Hacker Halted: Government Needs to Embrace Bug Bounty Incentive

“Governments could gain a lot from this bounty model – they only stand to gain from allowing the good guys to hack”. The concept, he admitted, is “controversial. But give it time.”

Grossman suggested that websites accepting ‘security research’ (also known as crowd-sourced vulnerability assessment or bug bounties) have “closed hundreds, if not thousands, of vulnerabilities, and protected hundreds of millions of users.”

Collectively, Google, Facebook, Mozilla and PayPal have paid out over five million dollars in bounty money “to those that discreetly hand over vulnerabilities, allowing them to fix them”, Grossman said.

Given that more code is being produced than can possibly be tested, that eight out of ten websites have serious vulnerabilities, and that there are 142.2 million undiscovered serious vulnerabilities on SSL websites alone (by Grossman’s calculation: 1.8 million SSL websites × 79 vulnerabilities a year), the need for such an initiative has never been stronger.

The average number of serious vulnerabilities found on websites across vertical sectors shows that retail websites are the most insecure, followed by insurance. “If PCI works, I can’t see it in the numbers”, Grossman remarked.

The biggest application security challenge today, Grossman argued, is the huge shortage of qualified application security people. “We need builders, breakers and defenders”, he said. “We certainly have a hiring issue.”

Facts and figures from Jeremiah Grossman, Founder and CTO, WhiteHat Security, in his Hacker Halted presentation:
  • 50% of all serious vulnerabilities are due to cross-site scripting.
  • 14% of all serious vulnerabilities are a result of content spoofing.
  • Gary McGraw (CTO, Cigital) says roughly 2% of all programmers should be software security pros, or “Builders”.
  • Technology is incapable of eliminating the need for people in any aspect of application security.
  • From 2010 to 2011 the overall average website Window-of-Exposure did improve, but only slightly, from 233 days to 231 days.
  • The overall Remediation Rate in 2011 was 63%, up from 53% in 2010, and almost double the rate of 35% in 2007.