Bug Bounties Paid for Deep Testing and Less for Traditional Flaws

The number of vulnerabilities being reported and bug bounty payouts per vulnerability have increased this year. 

According to Bugcrowd’s State of Crowdsourced Security in 2019 report, there has been a 92% increase in the total number of vulnerabilities reported in the last year, while the average payout per vulnerability increased this year by 83%.

Bugcrowd said that more industries are adopting crowdsourced security programs, and crowdsourced pen testing and vulnerability disclosure “are growing at breakneck pace and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”

David Baker, CSO and VP of operations at Bugcrowd, told Infosecurity that “this is both a good thing and proof there are always more bugs to be found.”

“More bugs are not the result of a lack of testing or poor SDLC [software development life cycle], but the shift to cloud, push to mobile apps and adoption of IoT,” he said. “Ultimately, the fact that the crowd is finding more and more P1s means that these critical bugs are being identified and resolved sooner. Finding bugs is a good thing; promoting better defense through a better offense is a great SDLC strategy.”

Bugcrowd also said that the average payout for critical vulnerabilities reached $2,669.92, a 27% increase over the last year. However, it claims that “researchers are no longer going after things like XSS, CSRF, and SSI as those are fairly easy to find by many scanners out there today” and are now doing deep testing. The top five vulnerability classes reported over the past year were:

  1. Broken access control
  2. Sensitive data exposure
  3. Server security misconfiguration
  4. Broken authentication and session management
  5. Cross-site scripting

Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that “broken access control” is a very broad category “that absolutely can still be quantified as low-hanging fruit”, and that if an organization places no authentication at all on an asset or API, that is a simple mistake, not at all indicative of deeper or more sophisticated bugs. “Same goes for information disclosure findings that lead to data exposure, the second one in that list.”

Moussouris said that even organizations with a lot of general process maturity and a strong secure development life cycle see basic XSS bugs crop up, especially in third-party developed websites.

“The fact of the matter is that while bug bounty hunting can help out,” she said, “organizations cannot use them or any other external testing mechanism as a checkbox to excuse complacency in prevention of common classes of bugs, like authentication bugs.”

Moussouris went on to say that, in the main, some organizations view bug bounties “as a way to look busy and responsive in security, when it's actually masking underlying security negligence”, and that the classes of bugs most often found in bug bounties are still on the lower end of sophistication.

“Most organizations should be actively trying to prevent and detect those themselves, not outsource their detection to the luck of the bug bounty draw.”
