Cybercrime, or crimes committed using computers and/or the internet, has rapidly grown from what Dr. Michael McGuire estimated, in research presented at RSA in 2018, to be a US$1.5 trillion industry into what Juniper Research now forecasts to be a US$2 trillion market in 2019.
This forecast growth of more than 30%, compounded by highly publicised attacks on well-known brands by hackers, anonymous or otherwise, has brought back into the open a practice that many organisations once kept behind closed doors and non-disclosure agreements.
I refer to the hiring of white hat hackers, or ethical hackers, to perform vulnerability testing. The term, first coined by IBM's John Patrick in 1995, has matured into the description of a legitimate profession.
In more recent years, the notoriety of hacking incidents, and arguably the wider recognition that no single person or organisation can ever stop the hackers, has seen the proliferation of bug bounty platforms. A bug bounty is the recognition and compensation given to individuals or organisations for reporting bugs, including exploits and vulnerabilities.
To be fair, finding and commissioning hackers to perform vulnerability or exploit tests of enterprise systems can be a challenge. This has led to the proliferation of platforms or communities that provide a one-stop shop for identifying and hiring white hat hackers to render these services. Among the larger such platforms are Bugcrowd, HackerEarth, HackerOne and Synack.
FutureCIO spoke to Attley Ng, vice president for Asia Pacific at HackerOne, to get a better understanding of what is driving different industries to pay out money for bug bounties.
What is driving the interest in bug bounties in Asia Pacific?
Attley Ng: The number of hacker-powered security programs is rapidly growing all over the world, especially so in risk-averse and highly regulated industries such as the financial services, banking, insurance, healthcare and education verticals.
Bug bounty programs have increased 30% in APAC year-on-year, with society embracing the positive power of hacking. Going digital brings with it increased risk of data breaches.
Legislators and thought leaders in cybersecurity are making the point that actionable insights from hackers are useful for everyone. For example, the Cyber Security Advisory Panel of the Monetary Authority of Singapore (MAS) has recommended financial institutions adopt bug bounty programs as part of their cyber testing.
Justifying bug bounties
Cost of a Data Breach versus the Cost of a Vulnerability
| Company | British Airways | Carphone Warehouse | Ticketmaster | TalkTalk |
|---|---|---|---|---|
| Cost/fine | US$230m | US$515,000 | US$6.5m | US$99m |
| Exploit | Third-party JavaScript vulnerability | Out-of-date WordPress interface | Third-party JavaScript vulnerability | SQL injection |
| Typical bug bounty for the same class of vulnerability | US$3,000 to US$10,000 | US$104 to US$10,000 | US$3,000 to US$10,000 | US$5,000 to US$10,000 |
Attley Ng: The financial cost of a breach, not even considering other costs like reputation and trust, is much higher in comparison to a bug bounty payout. For example, British Airways had a third-party JavaScript vulnerability exploited, and it cost them US$230 million in fines. The average market value of a similar vulnerability through a bug bounty program is about US$3,000 to US$10,000 in comparison.
Bug bounties – no guarantee against future exploits
Attley Ng: There is no guarantee that a company will not be hacked. All software has bugs and ignoring that is negligence. However, we cannot prevent data breaches, reduce cybercrime, protect privacy or restore trust in society without pooling our defences and asking for external help.
Every organisation must manage risk. In the digital world, risks are much harder to assess and counteract. As a result, it is difficult to earn and maintain trust with customers and stakeholders. A data breach will eradicate trust and cause enormous cost in the blink of an eye.
The challenge is identifying the security vulnerabilities that are the root cause of this risk while defining the actions necessary to fix them. The answer lies in inviting those who can think like attackers but will act as your defenders: ethical hackers hunting for security holes.
Top 3 advantages of hiring ethical hackers
The top 3 advantages of ethical hacking are speed, cost and access to a giant pool of talent from all over the world.
Speed — Working with hackers allows companies to provide security at the speed of innovation. For example, at HackerOne, when a new bug bounty program is launched on our platform, in 77% of the cases, hackers find the first valid vulnerability in the first 24 hours. That is how fast security can improve when hackers are invited to contribute. The positive power of the hacker community far exceeds the risks and the might of adversaries.
Cost — The beauty of HackerOne is the ability to scale the program; it really depends on the customer and what they hope to find. HackerOne makes recommendations on bounty standards based on industry averages, but the customer decides the final bounty price based on their own budget. This is usually dependent on the complexity and impact of the bug and how much effort it took to uncover it.
Talent — A company invites hackers in to get the best and brightest minds, and as many perspectives as possible, looking at its infrastructure.
Security vulnerabilities are a fact of life. The benefit of working with friendly hackers is that they can think like an attacker. Teamed with the scale and diversity of a strong friendly hacker army, companies’ security teams gain the continuous security coverage necessary to defend existing assets and develop at the speed of technological innovation.