How much did you spend on bug bounties last year?
Probably much less than Google - the company's Vulnerability Rewards Program paid out £3m, a significant rise on the last two years.
Do you know how much you spent on bug bounties last year? No? Well Google has released its figures for the Google Vulnerability Rewards Program, which dispensed an impressive £3m in 2016 to more than 350 individual researchers.
They reported more than 1,000 bugs in Google's apps and services in total, while Android and Chrome platforms had nearly $1m spent on them apiece. The largest single reward topped $100,000, nearly triple the highest single pay-out last year.
The total amount of bounties paid each year has risen from around $2m in 2015, and $1.5m in 2014, out of a running total of more than $9m today. If nothing else, these figures show an exponential rise in cost, with a third of the total spend of Google’s bug bounty programs occurring in 2016 alone.
This could well be connected to Google increasing their minimum pay-outs last year with some rising a full 50 per cent. The programs have been running since 2010 under slightly differing names. “We created our Vulnerability Rewards Program in 2010 because researchers should be rewarded for protecting our users. Their discoveries help keep our users, and the internet at large, as safe as possible” said Eduardo Vela Nava, VRP Technical Lead, in a blogpost.
Although Google’s Project Zero has ruffled some feathers (most memorably at Microsoft late last year), the company’s bug bounty programs have been well-received by the industry as a whole, and have arguably played a part in encouraging wider adoption of well-resourced bug bounty operations. The Pentagon has trialled the strategy, and major corporations from Apple through Facebook and Yahoo have adopted them too - albeit not always smoothly, as Yahoo demonstrated in what became known as the ‘t-shirt gate’ incident.
Unusually, the big corporates are playing catch-up in this case, with the non-profit, open archive Open Bug Bounty launching back in 2010. The concept being that security researchers can report vulnerabilities including SQL Injection, Open Redirect, Iframe Injection and Cross-Site Scripting (or XSS) vulnerabilities on any website, getting full credit for the report, and can create both private submissions and public submissions, which are verified and then reported to allow the company in question to patch the vulnerability and subsequently provide coordinated disclosure.
The site claims that over 17,500 websites, including companies like Microsoft, Amazon and Apple, as well as the WhiteHouse.gov have fixed security vulnerabilities based on Open Bug Bounty reports. The XSSPosed Open Bug Bounty can be given to a website visitor, journalist or a security company that manages the protection of the website.
Ilia Kolochenko, CEO of High-Tech Bridge, said that the: “Open Bug Bounty programme is a pretty interesting idea. Today, the majority of Bug Bounties that I know are still far from being perfect. Enabling all concerned parties to participate in the Bounty programme can change standard approaches to Bug Bounties. I think it has a lot of potential for growth.”
High-Tech Bridge researchers have found that many private bug bounty programs are suffering from ‘bug bounty fatigue’, which occurs when researchers have already found all simple and easily detectable vulnerabilities, and finding more advanced vectors of attack begins to become exponentially more expensive in time and expertise.
Ilia Kolochenko continued: “In our web security testing practice, it’s fair to say that 9/10 companies with public or private bug bounty programs have at least two high or critical risk vulnerabilities detected in less than three days of professional auditing, and missed by the crowd due to detection and exploitation complexity.”
On a lighter note, Google researchers picked out this XSS submission in payments.google.com for special praise in their 2016 rollcall, stating: “Check out this video Frans Rosén sent us. It’s perfectly synchronized to the background music! We hope this trend continues in 2017 ;-)”
Perhaps a special Google Vulnerability Rewards Program bounty of ‘best trance-based mouse control in XSS demo’ could be created in Mr Rosén’s honour…