Today, the Department of Defense (DoD) announced that the Chief Digital and Artificial Intelligence Office (CDAO), the Directorate for Digital Services and the Department of Defense Cyber Crime Center (DC3) are launching the “Hack US” bug bounty program.
The program provides financial rewards for ethical hackers and security researchers who identify critical and high-severity vulnerabilities under the DoD’s vulnerability disclosure program.
To encourage researchers to participate, the DoD will offer a total of $110,000 for vulnerability disclosures. Payouts are $1,000 for critical-severity reports, $500 for high-severity reports, and $3,000 for reports in additional special categories.
The DoD’s decision to launch a bug bounty follows not only the completion of a 12-month pilot with HackerOne under the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), but also a broader recognition that the attack surface has expanded to the point where in-house security teams can’t keep up.
Why bug bounties are gaining momentum
One of the main drivers behind the growing interest in bug bounties is the high number of vulnerabilities in modern business environments.
Research suggests that the average organization has about 31,066 security vulnerabilities across its attack surface, a number that a small in-house security team can’t fix on its own, even with access to the latest vulnerability management or attack surface management tools.
Given the sheer number of vulnerabilities, it’s no surprise that 44% of organizations report that they lack confidence in their ability to handle the risks posed by the attack resistance gap.
Bug bounties address this challenge by giving security teams access to support from an army of security researchers who can help by identifying vulnerabilities and recommending solutions.
“It takes an army of adversaries to outsmart an army of allies, and many organizations tap into the community of millions of good faith hackers around the world who are skilled, ready and willing to help,” said Bugcrowd founder and CTO Casey Ellis.
“The good folks at DoD DC3 have had a vulnerability disclosure program for many years with great dedication and success, so it makes a lot of sense to see them ‘upgrade’ this to a paid bug disclosure program,” Ellis said.
Of course, the DoD isn’t alone in embracing crowdsourced cybersecurity, with organizations like Microsoft, Google, Apple, Meta and Samsung all running their own bug bounty programs to secure their systems and end products.
The bug bounty move
According to researchers, the global bug bounty market is growing: it was estimated at $223.1 million in 2020 and is expected to reach $5,465.5 million by 2027.
In the past 12 months alone, the bug bounty market has seen significant investment activity, with HackerOne reportedly raising $49 million in financing, Belgium-based Intigriti raising $23 million in a series B round, and the Web3 bug bounty platform Immunefi raising $5.5 million in seed capital.
At the same time, other providers have launched new crowdsourced research initiatives, such as 1Password announcing a $1 million bug bounty, which had paid out $103,000 to researchers as of April.
These platforms attract investor interest because “Effective bug bounty programs mitigate the impact of serious security vulnerabilities that could easily have compromised an organization’s customer base,” said Ray Kelly, fellow at the Synopsys Software Integrity Group.
“Bug report payouts can sometimes exceed six figures, which may seem like a lot. However, the cost to an organization to remediate a zero-day vulnerability can add up to millions of dollars in lost revenue,” Kelly said.
On the other side of the fence, even infamous cyber gangs like LockBit are experimenting with bug bounties, asking researchers and hackers to submit PII on high-profile individuals and web exploits in exchange for compensation of up to $1 million.
The Bug Bounty Market: Top Players and Key Differentiators
At this stage of the market’s growth, HackerOne is one of the leading providers, not only building a close relationship with the DoD but also raising $160 million in total financing to date and maintaining a community of over 1,000,000 ethical hackers who have resolved over 294,000 vulnerabilities to date.
HackerOne provides a bug bounty platform that organizations can use to create an inventory of cloud, web and API assets, which researchers can then test for vulnerabilities.
One of HackerOne’s main competitors in the market is Bugcrowd, an industry pioneer, which has itself raised $80 million in financing and provides a platform that can automatically identify vulnerabilities in an organization’s attack surface.
After detecting vulnerabilities, the platform can connect enterprises with researchers and security engineers to investigate their vulnerability findings and report directly into existing DevOps and security workflows.
Other providers on the market include European bug bounty provider Intigriti, which provides a platform for more than 50,000 researchers and has paid out more than $5 million in bounties to date.
At this stage, the main differentiator between these providers is not only the size of the pool of researchers they provide access to, but also the way they connect enterprises with the right researchers to secure their environment.