Swelling bug bounty programs sees an upshot in ethical hackers

Bug bounty programs are becoming increasingly popular among organizations around the world. While having adequate cybersecurity protection is still a prerogative for all organizations, bug bounty programs help organizations discover vulnerabilities in their system which may not discover by cybersecurity solutions.

In fact, bug bounty platform YesWeHack reported that its community of ethical hackers (often characterized as ‘white hat hackers’)  has grown by three-quarters to over 35,000 hackers now operating on the platform. On average, YesWeHack has about 1200-to-1300 researchers joining them each month. The revenue growth has also doubled in Europe, with Asia growing by a substantial 200%.

Over the past 12 months, YesWeHack noted a doubling in the number of bugs identified by its hackers. Of these, 35% were considered ‘critical’ or ‘high’, meaning many business systems and applications could have been severely impacted if these bugs were not found and remedied.

The increasing number and impact of vulnerabilities discovered in 2021 such as SolarWinds and Log4J have led companies to intensify their investments in crowdsourced security. In 2021, the online aggregator FireBounty.com, created by YesWeHack, counted a total of nearly 24,000 vulnerability disclosure policies.

In terms of the type of vulnerabilities detected, implementation and design flaws (Secure Design, Access Control) remain the leading type of bugs for the second year in a row. This trend can be explained by the increasing complexity of the applications deployed.

Bug bounty adoption by sector

The adoption of bug bounty programs continues to grow across several industries with YesWeHack seeing a 100% increase in the number of active programs available on its platform. But is it really the best way for organizations to discover vulnerabilities and weaknesses in their systems?

For YesWeHack, the tech sector represents 44% of all programs on their platform, followed by the financial services and insurance sector, which accounted for 18% of all bug bounty programs on the platform in 2021.

At the same time, it is also important to note that these sectors are the ones that require the most stringent cybersecurity protection. For example, the tech sector deals with a lot of data and continues to be heavily targeted by cybercriminals. The financial services and insurance sectors have strict regulatory compliance to adhere to, which is probably a reason why they are actively seeking bug bounty services.

As the pandemic continues to disrupt the world, many other sectors have also accelerated their digital transformation journey to meet the changing needs of their users. This is especially relevant in the public sector, where many administrations and local authorities are continuing to digitize their services and have therefore launched bug bounty programs to protect their data.

Record year for bug bounty rewards

With demand for bug bounty programs increasing, the rewards for ethical hackers have also increased. For example, Apple rewarded US$100,000 to a cybersecurity student who discovered a vulnerability on Mac webcams.

Meanwhile, Intel is applying a 12-month bonus incentive to bug bounty rewards on select lines of hardware and firmware, which lifts the payout ceiling for most critical bugs from US$100,000 to US$150,000. ExpressVPN has updated its bug bounty program to make it more inviting to white hats — now offering a one-time $100,000 bug bounty to whoever can compromise its systems.

YesWeHack has seen a 140% year-on-year growth in the total amount of rewards paid out to hackers. In 2021, the largest payout amounted to €40,000. Last year also saw YesWeHack release the Swiss Post e-voting public bug bounty program, offering the platform’s largest-ever reward available to its hacker community at €230,000.

One of the reasons for YesWeHack’s growing popularity, among ethical hackers and customers alike, is its ongoing commitment to the smooth running and efficient quality of its programs. For example, in 2021, 78% of vulnerabilities were rewarded within 24 hours of being accepted, while 89% were paid within 28 days of submission, and 60% of vulnerabilities were remediated within a month.

Crowdsourced security will continue to grow

Romain Lecoeuvre, CTO and co-founder of YesWeHack, warns that the acceleration of digitalization induced by the pandemic should not lead companies to relax their security efforts. “Many developers are under pressure to deliver applications as quickly as possible in order to maintain or gain a competitive advantage. As a result, speed is prioritized over security. For this reason, development and security teams must work in tandem, with the help of ethical hackers, to engage in a DevSecOps-like approach,” he said.

For Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, crowdsourced security is a great way for companies to get into data privacy compliance. “Over the years, the general public has become more and more sensitive to how to protect their data. In the interests of transparency, many organizations are now working with ethical hackers to find vulnerabilities in their systems, and to provide assurances to their users.

“Indeed, unauthorized access to personal data is one of the main risks identified in the programs available on our platform and has traditionally offered the highest rewards. In this context, crowdsourced security is not only the most effective way to discover vulnerabilities in code but also to reassure consumers about the security of a product or service and the privacy of their data,” commented Vassault-Houlière.