As cyberthreats mature, organizations are looking for more creative ways to find them with bug bounty programs. Awards for finding vulnerabilities increased by 33%, rising to an average award of $20,000, according to HackerOne's 2018 security report of more than 1,000 bug bounty and vulnerability disclosure programs (VDPs).
With a 143% year-over-year increase, Latin America experienced the largest increase in bug bounty and VDPs. North America and Asia Pacific saw a 37% rise, but U.S.-based organizations pay the most for their bounties, with hackers earning nearly one-fifth of all bounty-related award money.
The industries with the fastest reported time to resolution are consumer goods at 14 days, followed by financial services and insurance at 19 days and healthcare at 20 days. Technology is ranked fourth with 64 days. A faster time to resolution is an indicator of "program health" and the bounty is expected to be paid shortly after resolution or at the validation point, according to the report.
The more damaging the vulnerability, the more organizations are willing to pay for bounties.
Technology can only do so much and most security scanners cannot find a flaw it doesn't already know exists, according to the report. The report defines hackers as people who "[enjoy] the intellectual challenge of overcoming limitations" and can find flaws computers are unaware of.
Companies are now expected to broaden their perception of who hackers are and reevaluate their value. Changing the stereotype of hackers starts with veering away from the "hoodie" perception of security experts and embracing the diversity the hacker community has to offer.
Organizations need the aggressive view of technology hackers embrace. Some companies are even beginning to build their own bug bounty programs internally or at least considering program development.
By employing the mindset of a hacker, companies better equip themselves to changing the "attributes of technology" to defend against malicious actors looking to change the attributes of reality, according to Rob Fuller, a hacker who spoke at a Gartner symposium in National Harbor, Maryland in June.
If technology remains the sole defense of a company, it is missing out on the human nature of hacking and major tech companies know this. In 2017, Google paid nearly $3 million in bounties with one hacker walking away with $112,500. Shortly after the Meltdown and Spectre revelations, Intel announced a revamp of its bug bounty program, offering up to $250,000 for discovered vulnerabilities.