Bug-bounty programs have become a popular way for vendors to root out security flaws in their platforms, attracting talented white-hats with the promise of big rewards. According to HackerOne’s 2020 List of the Top 10 Bug Bounty Programs on its platform, Verizon Media, PayPal and Uber are in the elite group.
“These top 10 programs are setting the standard for how transparency breeds trust in security in collaboration with a team of diverse hackers from across the globe,” HackerOne CTO and co-founder Alex Rice said in an emailed statement. “At HackerOne, Default to Disclosure is one of our values. And while this isn’t a mandate for our customers and hackers, it is something we encourage every customer to think about. By sharing where we’re vulnerable, other defenders can learn, friendly hackers can learn, and we’re all safer in the end.”
Verizon Media tops the list with $9.4 million paid out since it started its program in 2014, with its top bounty coming in at $70,000. It saw surging success this year, with awards all the way up from $1.8 million in the life of its program.
That’s only one of several notable changes from the 2019 rankings. Also new for 2020, PayPal outstripped Uber, taking on the No. 2 position and relegating the ride-share giant to third place. That said, PayPal follows as a distant second with Verizon Media in terms of bounty volume (though it’s had less time than Verizon Media to rack up payments). It has so far paid out $2.8 million with $30,000 as its top bounty, since it started a program with HackerOne in August 2018 (and $6 million in bounties overall since 2012).
“@defparam and @ngalog have stood out to the PayPal security team for their detailed reports and collaborative spirit,” wrote PayPal’s information security engineer, Ray Duran, in a recent blog post. “The best submissions are simple; support claims with evidence, and demonstrate impact. Well-written reports help reduce back-and-forth conversations, allowing us to quickly move on to remediation steps and faster bounty payouts. We also greatly appreciate researchers who are willing to assist in retesting or who quickly respond to requests for more information as our investigation unfolds.”
Uber as mentioned comes in third for 2020, with $2.4 million paid since December 2014. $50,000 ranks as its top reward on offer.
Intel ($1.9 million paid since March 2017, no info on top bounty amount) and Twitter ($1.3 million paid since May 2014 with a top reward of $20,000) round out the top five.
Also in the top 10 are GitLab, Mail.ru, GitHub, Valve and Airbnb. Notably, GitHub and Mail.ru are both new to the top 10 this year. And, GitLab leaped from No. 10 in 2019 to No. 6, hitting $1 million paid out in January.
“There’s no denying that a million dollars in bounties paid is a big milestone for our program, but what makes this especially meaningful to us is that it clearly demonstrates GitLab’s commitment to building a strong and secure product,” said Ethan Strike, security manager at GitLab, in a recent outline of the company’s program. “GitLab’s engagement with the hacker community paid dividends not only in bug reports, but in attracting dedicated hackers who returned to help again and again.”
“We’re proud that our journey to a million in paid bounties includes contributions from 768 reporters (since Jan 2014) including several of HackerOne’s all-time leading reporters,” added Strike. “We also have 227 repeat reporters.”
The list was curated using public details available in the HackerOne directory of programs, with rankings based on the total amount of each organization’s cumulative bounties awarded to hackers over the life of their public program as of April 2020.
“Hackers are attracted to programs that are responsive, pay well and pay quickly,” according to HackerOne’s list of top programs. “So the most popular programs are also, unsurprisingly, the ones listed here.”
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.