Bug bounty is a bountiful business
We are now in the era of the Internet of Things, where safety and security go hand in hand. Countless companies are offering bug hunters the opportunity to find and report flaws in their products and get paid for it, while preventing black hat hackers from damaging services, cars and virtually anything else that can be hacked.
Fiat Chrysler Automobiles (FCA) US has just published a bounty program on Bugcrowd, a platform for cybersecurity researchers, and is ready to pay anywhere between $150 and $1,500 per bug. According to the official announcement, FCA, the seventh-largest automaker in the world, promises not to take any legal action against the hackers “nor ask law enforcement to investigate researchers participating in the program provided their compliance with a list of Responsible Disclosure Guidelines. This program is focused on the security of FCA’s connected vehicles, including the systems within them; the external services and applications that interact with them.” Note that the safe-harbor promise is conditional: it applies only to researchers who stay within the program’s disclosure guidelines and scope.
Top trends in bug bounty
Bugcrowd has just launched its second annual State of Bug Bounty Report, which offers a look at the emerging trends in bug bounties. Interest in bug bounties skyrocketed after Tesla launched its car hacking program in mid-2015 and the Pentagon introduced its “Hack the Pentagon” program.
The report revealed that even though the number of bug bounty programs has increased, 63 percent of all programs are private (invitation-only). There has also been a rise in the average priority (severity rating) per submitted vulnerability compared with the previous Bugcrowd report; in addition, the all-time average bug reward on the platform has grown to almost $300, up from just over $200 in the first annual report.
According to the data collected by Bugcrowd, 75 percent of researchers were between the ages of 18 and 29. Almost 90 percent of them have completed at least one year of college, and 55 percent have graduated with a bachelor’s or postgraduate degree. The majority of researcher sign-ups came from India (28.2 percent) and the United States (24.4 percent). In terms of submission volume, India is also the No. 1 submitting country, followed by the United States, Pakistan, the United Kingdom, the Philippines and Germany.
Bugcrowd’s State of Bug Bounty Report also revealed that the ten highest-paid researchers have together earned 23 percent of all payouts. One of the world’s most famous super hunters is Shahmeer Amir, a young Pakistani who ranked third on DarkReading’s list of top bug hunters. He has found 876 bugs in total, has an acceptance rate of just over 90 percent and has also contributed greatly to charity bug bounties.
Hari Haran from India occupies the first position, followed by Luke Young from the United States. DarkReading revealed that Hari has found 333 bugs and tops the India region with an acceptance rate of 98.17 percent. Meanwhile, Luke has a flawless acceptance rate (100 percent) across the 87 bugs he has found.