rewards on offer, despite the lure of the larger bounties.
“Certainly whilst I believe it is possible to make a living from bug bounties, I don’t believe there’s a huge number of people doing more than supplementing their current income,” he cautions.
“I suspect the researchers doing vulnerability research as an intellectual exercise probably focus more on the individual single high value vulnerabilities. But remember that vulnerability research is all about coming first. There is no prize for second.
“If during the course of your research somebody else finds the same vulnerability and reports it, all of the time that you have spent researching that vulnerability will not be paid out,” adds Taylor.
“Discovering rewardable bugs is a hard task,” agrees Liam Follin, a senior consultant ant Pentest People.
“I have personally reported at least 10 bugs across a range of websites, only to be informed that they had already been reported and are therefore ineligible for reward. It is unsurprising that this is the case as many of these researchers spend 12 hours a day or more chasing these findings.”
Some hackers, too, are less motivated by financial reward and may be satisfied with mere public acknowledgement of their work.
This theory is backed by research – HackerOne’s 2021 Hacker-Powered Security Report found that the median price for a critical bug across the board was $3,000, and $1,000 for a high-severity vulnerability, $500 for a medium flaw, and just $150 for a low-severity issue.
Risk and reward
Nonetheless, six or seven-figure rewards are here to stay and more eight-figure payouts are surely inevitable. Firms continue to invest in bounties as a way to supplement their internal security capabilities and to show that they take vulnerabilities seriously.
“Personally, I think it helps to think about bug bounty programs and hackers as market participants in an ‘attention economy’,” says HackerOne’s Sherrets.
“As companies harden their assets, or develop business critical assets with novel technology, they will have an increased demand for hackers with the skills to find vulnerabilities on those assets.
“There’s a limited supply of hackers with the specialized skillset to hack hardened or novel assets, so higher payouts help incentivize hackers to spend time with the program.”
And, as Intel’s Katie Noble suggests, increased security spending will increase bug bounties too.
“Bug bounty programs are one piece of an organization’s larger cyber defense tool kit,” she says. “One motivation for increased resourcing in this area may be driven by increased resourcing in the entire cyber defense ecosystem.”