Bugcrowd says that open-scope crowdsourced security programs find 10x more critical vulnerabilities. The details are contained in its annual “Inside the Platform: Bugcrowd’s Vulnerability Trends Report” (registration required).
Nick McKenzie, Chief Information & Security Officer of Bugcrowd, said, “This report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles. Looking ahead, we can use insights from this report in conjunction with other key learnings to predict what is coming next.”
What does the report show?
The report gives some useful insights into costs and vulnerabilities, and into how to set up a process for dealing with bug reports. It also shows how severity maps to what organisations are willing to pay. In the most severe category, P1, some organisations offer payments of $50,000 or more, while at the bottom of the P1 scale payments start at $3,500.
For the least severe category, P4, payments range from $175 to $750. For those new to bug hunting, that is still a reasonable reward for the time spent.
Another finding concerns the way organisations scope their programmes. Many limit too tightly what they are prepared to let researchers hunt for, and when they do, vulnerabilities are missed, including serious ones. An open scope lets bug hunters look at all of an organisation's public-facing systems.
The report states clearly that an open scope finds 10x more vulnerabilities than a restricted one, and that figure is not inflated by low-severity findings: the 10x applies to P1, critical-level vulnerabilities. Given the money on offer, this makes it a lucrative time to be doing bug hunting.
2024 will see a greater need for open-scope
One thing McKenzie calls out is the impact of threat actors using adversarial AI. He believes it will increase the rate of attacks on enterprises. For defenders, the problem will be alert overload from their logging and monitoring tools. That volume has the potential to overwhelm them, and it could be used deliberately, either to tie up defenders or as part of reconnaissance.
While defenders are trying to determine whether an alert is genuine, attackers can use that noise to slip through gaps or exploit vulnerabilities. It is another reason why an open-scope programme delivers benefits to organisations.
McKenzie is also concerned about the “human risk factor.” He sees this as a mix of phishing, malicious insiders and employees who choose to ignore internal controls. Addressing these issues is something organisations must prioritise, through human intelligence and also through behavioural analysis of individuals and systems.
Enterprise Times: What does this mean?
There are good reasons for organisations to run their own bug bounty programs. Organisations are already getting better at deploying vendor-written patches. The problem is that an organisation typically runs far more internally written “enterprise” code than commercial software, and that code is just as prone to bugs but receives no vendor patches.
Over the past three decades, internal investment in software testing and QA has fallen dramatically, while the amount of code written by organisations has exploded. Something needs to be done to spot and remediate the resulting problems. There are two solutions, and they are not mutually exclusive: running a bug bounty program, and being open to taking submissions from bug hunters.
Bugcrowd has good documents on its website on how to design a bug bounty. The more challenging part is being open to receiving reports and dealing with them properly. It is not uncommon for people to contact companies with a possible report in the hope of a payout; some of these are genuine and some are not. Importantly, the report shows how to build an effective policy for handling bug submissions.
This is an interesting report with a lot to absorb. It will be interesting to see next year how many organisations move to an open scope, and what increases are seen in payments and in vulnerabilities found.