“Criminals will discover vulnerabilities in nearly any software”
Financial services and insurance companies are among the most tight-fisted industries when it comes to paying out bounties for software vulnerability disclosures, typically paying just one third of the global average.
That’s according to a new report by cybersecurity company HackerOne, which found that critical bug bounties average just $1,118 across the two sectors. While the figure is low, it still represents a 100 percent increase on last year’s average.
More startlingly, 93 percent of the Forbes Global 2000 have no formal vulnerability disclosure policies in place.
The highest bounty, sector-wide, awarded in 2017 via HackerOne was $75,000, to an undisclosed “tech firm”.
The top monetary amount awarded in 2018 by the financial services and insurance sectors, by contrast, was $18,000.
A bug is a vulnerability in a system's software that gives threat actors an opportunity to carry out malicious activities, potentially causing severe financial and reputational damage.
Financial services and insurance companies did, however, have the second fastest average time to bug resolution. The report notes that: “This reflects a desire to fix bugs as soon as possible, quickly mitigating any potential risk. It also reflects a significant increase from the previous year, nearly cutting the average in half.”
The research by HackerOne contains a detailed analysis of over 78,000 security vulnerability reports submitted over the last year by white-hat and grey-hat hackers, i.e. ethical hackers.
Vulnerability disclosure policies are a set of clear guidelines that ethical hackers can follow in order to report a bug or vulnerability.
Megan Brown, Partner at Wiley Rein LLP, said in a recent webinar: “Companies that lack a clear vulnerability disclosure program are at increased risk should a security researcher find a vulnerability.”
“By recognizing that criminals will discover vulnerabilities in nearly any software, application, or network surface they access, leaders must quickly and confidently shift their security strategy to an offensive approach, enabling them to beat criminals at their own game and reduce the risk of a serious security incident,” the report states.
As part of its research, HackerOne examined the Forbes Global 2000, an annual ranking of the top 2000 public companies. Citigroup, American Express and JPMorgan Chase all have vulnerability disclosure policies (VDPs), yet 93 percent of the list did not.
The issue of companies not giving ethical hackers a clear path of communication when it comes to vulnerability reporting was highlighted this month when a research team at KU Leuven University found vulnerabilities in vehicle key fobs.
McLaren, Karma, Triumph and Tesla were affected by the bug, but when the researchers contacted the companies affected, only Tesla was quick to respond.
Lennert Wouters, a doctoral student at the university’s Computer Security and Industrial Cryptography (COSIC) group, told Computer Business Review that: “It took us a very long time to get a reply from Karma and McLaren; we never managed to get a reply from anyone in Triumph or Pektron.”