THE 4TH ANNUAL HACKER-POWERED SECURITY REPORT
The study on the hacker-powered security ecosystem. Hack for good.

EXECUTIVE SUMMARY

This is a time of unprecedented challenges. We face never-before-seen threats in the digital and physical worlds. If this past year has taught us anything, it is this: we need to leave behind our old tools, mindsets, and methods to create a path ahead.

But what does that path look like? In the physical world, COVID-19 is ravaging the international community. Negative externalities are flowing into the digital space, as well. This year, organizations across the globe have made unexpected changes to their operations. Businesses are figuring out how to contend with accelerated digital transformation and a surge in digital transaction volume. Many have had to expedite their decision to move to the cloud. Companies are hurrying to support hundreds or thousands of employees who are suddenly working remotely. To adapt to changing spending patterns, companies have launched new digital products and revenue streams, fighting to keep revenue flowing during a global recession.

In doing so, organizations are opening up new attack surfaces they are unprepared to protect. Protection efforts are left in the hands of security teams who are not staffed to cope. The result? Losses that can be measured in data, revenue, reputational damage, operational disruption, and churn. For organizations that operate in the digital space, there’s no such thing as business-as-usual anymore, which means that business-as-usual security can no longer suffice.

Security leaders are starting to ask some tough questions. If you’re facing resource constraints, how do you design software that’s secure from the start? How can you protect software applications as they move to the cloud? How do you scale security on a constantly evolving attack surface?
Is there a way to maintain brand trust and mitigate risk of a breach with such a sharp increase in digital transactions? And with everything else on fire, what about the nuts-and-bolts of compliance and regulations?

THE ANSWER IS HACKERS.

For years, organizations have turned to hackers to look for vulnerabilities before bad actors can exploit them. Quite simply, hackers are people who enjoy the challenge of creatively overcoming limitations. But they’re much more than that. Hacker-powered security has become a best practice for many organizations, embraced by risk-conscious entities like the U.S. Department of Defense and Goldman Sachs. Security and business leaders are learning that hackers aren’t just for tech companies: they are a critical part of any mature security strategy. Today’s challenges demand scalability, creativity, and adaptability on an unprecedented scale, and hackers are prepared to meet those demands.

The Fourth Annual Hacker-Powered Security Report offers an incisive look at today’s security landscape and the hackers who are pushing the envelope. This report tells a story that’s happening every day: security leaders are partnering with hackers to make the internet a safer place. CISOs are augmenting security frameworks with hackers’ human creativity and always-on security efforts. New options and continued deployment have propelled all global regions to double-digit year-over-year program growth, with Asia-Pacific (APAC) adding 93% more programs and Latin and South America (LATAM) adding 29%. Combined, all global programs awarded 87% more bounties year-over-year.

Around the world, the hacker community has grown in size and sophistication. 9 hackers (from 7 different countries!) surpassed the $1 million / €850,000 / ¥7 million mark in the past year. Hundreds of thousands more use hacking to build valuable skills, advance their career, earn extra money, challenge their curiosity, and hang out with like-minded individuals.

Against a backdrop of unparalleled obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution. During global lockdowns, hackers reported 28% more vulnerabilities per month than immediately before the pandemic took hold. For many researchers, hacking has become a reliable source of supplemental income during the pandemic.

Even before the pandemic, hackers were devoting their time and skills to make the world a better place. The altruistic attitude sparked Hack for Good, a HackerOne program that provides an easy way to donate bounty earnings to a worthy cause. The World Health Organization, the first cause chosen by the hacker community this past spring, received $30,000 in donations from hackers to help fight the COVID-19 pandemic.

In this report, we’ll explore these trends and their ramifications for businesses and consumers worldwide. The short version: security has become synonymous with hacking. The future belongs to hackers and the organizations that embrace them. And that future starts right here.
CONTENTS

EXECUTIVE SUMMARY ... 3
  Important Concepts ... 8
INTRODUCTION ... 10
  Key Findings ... 12
GLOBAL IMPACT ... 14
  Who’s Paying Bounties ... 18
  How COVID-19 is Impacting Security ... 20
  Who’s Earning Bounties ... 22
  Nations Across the Globe Are Getting Involved ... 26
  Bounty Flow ... 28
  Market Spotlight ... 30
INDUSTRY SCORE-CARDS ... 34
  How Each Industry Stacks Up ... 36
  The Biggest Brands Still Lag: Forbes Global 2000 Breakdown ... 38
  Creating A Vulnerability Disclosure Policy ... 40
  Industry Adoption ... 41
  The Pace of Resolution Varies by Industry ... 42
  Continuous Development Needs Continuous Security ... 44
BOUNTY TRENDS ... 46
  Region Spotlight ... 52
  Average Bounty Payout Per Industry for Critical Vulnerabilities ... 56
  Average Bounty Payout by Severity ... 57
  Reported Vulnerabilities by Type ... 58
  Virtual Live Hacking Events ... 60
  Customer Spotlight: AT&T ... 64
  Go Beyond Compliance with Hacker-Powered Pentests ... 66
  The Validated ROI of Hacker-Powered Pentests ... 68
  Customer Spotlight: PayPal ... 70
HACKERS ... 72
  Customer Spotlight: Costa Coffee ... 76
  Who are the Hackers and Why Do They Hack? ... 78
  Customer Spotlight: LINE Corporation ... 82
  Hacker Spotlight ... 84
  How Tomorrow’s Hackers Learn ... 86
  The Largest Hacker-Powered Security Conference ... 88
  Million Dollar Hackers ... 90
  Security Leaders Seeing Outbreak of Cybercrime During Pandemic ... 92
CLOSING THOUGHTS ... 94
METHODOLOGY & SOURCES ... 96
ABOUT HACKERONE ... 98

IMPORTANT CONCEPTS

HACKER: One who enjoys the intellectual challenge of creatively overcoming limitations.

HACKER-POWERED SECURITY: Any security-enhancing activity resulting from voluntary work performed by external experts, i.e. hackers. Common examples include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs, hacker-powered penetration testing for compliance, and vulnerability disclosure policies. With hacker-powered security testing, organizations can identify high-value bugs faster with help from the results-driven ethical hacker community.

VULNERABILITY: A weakness in software, business logic, hardware, internal rules, or online services that can be exploited.

HACKTIVITY: Hacker activity published on the HackerOne platform.

VULNERABILITY DISCLOSURE POLICY (VDP): An organization’s formalized method for receiving vulnerability submissions from the outside world, sometimes referred to as “Responsible Disclosure.” This often takes the form of a “security@” email address. The practice is outlined in the NIST Cybersecurity Framework and defined in ISO standard 29147.
BUG BOUNTY PROGRAM: Encourages hackers, through the use of incentives, to identify and report potential security vulnerabilities before they can be exploited. A public program allows any hacker to participate for a chance at a bounty reward. A private program limits access to select hackers who are invited to participate. Focused programs can also be time-bound, or run as virtual or in-person live events.

HACKER-POWERED PENTEST: A bespoke program where select hackers apply a structured testing methodology and are rewarded for completing security checks, and security teams receive instant results and compliance-ready reports.

/// OVERVIEW

Total registered hackers: 830K+
Reports resolved in 2019: 37,259
Bounties paid over the past 12 months: $44,754,742
Total valid vulnerabilities submitted: 181K+
Total bounties paid: $107M+
$ per resolved report: $979

INTRODUCTION

In the face of global changes, hackers are bringing ever-increasing scale to organizations’ security efforts. There are more hackers, with more skills, from more countries than ever before, offering continuous coverage for continuous development. Hackers have reported over 181,000 valid vulnerabilities and have earned over $100 million / €85 million / ¥696 million in the process. These trusted hackers, 53% of whom have been hacking for over 3 years and 43% of whom are self-taught, are augmenting and supporting security teams for organizations large and small. They bring talent, creativity, and diverse skill sets to the table.

Security vulnerabilities are a fact of life. You can’t opt out. That’s why organizations are on the hunt for cost-effective solutions. The business value placed on each found vulnerability is, on average, $979 / €835 / ¥6,820.
That’s a small price to pay compared with the legal, brand, and engineering impact of a security breach, which the Ponemon Institute and IBM Security estimate to be $3.86 million / €3.29 million / ¥26.87 million.

Hackers are the future of cybersecurity. As we face unprecedented changes, business and security leaders are leaving behind old methods and ideas to search for new solutions. It’s our mission to empower the world to build a safer internet. This report is a glimpse into how hackers and organizations are doing just that.

EVERY ONE HUNDRED AND EIGHTY SECONDS, A HACKER REPORTS A VULNERABILITY.

Average cost of a valid vulnerability: $979
Global average total cost of a data breach in 2020: $3.86M

KEY FINDINGS

1. The average bounty paid for critical vulnerabilities increased to $3,650 / €3,100 / ¥25,460 in the past year, up 8% year-over-year. The average amount paid per vulnerability of any severity level is $979 / €831 / ¥6,834, up 9% from last year’s average.

2. More than $44.75 million / €38.2 million / ¥313.3 million in bounties were awarded to hackers across the globe over the past year. That’s a year-over-year increase of 87% in total bounties paid, and helped drive total bounties past $100 million / €85 million / ¥696 million in May 2020.

3. The United States remains the top payer of bounties, with over 87% of the total, but that share is decreasing as every global region increased awards by at least 68%. Individual countries saw massive growth. Spain increased year-over-year bounty awards by 4,324%, Brazil by 1,843%, China by 1,429%, and 4 countries paid bounties for the very first time.

4. 100 countries saw an increase in year-over-year hacker earnings, with the biggest increases seen in China (582%), Spain (307%), France (297%), and Turkey (214%). In a dozen countries, hackers started earning awards for the first time.

5. 9 individual hackers have now earned $1 million / €850,000 / ¥7 million in bounties on the HackerOne platform.
And, in a reflection of the global reach of hacker-powered security, these 9 reside in 7 different countries.

6. Hackers now hail from 226 countries and territories. Guinea-Bissau, Central African Republic, Montserrat, Comoros, Holy See, and San Marino have all been added to this list in the past year.

7. Through Hack for Good, hackers donated $30,000 to The World Health Organization (WHO) COVID-19 Solidarity Response Fund, the program’s first recipient.

8. The global coronavirus outbreak was followed by a surge in hacktivity. New hacker signups increased 59%, submitted bug reports increased 28%, and organizations paid 29% more bounties in the months immediately following the start of the pandemic.

9. Bounties paid for Improper Access Control, the most awarded weakness type, increased by 130%. Information Disclosure fell to second place this year from first last year, yet still saw a 60% increase in bounties awarded.

CHAPTER 1 // GLOBAL IMPACT

Hacker-powered security is a global phenomenon regardless of how you measure it. The sheer growth in global security programs is stunning, with 34% of all programs on the HackerOne platform launched in the past year. North America remains the largest region, with 69% of all programs, but it’s being challenged by all other regions. EMEA alone accounted for 20% of all new programs launched in the past year, and year-over-year growth in APAC was 93%—nearly doubling the total number of programs in that region. Regions within APAC showing particularly strong program growth, and reflecting the diversity of this rapidly maturing market, include Singapore, with program growth of 164%, China (67%), and New Zealand (40%). New programs were also added in Japan, South Korea, and Thailand.

Number of vulnerabilities reported: 180,000+
Amount paid to hackers in the past year: $44.75 MILLION

Bounties paid and earned have also shown extraordinary global growth.
In May 2020, total bounties paid reached $100 million / €85 million / ¥696 million. In the past year alone, more than $44.75 million / €38.2 million / ¥313.3 million has been paid by security-conscious organizations to creative, skillful hackers across the globe. That’s a year-over-year increase of 87% in total bounties to hackers.

But the number of programs is just one measure of the global impact of hacker-powered security. Overall, hackers have reported more than 180,000 valid vulnerabilities, with one-third of those reported in just the past year alone.

Figure 1: New and total programs by region.
  New programs by region: N. America 72%, EMEA 20%, APAC 6%, LATAM 2%.
  Total programs by region: N. America 69%, EMEA 24%, APAC 6%, LATAM 1.5%.

Figure 2: Year-over-year program growth, by global region.
  APAC 93%, N. America 72%, EMEA 41%, LATAM 29%.

Total bounties to hackers has increased 87% year over year.

WHO’S PAYING BOUNTIES

U.S. amount paid to hackers over the past year: $39.1 MILLION
77% of public bug bounty programs receive their first vulnerability report within 24 hours.
Top five bounty-paying countries: 1. United States, 2. Russia, 3. United Kingdom, 4. Singapore, 5. Canada.

THE UNITED STATES REMAINS THE TOP PAYER OF BOUNTIES, with over $39.1 million / €33.4 million / ¥273.7 million, or 87% of the total, awarded to hackers in the past year. However, other countries and regions are adopting hacker-powered security at an impressive rate. Latin America increased bounty awards by 371%, while all other regions increased awards by at least 68%. Spain increased year-over-year bounty awards by 4,324%, Brazil increased by 1,843%, China 1,429%, and Panama by 1,394%. That growth is even more impressive considering the scale, as those three countries combined paid out more than $380,000 / €324,000 / ¥2,660,000 in bounties in the past year. Other countries had massive increases in bounties awarded, as well, like Argentina (723%), the Netherlands (388%), and the United Arab Emirates (318%). And four countries—Luxembourg, Dominican Republic, South Africa, and Samoa—paid bounties for the very first time.

Countries at the top maintained their status as biggest payers, with Russia ($887,000), the United Kingdom ($559,000), Singapore ($506,000), and Canada ($497,000) rounding out the top five. Russia moved up from sixth place last year to push Germany into sixth place with $363,000 in bounties paid.

Figure 3: Year-over-year bounty award growth in respective regions.
  LATAM 371%, North America 93%, EMEA 86%, APAC 68%, Total 87%.

SPOTLIGHT: HOW COVID-19 IS IMPACTING SECURITY

COVID-19 has thrown the entire world into chaos. We will feel the digital and physical ramifications of the pandemic for decades. Criminals thrive on chaos. Organizations worldwide were forced to go digital with their product offerings and services. Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed. Tens of millions of workers had to work remotely. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs—while ensuring the security of existing systems and newly-acquired collaboration tools. Security teams were pushed to the limit. They struggled to maintain existing security measures while working to close newly-opened gaps.

To better understand how COVID-19 has impacted security, HackerOne surveyed security leaders about their challenges during the pandemic. We found that 64% of global security leaders believe their organization is more likely to experience a data breach due to COVID-19, and 30% have seen more attacks as a result of COVID-19. Unfortunately, 30% have seen their security teams reduced due to the pandemic, and a quarter have seen their budgets reduced.
The overall chaos and uncertainty has stressed even the most robust security teams.

To adapt to changing attack surfaces, many are turning to hacker-powered security. And hackers are stepping up. Even during the global recession, hacking has remained a consistent and stable source of income. This past year, new hackers have joined the community at an accelerated rate. Compared with January and February of 2020, as the pandemic took hold, the average number of new hacker signups on the HackerOne platform increased by 56% across April, May, and June. Year over year, April, May, and June of 2020 saw 69% more new hacker signups than the same period in 2019. Hackers are also more prolific than ever, with the monthly average number of incoming bug reports in April, May, and June of 2020 increasing by 28% over January and February, and increasing 24% over the previous year. Organizations have responded to this much-needed help by awarding 29% more bounties per month, on average, during the April-June period than during January and February.

To learn more, see how HackerOne can help address quickly changing security needs.

THIS IS AN ENTIRELY DIFFERENT BALLGAME.

“It suddenly thrust us into what some people would say is just a healthcare issue, but it’s not. It’s an everything issue, isn’t it. It’s really just changing the way that the world operates and even how hackers operate as well, and I think that’s what we’re starting to see more and more of.”
TERESA WALSH, Global Head of Intelligence, Financial Services ISAC, during ISAC webinar 2020

WHO’S EARNING BOUNTIES

Anyone can hack, anytime, and from nearly anywhere. While they do it to earn money, they also do it to learn in-demand skills, advance their career, or simply for the challenge. Many also pursue hacking as a career. 40% of hackers surveyed for our 2020 Hacker Report hack as their primary occupation.
53% earn more than half their total yearly earnings from hacking, according to the HackerOne 2020 Hacker Report. Hackers around the world increased their earnings this past year, with Asia Pacific realizing 131% growth year-over-year. EMEA earnings nearly doubled, with 90% growth, and North America and Latin America both increased earnings by more than 60%.

40% of hackers hack as their full-time job.
53% earn more than half their total income from hacking.

Figure 4: Year-over-year bounty earnings growth in respective regions. Hacker earnings grew in every region on earth.
  APAC 131%, EMEA 90%, N. America 60%, LATAM 60%, Total 87%.

By country, hackers in the U.S. remain the top bounty earners, commanding $7.2 million / €6.1 million / ¥50.4 million over the past year. That’s a 63% increase over the past year, but nowhere near the growth of countries like China (582%), Spain (307%), France (297%), and Turkey (214%). Across the globe, 100 countries with hackers had year-over-year earnings growth. The top five countries from which hackers earn their awards, in addition to the U.S., are China, India, Russia, and Germany. China’s huge growth pushed Canada down into sixth place this year.

In a dozen countries, hackers earned awards for the first time over the past year, including hackers from Benin, Comoros, Costa Rica, Gambia, Luxembourg, Malta, Oman, Paraguay, Senegal, the State of Palestine, Uganda, and Venezuela. Hacking is giving people in all corners of the globe the opportunity to learn and earn while helping improve the security of organizations in faraway countries.

Amount hackers in the U.S. earned over the past year: $7.2 MILLION
Number of countries where hackers had YoY earnings growth: 100

THE TOP FIVE COUNTRIES FROM WHICH HACKERS EARNED THEIR AWARDS WERE THE U.S., CHINA, INDIA, RUSSIA, AND GERMANY.
NATIONS ACROSS THE GLOBE ARE GETTING INVOLVED

Hack the Pentagon in 2016 was the first ever federal bug bounty program, pioneered by the U.S. Department of Defense’s (DoD) Defense Digital Service (DDS) and HackerOne. In the following two years, hackers worked with the Army, Air Force, Marines, and other U.S. DoD agencies to find more than 5,000 valid vulnerabilities through HackerOne. In 2019 alone, the U.S. federal government received 5,121 distinct vulnerability reports through their VDP and focused, time-constrained HackerOne Challenge events. To date, the DoD has launched 10 hacker-powered Challenges, including “Hack the Proxy,” “Hack the Army 2.0,” and “Hack the Air Force 4.0”. As a result, they have awarded a total of $672,610 to 625 hackers.

The DoD also resolved over 12,000 valid vulnerabilities exclusively through the organization’s VDP this past year. In July 2020, the DoD processed 1,835 vulnerability reports via its VDP, nearly 500 more than their previous monthly record.

Since the DoD became the first government organization to leverage hacker-powered security, governments and related agencies across the globe have deployed hacker-powered security to identify and resolve vulnerabilities in their systems.

The European Commission (EC), long a champion of free and open source software, launched the European Union Free and Open Source Software Audit (EU FOSSA) to find vulnerabilities in its most used open source apps. The initial program’s success prompted the European Commission to launch EU-FOSSA 2, and the team subsequently worked with hackers to reveal a 20-year undiscovered vulnerability, fix 133 vulnerabilities, and pay out a total of €87,990 in bounties to hackers. In total, the E.U. has launched two bug bounty programs for 15 open source projects with HackerOne since its first program in 2017.
In the U.K., the National Cyber Security Centre uses HackerOne to enable its VDP and the easy reporting of vulnerabilities found across all U.K. government online services.

In the Asia-Pacific region, this past year has seen impressive growth in hacker-powered security programs. The Ministry of Defence, Singapore (MINDEF) has expanded its hacker-powered security programs since starting with a time-bound bug bounty challenge in 2018. That program resulted in 35 resolved vulnerabilities and prompted a second program, which invited 300 hackers (one-quarter of whom are local to Singapore). That second program resulted in 31 validated vulnerabilities, which earned hackers $25,950. In late 2019, Singapore’s Government Technology Agency (GovTech), supported by the Cyber Security Agency of Singapore (CSA), ran a third program that resulted in 33 valid security vulnerabilities and $30,800 in earned bounties. All together, 189 hackers have earned $74,250 in exchange for reporting 625 distinct security weaknesses across five Singaporean government challenges.

This past year, the European Commission announced the launch of a new bug bounty initiative involving open source software on a much larger scale. The latest 2019 bug bounty program run by the EU-Free and Open Source Software Auditing (EU-FOSSA 2) project aims to help E.U. institutions better protect their critical software. Since the program launched, EU-FOSSA 2 has worked with hackers to fix 133 vulnerabilities and pay out a total of €87,990 in bounties to hackers. This is on the heels of the U.K.’s National Cyber Security Centre (NCSC), which launched a VDP with HackerOne in December 2018.
Figure 5: Visualization of the bounty flow of the top 10 countries showing, on the left, where the organizations paying bounties are located and, on the right, where hackers earning bounties are located.

BOUNTY FLOW BY COUNTRY (total: $44,754,742)

Where bounties are paid from (organizations):
  USA: $39,125,265
  Russia: $887,236
  UK: $559,215
  Singapore: $505,522
  Canada: $497,495
  Netherlands: $414,817
  Germany: $363,404
  Switzerland: $231,605
  Israel: $229,138
  Sweden: $152,413
  Other: $1,788,632

Where bounties are earned (hackers):
  USA: $7,204,299
  China: $5,355,683
  India: $4,401,251
  Russia: $3,083,973
  Germany: $1,920,452
  Canada: $1,653,313
  UK: $1,430,886
  France: $1,223,231
  Hong Kong: $1,040,347
  Argentina: $985,681
  Other: $16,455,626

MARKET SPOTLIGHT

NORTH AMERICA
  Total bounties awarded: $39,622,760 (growth YoY 93%)
  Bounties earned: $8,859,363 (growth YoY 93%)
  Regional share of new programs: 72%
  Regional program growth YoY: 72%

EMEA
  Total bounties awarded: $3,724,385 (growth YoY 86%)
  Bounties earned: $18,915,495 (growth YoY 86%)
  Regional share of new programs: 20%
  Regional program growth YoY: 41%

APAC
  Total bounties awarded: $881,586 (growth YoY 68%)
  Bounties earned: $14,457,828 (growth YoY 66%)
  Regional share of new programs: 6%
  Regional program growth YoY: 93%

LATIN AMERICA
  Total bounties awarded: $418,323 (growth YoY 371%)
  Bounties earned: $1,848,670 (growth YoY 371%)
  Regional share of new programs: 2%
  Regional program growth YoY: 29%

SPOTLIGHT: HACK FOR GOOD DOES GOOD

In many countries, hackers can earn several times the median salary of a local software engineer. These hackers are not just making the internet safer, they’re also giving back to their local and global communities. In The 2020 Hacker Report, 27% of hackers said they donated at least a portion of their earnings to charitable organizations. The impact of COVID-19 prompted an unprecedented amount of support from hackers who volunteered to help relief efforts across the world.
The community itself has created new initiatives, for example Marc Rogers’ CTI League, which combats hacks against medical facilities and other frontline responders, and the US Digital Response, which provides experienced technologists to help governments deliver critical services. Individual hackers even raised their hands to help healthcare providers deal with incoming threats.

The dedication and genuine care shown by this community has inspired HackerOne to create Hack for Good. Launched during #h1-2004, a 13-day virtual bug bounty event for Verizon Media, Hack for Good gives hackers an easy way to donate their bounty earnings to a worthy cause. The first recipient—receiving $30,000 from generous hackers—was The World Health Organization (WHO) COVID-19 Solidarity Response Fund. Donations were used to support WHO and their global partners in their pandemic fight. With Hack for Good, hackers now have the ability to easily donate full or partial amounts of their bounties to community-selected charities that rotate each quarter.

Hackers have earned $45 million / €38 million / ¥314 million in the past year from the nearly two thousand organizations they’ve helped.

CHAPTER 2 // INDUSTRY SCORE-CARDS

Hacker-powered security comes in many flavors, from simply providing a clear path for anyone to alert you to a potential risk, to integrating hacker-powered methods directly into your security, testing, and software development processes. Programs can be open to anyone or limited to trusted, vetted hackers; free or pay-for-results; customized or turnkey; run internally or completely managed by experts. They can even be used to assess security measures, retest bug fixes, increase the security awareness of development, and more. With this flexibility, hacker-powered security can meet the security needs of any organization.
Public programs have 5X the number of hackers reporting valid vulnerabilities as private programs.
40% of programs started in the past year were in Computer Software and Internet & Online Services.
Bug bounty programs are dominated by companies in Computer Software and Internet & Online Services.

Figure 6: Percentage of public vs private programs. Private programs 81%, public programs 19%.

Most organizations begin with a vulnerability disclosure policy (VDP). It offers an easy, open process for anyone who spots a potential vulnerability to report it to an organization’s appropriate teams. Pentests put continuous hacker talent and creativity to work for compliance and other requirements. The bug bounty program is the most advanced form of hacker-powered security, and has a wide range of applications and approaches. It gives hackers a monetary incentive—the bounty—to search for and report vulnerabilities. Bounty programs can be public or private, continuous or time-bound, and even used during in-person and virtual events.

Public bug bounty programs, like those of Starbucks, AT&T, Hyatt, and Goldman Sachs, are open to everyone, while private programs require that individual hackers are invited or accepted via an application process to participate. Public programs are open to the widest range of hacker diversity and therefore produce superior results. On average, public programs have nearly five times the number of hackers reporting valid vulnerabilities versus private programs. Similar to past years, private programs make up 81% of all bug bounty programs on HackerOne and public programs make up the remaining 19%.

HOW EACH INDUSTRY STACKS UP

When you dig into industry-specific data, things get a bit more interesting. Cryptocurrency & Blockchain organizations, for example, have the highest share of public programs when compared to other industries, at 43%.
On the other end of the spectrum, Healthcare and North American state and local governments run only private programs. Other industries with few public programs are Computer Hardware & Peripherals (7%) and Travel & Hospitality (8%).

Bug bounty programs are extremely common in Computer Software and Internet & Online Services, with those industries accounting for nearly half of the total programs and 40% of all new programs started in the past year, and paying more than 72% of the total bounties awarded in the past year. But others are quickly adopting hacker-powered security. Industries with year-over-year program growth of 200% or greater include Computer Hardware (250%), Consumer Goods (243%), Education (200%), and Healthcare (200%), while Media & Entertainment grew by 164%, Retail & eCommerce doubled, and Financial Services and Computer Software each grew by more than 75%.

Other industries are paying more bounties to more hackers, too. Industries paying more than $1 million / €850,000 / ¥7 million in bounties in the past year include Telecommunications ($2,497,042), Financial Services ($2,286,351), Media & Entertainment ($1,826,974), and Automotive ($1,048,090).
INDUSTRY SCORECARDS

Columns: bounty programs (share private, share public, share of total programs, share of new programs) and bounty awards (amount for 2019, % of total awards).

Industry | Private | Public | Share of total | Share of new | Bounty awards 2019 | % of total
Computer Hardware & Peripherals | 93% | 7% | 3% | 1% | $415,994 | 0.9%
Computer Software | 82% | 18% | 20% | 16% | $16,263,982 | 36.3%
Consumer Goods | 98% | 2% | 2% | 4% | $253,763 | 0.6%
Cryptocurrency & Blockchain | 57% | 43% | 4% | 2% | $518,565 | 1.2%
Electronics & Semiconductor | 76% | 24% | 1% | 0% | $381,250 | 0.9%
Financial Services & Insurance | 87% | 13% | 8% | 9% | $2,286,351 | 5.1%
Government International | 65% | 35% | 1% | 1% | $134,729 | 0.3%
Government NA Federal | 90% | 10% | 1% | 2% | $667,228 | 1.5%
Government NA Local | 100% | 0% | 0% | 0% | $19,583 | 0.0%
Healthcare | 100% | 0% | 1% | 1% | $104,050 | 0.2%
Internet & Online Services | 79% | 21% | 27% | 24% | $16,079,195 | 35.9%
Media & Entertainment | 80% | 20% | 7% | 7% | $1,826,974 | 4.1%
Other | 74% | 26% | 11% | 19% | $1,525,877 | 0.5%
Professional Services | 84% | 16% | 3% | 3% | $256,229 | 0.6%
Retail & eCommerce | 87% | 13% | 4% | 3% | $1,004,045 | 2.2%
Telecommunications | 88% | 12% | 1% | 1% | $2,497,042 | 5.6%
Travel & Hospitality | 93% | 8% | 2% | 1% | $519,885 | 1.2%
Overall | 81% | 19% | | | $44,754,742 |

THE BIGGEST BRANDS STILL LAG: FORBES GLOBAL 2000 BREAKDOWN

Each year, HackerOne analyzes the Forbes Global 2000 list of the world’s most valuable public companies as one benchmark for public VDP adoption. Based on the 2020 Forbes Global list, 82% of the Forbes Global 2000 do not have a known policy for vulnerability disclosure as of July 2020. That’s a huge improvement compared to 93% on the 2017 list and 94% on the 2016 list, but it shows that fewer than 1 in 5 of the world’s most valuable public companies are utilizing this important security mechanism.

Figure 7: Share of Forbes Global 2000 companies in various countries that have a known VDP.
82%: of Fortune Global 2000 companies do not have VDPs.

63%: of global organizations require IT suppliers to have a VDP.

Figure 7 (chart): share of companies with a known VDP, shown for the United States (28%), Germany, Australia, the United Kingdom, Singapore, and France (the remaining values shown are 25%, 26%, 19%, 22%, and 0%).

VDP adoption varies widely across industries and regions. Only 13% of Global 2000 Transportation companies have VDPs, including Toyota, General Motors, Lufthansa, Tesla, and American Airlines. Just 21% of Healthcare companies have a known VDP. Approximately one-third of those in Telecommunications & Media (35%) and Financial Services (32%) have known VDPs, including AT&T, Citigroup, JPMorgan Chase, and ING. Computer Software leads in the deployment of VDPs with 69% adoption.

The pace of adoption is extremely slow and organizations continue to push for more progress. In North America, the U.S. Department of Justice offers a framework and the U.S. Department of Homeland Security provides a template and issued a Binding Operational Directive requiring agencies to establish a VDP. In EMEA, the European Union Agency for Cybersecurity (ENISA) has a “good practices guide” and the National Cyber Security Centre in the Netherlands publishes guidelines. In APAC, the Singapore Infocomm Media Development Authority acts as a central point of disclosure for the country’s telecommunications industry, and the “Standards for Handling Software Vulnerability Information and Others” have been offered by the Japan Ministry of Economy, Trade and Industry since 2004.

Continued encouragement and guidance are vital to reducing risk, as nearly 1 in 4 hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it. Having a VDP in place reduces the risk of a security incident and places the organization in control of what would otherwise be a chaotic workflow.
Spotlight: CREATING A VULNERABILITY DISCLOSURE POLICY

Relying only on your internal security team to keep your company safe isn’t just unreasonable, it’s impossible. Your team doesn’t have enough hours in the year to possibly search for, detect, and investigate every possible security risk across your business. Sometimes, they don’t have the skill sets or expertise. So, enlisting everyone’s help in plugging security gaps isn’t just good for security, it’s good for your brand, your reputation, and your customers’ trust. It’s also a best practice and a regulatory expectation.

A Vulnerability Disclosure Policy (VDP) is the first step in helping protect your company from an attack or premature vulnerability release to the public. It gives hackers and security researchers clear guidelines for reporting security vulnerabilities to the proper person or team within your company. VDPs are often referred to as the “see something, say something” of the internet. When a skillful eye spots a potential risk, you want to make it as easy and straightforward as possible for them to make you aware. Without it, those vulnerabilities remain unknown, unfixed, and potentially unleashed to people outside your organization, exposing your business and your brand to unnecessary risk or disastrous consequences.

5 CRITICAL COMPONENTS FOR EVERY VDP PROGRAM

1. Promise: Demonstrate a clear, good faith commitment to customers and other stakeholders potentially impacted by security vulnerabilities.
2. Scope: Indicate what properties, products, and vulnerability types are covered.
3. “Safe Harbor”: Assures that reporters of good faith will not be unduly penalized.
4. Process: The process finders use to report vulnerabilities.
5. Preferences: A living document that sets expectations for preferences and priorities regarding how reports will be evaluated.
But the VDP paradox is that, even though 63% of global organizations say they require their IT suppliers to have a VDP, more than 82% of the Fortune Global 2000 companies do not have VDPs of their own! Security is a business imperative, and actively encouraging hackers to alert you to vulnerabilities is good business.

HackerOne has revolutionized VDPs to make it easy to work directly with trusted hackers to resolve critical security vulnerabilities. Our VDP structure is based on the recommended practice outlined in the Cybersecurity Framework by the United States’ National Institute of Standards and Technology (NIST). Since 2012, HackerOne has partnered with thousands of organizations to unlock the security value of the global hacking community. Now, HackerOne has become the only hacker-powered security vendor to receive FedRAMP authorization.

Figure 8: Industry adoption (chart of business value of adoption, from early adopter to follower; industries shown: Government-Federal, Automotive, Healthcare, Financial Services, Retail & Commerce, Telecommunications, Aerospace).

INDUSTRY ADOPTION

In 77% of cases, public bug bounty programs receive their first vulnerability report within the first 24 hours. For the U.S. Army, it only took five minutes. Once a customer has confirmed the vulnerability is valid, they have the opportunity to reward the hacker and fix the issue. HackerOne tracks the time-to-vulnerability resolution for all programs. A speedy resolution significantly reduces the risk of a breach.

Speed is also important to hackers, who prefer a fast first response to their vulnerability report submissions. This lets hackers know that their report was received and is being investigated. Once a report is validated, hackers prefer to be awarded their earned bounty as quickly as possible. Nearly all industries respond to hackers in less than one day, with the fastest being Automotive and Media & Entertainment companies. Both sectors have median first response times of less than 4 business hours.
Time to resolution and time to bounty award vary widely across the industries: Cryptocurrency & Blockchain (11.7 days) and Professional Services (16.0 days) are among the fastest, while Telecommunications (40.3) and Government Federal NA (39.0) are the slowest. For time to bounty, the fastest industries are Financial Services & Insurance (0.9) and Retail & eCommerce (1.6). Government Federal NA is, by far, the slowest to pay bounties, with a median time to bounty of 27.1 days. The next slowest is Telecommunications, which pays nearly twice as fast, with a median time to bounty of 13.6 days.

THE PACE OF RESOLUTION VARIES BY INDUSTRY

Time to response, resolution, bounty (median). Columns: time to first response (hours), time to resolution (days), time to bounty (days).

Region | Time to first response (hours) | Time to resolution (days) | Time to bounty (days)
APAC | 0.53 | 18.3 | 3.7
North America | 0.68 | 22.8 | 5.3
EMEA | 0.73 | 18.0 | 3.1
LATAM | 0.66 | 32.8 | 2.1

Industry | Time to first response (hours) | Time to resolution (days) | Time to bounty (days)
Computer Hardware & Peripherals | 0.9 | 30.6 | 9.2
Computer Software | 0.8 | 22 | 4.8
Consumer Goods | 0.7 | 20.1 | 2
Cryptocurrency & Blockchain | 0.8 | 11.7 | 3.1
Electronics & Semiconductor | 0.4 | 17.2 | 4.3
Financial Services & Insurance | 0.8 | 16.2 | 0.9
Government International | 0.6 | 20.8 | 3.0
Government NA Federal | 0.6 | 39 | 27.1
Government NA Local | 1.5 | 7.6 | 0.2
Healthcare | 0.9 | 24.8 | 2.3
Internet & Online Services | 0.7 | 18.9 | 5.7
Media & Entertainment | 0.4 | 25.1 | 6
Other | 1.7 | 17.9 | 6.2
Professional Services | 1.2 | 16 | 1.7
Retail & eCommerce | 0.6 | 20.4 | 1.6
Telecommunications | 0.9 | 40.3 | 13.6
Travel & Hospitality | 0.6 | 19.6 | 1.6
Overall | 5.4 | 21.8 | 4.8

Nearly all industries respond to hackers in less than one day.

Spotlight: CONTINUOUS DEVELOPMENT NEEDS CONTINUOUS SECURITY

Continuous integration and continuous delivery have become the new benchmark for DevOps teams. Applications are delivered faster, code changes are automatically pushed into production, and teams are developing in-house apps without external feedback. The speed of development now matches the speed of innovation.
This fast pace and frequent release cycles, coupled with emerging languages, have kept CISOs on their toes as companies grow and corners are cut to get releases out the door. It’s also pushed more teams to “shift left” on their security efforts: improving coding practices, identifying and eliminating vulnerabilities during development, and reducing risk as code moves into production.

THE BEST COMPLEMENT FOR CONTINUOUS DEVELOPMENT IS CONTINUOUS SECURITY.

While building security into your software development lifecycle (SDLC) without slowing down development is a challenge, hacker-powered security can help. Bug bounty programs empower companies to build a more security-aware engineering team who can work to close gaps before they’re released. By pushing security and vulnerability intelligence to the left in an SDLC, continuous security helps protect future releases against threats. It prevents new products and applications from going into production with vulnerabilities. And it maximizes bounty program value to the organization and reduces the risk of future breaches. In other words, the same vulnerability reports used to drive improvements in your software production process can also ensure future code is continuously more secure. Ship code, not bugs.

As organizations begin a bounty program, they rightly focus on fine-tuning the basic bugs-in, bugs-out process. When welcoming outside hackers into your security operations is still new, there is a lot to get right—things like effective communications with hackers, triage, reproducing reported vulnerabilities, severity classification, bounty amounts, resolution process, and more. HackerOne has multiple resources available to help, from guides to our expert professional services team. Read how Verizon Media used a bug bounty program to “shift left” in the SDLC.

SECURITY IS NOT A ONE-TIME THING, BUT A CONTINUOUS CYCLE.
“We know that there are always going to be bugs in software development. As we develop, and as we iterate, we want to make sure security is an active part of that process, and never a roadblock to innovation. The HackerOne bug bounty program allows us to put another cog in the wheel of security.”
PETE YAWORSKI, Senior Application Security Engineer, Shopify

CHAPTER 3 // BOUNTY TRENDS BY VULNERABILITY SEVERITY AND TYPE

By studying the trends and statistics of vulnerability reports, organizations can better prepare security and engineering teams for incoming report submissions. Benchmarking against industry standards also helps improve everyone’s vulnerability disclosure and bug bounty programs. And, looking at trends on severity classifications and vulnerability types helps organizations, and the community as a whole, understand shifting areas of risk and prioritization.

$2,500: Median value paid for critical vulnerabilities on HackerOne.

$3,650: Average bounty paid for critical vulnerabilities on HackerOne.

Incoming vulnerability reports are categorized by the vulnerability type and severity. To determine the type, HackerOne uses a vulnerability taxonomy mapped to the industry standard Common Weakness Enumeration (CWE). For severity, HackerOne uses the Common Vulnerability Scoring System (CVSS), an industry standard calculator used to determine bug severity. The hacker can either choose a severity level based on their own judgment, or they can use the CVSS. Although customers themselves set bounty tables, HackerOne offers recommendations and insights, similar to this report, to help organizations benchmark their offered bounties against similar companies. Severity is particularly useful for structuring bounty ranges. When combined with the vulnerability type, this information streamlines the resolution process, allowing teams to integrate vulnerability reports with existing bug tracking systems.
It also helps set hacker expectations on potential report resolution and bounty payouts.

BOUNTY TRENDS // SEVERITY

VULNERABILITIES BY SEVERITY

Critical vulnerabilities make up just 8% of all reports. Medium severity bugs account for 40%, while low severity (34%) and high severity (18%) make up the remainder.

Figure 9: Percentage of vulnerabilities categorized by critical, high, medium, or low severity (critical 8%, high 18%, medium 40%, low 34%). Data from 2018-2019.

The median value paid for critical vulnerabilities on HackerOne was $2,500 / €2,120 / ¥17,400, which is up 25% from the 2019 median of $2,000, and double the $1,250 median of 2017. Critical vulnerabilities carry the most potential risk, so bounty values are generally much higher. The median value of a critical bug bounty is 2.5 times that of a bug of high severity, and more than 6 times that of a bug of medium severity. As organizations fix more vulnerabilities and harden their attack surface, bounty values naturally increase over time, since vulnerabilities become more difficult to identify, thus requiring more skill and effort to discover.

The average bounty paid for critical vulnerabilities across all industries on HackerOne rose to $3,650 / €3,100 / ¥25,460 in the past year, up from $3,384 in 2019, $2,281 in 2017, and $1,977 in 2016.

MEDIAN BOUNTY VALUE BY SEVERITY

Figure 10: Median bounty values by severity.

AVERAGE BOUNTY FOR CRITICAL VULNERABILITIES OVER TIME

Figure 11: Average bounty values for critical vulnerabilities over time.

The median value of a critical bug bounty is 2.5X higher than a bug of high severity, and more than 6X higher than a bug of medium severity.
Figure 10 (chart): median bounty value by severity: Critical $2,500, High $1,000, Medium $400, Low $150.

Figure 11 (chart): average bounty for critical vulnerabilities, 2016 through 2020.

BOUNTY TRENDS // REGIONAL

MEDIAN BOUNTY PAID BY SEVERITY BY REGION

AVERAGE BOUNTY PAID BY SEVERITY BY REGION

Figure 12: Median and average bounty values for vulnerabilities, by region (N. America, LATAM, EMEA, APAC) and severity type (critical, high, medium, low).

REGION SPOTLIGHT: NORTH AMERICA

Critical bug bounty average: $4,263. Critical bug bounty median: $3,000.

Top 10 vulnerability types, North America:
1. XSS
2. Information Disclosure
3. Improper Access Control - Generic
4. Improper Authentication - Generic
5. Open Redirect
6. Violation of Secure Design Principles
7. Privilege Escalation
8. Business Logic Errors
9. Insecure Direct Object Reference
10. Cross-Site Request Forgery (4%)

Note: The remaining percentage that is omitted consists of any additional types of vulnerabilities that did not make the top ten.

Regional bug bounty values vary as well. The average bounty paid for a critical bug in North America was $4,263 over the past year. That average was $1,547 in EMEA, $1,893 in APAC, and $2,567 in Latin America.
REGION SPOTLIGHT: EMEA

Critical bug bounty average: $1,547. Critical bug bounty median: $1,000.

Top 10 vulnerability types, EMEA:
1. XSS
2. Information Disclosure
3. Improper Access Control - Generic
4. Improper Authentication - Generic
5. Violation of Secure Design Principles
6. Insecure Direct Object Reference
7. Open Redirect
8. Business Logic Errors
9. Cross-Site Request Forgery
10. Brute Force

REGION SPOTLIGHT: APAC

Critical bug bounty average: $1,893. Critical bug bounty median: $2,000.

Top 10 vulnerability types, APAC:
1. XSS
2. Information Disclosure
3. Improper Access Control - Generic
4. Improper Authentication - Generic
5. Cross-Site Request Forgery (CSRF)
6. Business Logic Errors
7. Open Redirect
8. Insecure Direct Object Reference (IDOR)
9. Violation of Secure Design Principles
10. Brute Force

REGION SPOTLIGHT: LATIN AMERICA

Critical bug bounty average: $2,567. Critical bug bounty median: $1,800.

Top 10 vulnerability types, Latin America:
1. XSS (20%)
2. Information Disclosure (15%)
3. Improper Access Control - Generic (15%)
4. Insecure Direct Object Reference (IDOR) (7%)
5. Violation of Secure Design Principles (7%)
6. Cross-Site Request Forgery (CSRF) (7%)
7. Business Logic Errors (6%)
8. Open Redirect (5%)
9. Privilege Escalation (2%)
10. Server-Side Request Forgery (2%)

The highest average bounty payments by industry for critical issues come from Computer Software ($5,754), Electronics & Semiconductor ($4,663), and Cryptocurrency & Blockchain ($4,481). Those are all significantly higher than the platform average of $3,650. For all vulnerabilities reported of any severity, the average bounty payout was $1,024, up 33% from $771 last year, and up 119% from $467 in 2017.
BOUNTY TRENDS // PAYOUTS

AVERAGE BOUNTY PAYOUT PER INDUSTRY FOR CRITICAL VULNERABILITIES

Figure 13: Average bounty paid for critical vulnerabilities, by industry (axis $0 to $6,000). Industries shown, from lowest to highest average: Pharmaceuticals, Government NA Federal, Government International, Other, Consumer Goods, Aviation & Aerospace, Government NA Local, Education, Computer Hardware & Peripherals, Retail & eCommerce, Travel & Hospitality, Healthcare, Financial Services & Insurance, Media & Entertainment, Medical Technology, Professional Services, Telecommunications, Internet & Online Services, Automotive & Ground Transportation, Cryptocurrency & Blockchain, Electronics & Semiconductor, Computer Software.

The average amount paid per vulnerability of any severity level is $979 / €831 / ¥6,834, which increased by 9% from last year’s average. That’s a small price to pay compared with the legal, brand, and engineering impact of a security breach, which the Ponemon Institute and IBM Security estimate at an average cost of nearly $4 million.

AVERAGE BOUNTY PAYOUT BY SEVERITY

Figure 14: Average bounty payout by severity (low, medium, high, critical), shown at the 50th, 60th, 80th, 90th, and 99th percentiles; axis $0 to $25,000.

BOUNTY TRENDS // VULNERABILITIES

REPORTED VULNERABILITIES BY TYPE

Figure 15: Top 10 reported vulnerability types.
1. XSS (23%)
2. Information Disclosure (18%)
3. Improper Access Control - Generic (10%)
4. Improper Authentication - Generic (7%)
5. Violation of Secure Design Principles (6%)
6. Open Redirect (6%)
7. Business Logic Errors (5%)
8. Insecure Direct Object Reference (IDOR) (5%)
9. Privilege Escalation (5%)
10. Cross-Site Request Forgery (CSRF) (4%)

23: HackerOne live hacking events.

6,800: Total reports from live hacking events.

$9 MILLION: Earned by hackers at events.

Spotlight: VIRTUAL LIVE HACKING EVENTS

Live Hacking Events bring together hackers from across the globe to participate in a single- or multi-day hacking challenge targeting a specific set of customer assets.
These events put hackers in the same room as the target program’s security team, offering an opportunity for unmatched focus, impact, and bounty earnings. As of this report, HackerOne has hosted 23 events, with 15 customers, in 12 different cities around the world. Hackers have earned more than $9 million and submitted over 6,800 reports at these events.

“The live hacking events are really great. They give us the opportunity to meet face to face with the hackers who are active on our platform, it gets them an opportunity to meet with each other as well, and it facilitates a fantastic ideas exchange. It’s a fun and competitive atmosphere and it pushes everyone together to be better hackers, to be better defenders, and to be smarter about how you approach these problems. Now, obviously under COVID we can’t do those virtual events right now, so we’ve pivoted to doing virtual events… In a way, we’re helping create a more diverse environment and we get the benefit of those diverse experiences that those researchers bring, and it might help us bring some new ideas into the program that we can all benefit from.”
SEAN ZADIG, VP & CISO, Verizon Media, during a HackerOne Fireside Chat

$1 MILLION: Highest ever single-day bounty payout.

286: Reports over two weeks of #h1-2004.

#H1-2004

When the COVID-19 pandemic curtailed travel, HackerOne quickly moved to a virtual format, which has been lauded by both security teams and hackers. Verizon Media ran the first ever Virtual Live Hacking Event on March 25, 2020, dubbed #h1-2004. Hackers from all over the world submitted 286 reports over the course of two weeks, earning them over $673,000 in bounties. The event included a full schedule of hacking, plus hacker panels and interviews, which provided a great opportunity to both learn and earn. As the original event was intended to be in Singapore, The Paranoids (Verizon Media’s security team) wanted to ensure that the local hacker base was able to participate in a big way.
We invited 50 hackers from across the globe, with over 30% from the APAC region, including Singapore, Hong Kong, India, and New Zealand.

“If someone were to ask me about my favorite live hacking event, #h1-2004 would be at the top of my list,” said Sean Poris, Director of Product Security at Verizon Media. “It was amazing to see people come together during this pandemic to have deep conversations, to laugh a little bit, and bring the community together.”

4,282: Hackers participated in #h1-2006’s CTF.

45%: Of vulnerability reports from live hacking events are high or critical severity.

#H1-2006

In May 2020, PayPal and HackerOne joined forces for a “Capture the Flag” (CTF) event. The winners of the CTF earned invitations to #h1-2006, the world’s second Virtual Live Hacking Event. HackerOne got creative with this CTF, with the premise based on a fictitious tweet from HackerOne’s CEO claiming that he lost the login details required to make bounty payments. It called on hackers to help retrieve those account details and put bounty payments back on track. The top 3 hackers of the CTF, Nytr0gen, Zoczus, and bugra, were then invited to the PayPal live hacking event. Over the one-week live event, 4,282 hackers participated and 55 successfully accomplished the task to process hacker payments. Judges then reviewed vulnerability report submissions on creativity, completeness, and story, and then announced the winners. As seen in the recap video, hackers thoroughly enjoy the collaboration, education, and competition of these events.

Virtual and in-person Live Hacking Events offer a fun, dynamic, and educational environment that encourages hackers to work in a focused and collaborative manner. These events, some reaching over 3,000 combined testing hours, target key assets and areas of concern to quickly discover critical vulnerabilities while offering security teams a clear ROI.
Hackers submit more than 200 reports during the typical event, with 45% being high or critical severity, on average. HackerOne is preparing for more Live Hacking Events in 2020 and 2021, both virtual and in-person as soon as appropriate.

CUSTOMER SPOTLIGHT // U.S.: AT&T

3,000+: Bug reports resolved.

$1,211,000+: Bounty awards.

The roots of AT&T stretch back nearly 150 years to the origin of the telephone itself and across its innovations in transistors, communication satellites, and machine learning. The company has also expanded far beyond telecommunications to become a modern media company, a fiber and wireless connectivity provider, and a software-based entertainment provider with brands like WarnerMedia, HBO, and TBS.

The company continued its innovative ways in July 2019 by becoming the first communications company of its size to launch a bug bounty program on HackerOne. After having run a self-managed program since 2012, moving to HackerOne quickly increased the number of bugs received and the quality of incoming reports. It also expanded the AT&T program by opening it to a global network of skilled hackers and adding all of the company’s public-facing online properties, including websites, exposed APIs, mobile applications, and devices.

In the first year of the public program on HackerOne, AT&T resolved over 2,850 vulnerabilities and paid out $1,129,075 in bounties based on input from 850 hackers worldwide. The findings have helped AT&T understand holes in their security and use those insights to ensure they are patched across other essential products and services.

“Operating a bug bounty program is about getting one step ahead of the game by being hands-on and predictive,” explained Reynaldo Candelario, Principal Technology Security at AT&T. “It’s another approach to detect software and configuration errors that can slip past developers and later lead to big problems.
Hacker-powered security has helped our technology teams learn and resolve vulnerabilities that would not have been revealed by any internal security discovery methods.”

To date, AT&T has paid out more than $1,211,000 in bounty awards and resolved more than 3,000 bug reports. The company plans to continue expanding its bug bounty program into other segments of the business to increase the already tangible ROI and further improve the company’s digital security.

“The program will always be in a constant evolution of change to ensure a balance is given to everyone that participates in the program,” concludes Reynaldo. “We look forward to continuing our collaboration with the hacker community to improve our program and partnership.”

BOUNTY TRENDS // GO BEYOND COMPLIANCE WITH HACKER-POWERED PENTESTS

Penetration tests are a staple of nearly every security program. They have been used for decades as a viable means for evaluating the security of a specific scope of technology. Pentesting remains a necessary exercise to identify weaknesses and for compliance, but traditional pentests are often delivered with limited transparency into the testing process and they provide only an occasional, point-in-time view of risk. They’re further limited by the traditional process, which devotes a small pool of researchers to a specific scope for just a few weeks.

“THIS IS VALUE THAT WE NEVER GOT FROM A PENTEST. TRADITIONAL PENTESTS ARE NOT ENOUGH FOR MODERN DAY SECURITY.”
GEORGE GERCHOW, Chief Security Officer, Sumo Logic

Crowdsourced pentests are becoming a common and effective means for continuous, proactive security testing and broad investigation of a technology’s security risks.
Unlike traditional penetration tests, which are one-off exercises designed for a compliance checklist, hacker-powered pentests can be seamlessly incorporated into your security strategy. These hacker-powered pentests utilize the creative diversity, varying skills, and broad approaches of the hacker community, deployed continuously and on varied applications. What’s more, the cost is tied directly to validated results rather than effort. In fact, a Total Economic Impact (TEI) report from Forrester Consulting found that a HackerOne Challenge eliminated $156,784 in total costs and reduced internal security and application development efforts, saving an additional $384,793 over three years.

HackerOne’s powerful platform allows security teams to redefine the way they respond to vendor security assessments and compliance needs. HackerOne Pentests bring a creative, community-led approach to pentests to offer more coverage, instant results, and seamless remediation workflows all in one platform. It provides the visibility to track progress and interact with researchers from the kickoff, discovery, and testing, through to the retesting and remediation phases of a pentest. Those real-time insights empower security teams to act on vulnerabilities as they are found instead of waiting weeks for them to arrive.

Many security leaders are drawing a false distinction between compliance and security. According to our research, more than two-thirds of security leaders believe pentests strengthen software—but they are making a grave error in believing that compliance is more important than reducing risk and finding vulnerabilities, or that the two are separable. Instead, an overall security strategy should include approaches that allow the compliance box to be checked at the same time as finding bugs before they can be exploited.
HackerOne Pentests, however, fulfill both regulatory compliance and customer assessment needs with compliance-ready reports to satisfy SOC 2 Type II, ISO 27001, and more. The findings are also summarized in an actionable, methodology-based report to help security teams better understand how to reduce risk. To learn more, see how HackerOne Pentests improves upon traditional pentests.

“WE TURNED TO HACKERONE FOR SCALABLE REAL-TIME TESTING THAT WOULD LOOK IN THE PLACES WE WEREN’T LOOKING—NOT A SIMULATION OR TEMPLATED TEST—FOR SOC 2 COMPLIANCE.”
STEVE SHEAD, Vice President InfoSec & IT, Grand Rounds

To find the gaps that can lead to security incidents, you need pentesters with the creativity to think beyond a standard checklist. Pentests are opportunities to discover weak spots in your defenses, bring a fresh set of eyes to engineering’s code, and add a virtual security team that can be spun up or down as needed and without requiring onsite access.

Spotlight: THE VALIDATED ROI OF HACKER-POWERED PENTESTS

Benefits: $541,577. Costs: $252,127. ROI: 115%.

Hacker-powered pentesting adds a broad array of specialized skills, experience, and creativity to find security gaps unique to your business and technologies. Where traditional pentests fall short—limited team of testers and approaches, slow turnaround of results, and a lack of real-time visibility into findings—hacker-powered pentests rise above.

They also save money. A Forrester Consulting Total Economic Impact™ (TEI) analysis used interviews with HackerOne customers to gauge the financial and qualitative impact of HackerOne Challenge over traditional security testing methods. Customers say they eliminated costs “orders of magnitude higher than the HackerOne cost,” received results faster, and consumed less effort from the internal security team.
HackerOne Challenges also offer more robust testing methods, instant feedback, and detailed vulnerability reports compared with traditional point-in-time testing such as pentests. This is a direct result of the creativity, expertise, and experience of the hacker community. The increased detail in vulnerability reports also helped inform upstream engineering and development teams, which reduced application development times. In total, Forrester’s interviews and financial analysis concluded that an organization using hacker-powered pentests experienced benefits of $541,577 over three years versus costs of $252,127, adding up to a net present value (NPV) of $289,450 and an ROI of 115%. To learn more, download your copy of the Forrester TEI report today.

The key benefits found by Forrester include:
A 50% reduction in security testing duration.
A total cost of ownership (TCO) per pentest of just $41,350.
A reduction in internal pentesting effort of 66%.

“We tried pen testing before and found it very expensive and practically useless. We paid many thousands of dollars and they only found a few bugs. The first week we launched HackerOne they found several high priority bugs we fixed immediately. Huge value at a fraction of the costs.”
AMOS ELLISTON, CTO, Flexport

CUSTOMER SPOTLIGHT: PAYPAL
Bug reports resolved: 1,000
Bounties paid in the 3 months prior to the publishing of this report: $1 million+

The security team at PayPal, the popular digital payments platform, is tasked with protecting the personal and financial information of 325 million active accounts in more than 200 markets around the world. The company has been running a bug bounty program since 2012, transitioning to the HackerOne platform in 2018. This move instantly opened the program to a massive community of hackers and, as expected, brought an increase in participation.
In just the first six months after moving to HackerOne, PayPal received reports from 890 researchers across 56 countries, compared to just 365 researchers in the prior six months. “Security has always been a top priority for our business, ingrained into the fabric of everything we do,” says Ray Duran, Information Security Engineer at PayPal. “In addition to being able to work with a broader, more diverse set of researchers, HackerOne has enabled us to process bounty awards for qualifying submissions faster and get direct feedback from researchers on how to further improve our program.” In the first 7 months of its program, the company reached $1,000,000 in bounties paid. Over the program’s first 2 years, PayPal has awarded nearly $4,000,000 in bounties, with over $1,000,000 paid in the 3 months prior to the publishing of this report. The company is also closing in on 1,000 total reports resolved.

CHAPTER 4 // HACKERS
TODAY’S HACKER COMMUNITY

Hackers are the soul of the cybersecurity community and the immune system of the internet. What started in the dark underbelly of the internet has turned into a global movement of talented and creative people who enjoy digging into the technology that makes the internet work. There are now more than 830,000 hackers registered on the HackerOne Platform. They’ve earned more than $100 million / €85 million / ¥696 million through reports on more than 181,000 vulnerabilities.

Total registered hackers: 830,000+
Amount paid to hackers in the past year: $44.75 million

The 2020 Hacker Report, a benchmark study of the bug bounty and vulnerability disclosure ecosystem, details the efforts and motivations of hackers from across the globe who are working to protect the 2,000+ companies and government agencies on the HackerOne platform. These hackers are a force for good.
They earn money, learn valuable skills, or build a career by hacking. In fact, the potential earning power of a hacking career is well above today’s global average IT salary of $89,732.

Countries represented in the hacker community: 226
Share of the hacking community that hails from India: 19%

CUSTOMER SPOTLIGHT // EMEA: COSTA COFFEE
Costa Coffee shops in Europe: 4,000

Costa Coffee has been serving up coffees to Londoners since 1971. In the past 50 years, they’ve added 4,000 Costa Coffee shops and 10,000 Smart Cafe machines across Europe, Asia, and the Middle East. Now, as they expand to the U.S., the company has launched a bug bounty program to help protect its loyal customers’ data. “We see bug bounty as a key addition to our existing security testing capabilities, which also includes an established pentesting program,” said Matt Adams, Global Security Architect at Costa Coffee, in an interview. “However, the ability to access a wide variety of hackers, each bringing their unique approach and tactics to our program, will enable us to efficiently scale our testing activities.”

The company has been preparing for this continued global expansion, and the addition of a bounty program is part of its multi-year security transformation program. The hacker-powered security program also helps accelerate its security efforts to keep pace with its agile software development lifecycles. “The opportunity for continuous testing that a bug bounty program provides also aligns with our increasing adoption of agile development practices and CI/CD pipelines,” said Matt. “Our vision for the program is that it will enable our security testing processes to move at the same rapid pace as our development teams.”

It all combines to help Costa Coffee respond to the changing global threat landscape, especially as more personal data is collected via its customer loyalty program.
Keeping those customers happy is critical to maintaining the company’s brand reputation, which is why its security team chose to work with HackerOne. “As this is a new initiative for Costa Coffee, it was important for us to engage a trusted provider in order to help to build confidence in the bug bounty concept, and one that we were confident would deliver a successful program,” Matt added. “As the leading bug bounty platform, HackerOne was the obvious choice.”

WHO ARE THE HACKERS AND WHY DO THEY HACK?

Hackers are young, curious, and creative. Most (87%) hackers are under age 35 and 84% are self-taught. Just over half (53%) get at least half of their income from hacking, with 22% naming hacking as their only source of income. Just 53% do it for the money, with 68% saying their main motivation is that they enjoy the challenge of hacking. It’s also a good career booster: 44% say they hack to advance their career and 80% say they’ve used, or plan to use, skills and experience learned while hacking to land a job. There’s also an altruistic angle to hacking: 29% hack to protect and defend and 27% hack to do good in the world.

Figure 17: How long have you been hacking? (Categories: under 1 year, 1-2 years, 3-5 years, 6-10 years, 11-15 years, 15+ years.)

71% hack websites

Hackers test your system in many more different ways than any one security contractor could afford to do. Every single model, every single tool, every single scanner has slightly different strengths, but also different blind spots. Every hacker brings a slightly different methodology and a slightly different toolset to the problem.
Although automated detection tools have gotten very good at flagging things that might be a problem, almost all of them are plagued with false positives that still require a human to go through and assess whether each finding is actually a vulnerability. While automation can handle the grunt work, we still need skilled human eyes to see problems and solutions that computers can’t. And the earlier in the process you have hackers engaged, the better off you will be.

FAVORITE PLATFORM TO HACK
Figure 18: Favorite platforms to hack. (Categories: websites (71%), APIs, Android, mobile, technology that I’m a user of/that has my data, operating systems, downloadable software, internet of things, firmware, other.)

To learn more about the hacker community, why they hack, how they learn, and even what they do with their earnings, download The 2020 Hacker Report.

WHAT BEST DESCRIBES YOU?
Figure 19: What best describes you?
I hack as a hobby: 59%
I am a student: 27%
I hack full-time for my employer: 22%
I hack full-time: 18%
I hack sometimes for my employer: 14%
Self-employed: 11%
Other: 2%
Retired: 0.6%

WHY DO YOU HACK?
Figure 20: Why do you hack?
To be challenged: 68%
To make money: 53%
To learn tips and techniques: 51%
To have fun: 49%
To advance my career: 44%
To protect and defend: 29%
To do good in the world: 27%
To help others: 25%
To show off: 8%
Other: 1%

CUSTOMER SPOTLIGHT // APAC: LINE CORPORATION
Awarded in bug bounties: $107,000+
Reports resolved: 110+

LINE Corporation, based in Japan, develops and operates a wide range of mobile-first services and advertising, along with businesses in Fintech, Artificial Intelligence, and other domains. The company’s LINE messaging app is the fastest growing mobile messenger app in the world, and incorporates voice, video, games, payments, and more. LINE moved its self-run bug bounty program to the HackerOne platform in 2019 in a bid to enable greater transparency into its security efforts and incoming vulnerability reports.
The company also wanted to increase participation by global hackers, so moving to a platform with a hacker community hundreds of thousands strong would quickly bring more awareness to its growing program. LINE started with a private bug bounty program on HackerOne, and within 2 weeks had already paid out $5,000 for its first validated vulnerability report. In the first four-and-a-half months of the private program, LINE received 101 reports, 37 of which were valid and resulted in bounty awards. “This means that we rewarded over 36% of the reports we received, which is quite impressive,” wrote Robin Lunde, Security Engineer at LINE, in a blog post.

At that point, the LINE security team transitioned to a public bug bounty program, which immediately ramped up the program’s participation, as its team had hoped. In the first week of their public program, LINE received 103 reports—two more than in its entire 18-week private program! “It confirmed that our effort in spreading awareness and information had been a success,” Robin added. Adding to the program’s success was the growth in hacker participation and expanded coverage of the company’s diverse scope. “Moving to HackerOne allowed for an increase in participating reporters, as well as valid reports,” Robin concluded. “It also resulted in a wider array of our services being inspected and tested. This closely aligned with our goals for moving to HackerOne, indicating that it was a success, as well as a step towards achieving our future goals.” Since LINE began its public bug bounty program on HackerOne, the company has awarded over $107,000 in bug bounties and resolved more than 110 reports.

HACKER SPOTLIGHT

EUGENE @spaceracoon
“I am motivated by the thrill of finding a bug and learning something new.
Every time I read an article on new exploitations or discovery techniques, I’m itching to try it out. I love thinking of clever ways to bypass a defense or apply a novel attack.”

TOM @Tomnomnom
“It’s a lifelong obsession with how things work. There’s this great Richard Feynman quote, which is: ‘What I cannot create, I do not understand.’ And I think, for software, you’ve got to apply an additional layer of ‘What I cannot break, I do not understand.’”

KATIE @insider_PHD
“The community is super encouraging. The community is super willing to help out. It’s, as far as I’m concerned, my home.”

BEN @nahamsec
“The one skill hackers must inherently have is the ability to problem solve and a strong sense of curiosity around how technology works and how it could possibly fail us.”

ALEX @ajxchapman
“I like the challenge. I like the variety that hacking gives and the opportunity for continued learning. It’s a really good way of proving yourself and extending your knowledge every day.”

ALYSSA @alyssa_herrera
“What motivates me is wanting to help out security companies protect against breaches and improve their general security. Another motivation is being a role model for other women who also might want to get into this field of work.”

HOW TOMORROW’S HACKERS LEARN

Cybersecurity skills are in high demand. Since most hackers are self-taught, they need access to resources to help them build their skills. To train future cybersecurity leaders, the broader security community has to invest in education. HackerOne is committed to preparing students for success as ethical hackers through community programs such as Hacker101, a free, video-based web security training series for the next generation of ethical hackers. One of the greatest sources of education for new hackers is Hacktivity, which showcases select activity on disclosed vulnerabilities, hackers, programs, and bounty awards. Anyone can access Hacktivity to review detailed reports, understand how hackers work, and learn the many different techniques, tools, and approaches used by hackers and security teams.

HackerOne also offers Hacker101 CTF (Capture The Flag), a series of free hacking games based on real-world environments that challenge learners to hack and find the flags. Experienced and aspiring hackers can put their skills into practice with levels inspired by real-world security vulnerabilities. HackerOne also invests in university-based initiatives, such as those at Singapore Management University and the National University of Singapore, which introduce students to ethical hacking through training and competitions.

Live Hacking Events provide a unique joint learning experience and bug bounty engagement. For in-person live hacking events, hackers from all over the globe fly in to participate in a dynamic, social event, with focused testing on a targeted set of assets. This traditionally includes two weeks of testing leading up to the event, culminating in 2-3 days in a particular city. During the event, the programs’ security teams and hackers mingle together for social activities, sightseeing, knowledge-sharing, and of course, plenty of hacking. Events also include hacking workshops for local student groups, structured hacking mentorship sessions, and job recruitment workshops. To expand the diversity and inclusion of the hacking community, HackerOne includes community days with Live Hacking Events. These bring local cybersecurity-focused organizations that prioritize diversity, such as preparatory schools and groups like Cyber Patriots, Hack the Hood, Black Girls Code, and WiSP, together with top hackers and educators. Community days give aspiring hackers a chance to learn Hacker101 content directly from seasoned hackers.

Security@ is the largest hacker-powered security conference.
It brings together hundreds of security leaders, influencers, and hackers from around the world to share lessons, learnings, and insights with those who are leading this modern era of cybersecurity. Past speakers include security leaders and experts from the U.S. Defense Digital Service, Verizon Media, the U.S. Department of Justice, Yelp, The New York Times, Sumo Logic, Goldman Sachs, Facebook, PayPal, Salesforce, Bloomberg, Slack, Shopify, and many more. Learn more about the Security@ 2020 conference, which will be held virtually on October 20-22, 2020.

SPOTLIGHT: MILLION DOLLAR HACKERS

Nine individual hackers have reached $1 million / €850,000 / ¥7 million in bounty earnings on the HackerOne platform. That’s an incredible milestone for anyone in any profession, but these hackers have reached this pinnacle in well under a decade. It shows the earning potential of hacking and also highlights the global diversity: these 9 hackers hail from 7 different countries. But it doesn’t take a million dollars to increase a hacker’s quality of life. It could be a full-time job, or it could add some extra money to cover rent, a car, a vacation, or anything. Only 53% of hackers do it for the money. Yet over 200 hackers have earned more than $100,000. Many more hackers—just under 9,000—have earned at least something on HackerOne. Of all hackers who have found at least one vulnerability, 47% have earned $1,000 or more.

SPOTLIGHT

In early 2020, as the global pandemic took hold, the Internet Complaint Center at the U.S. Federal Bureau of Investigation reported seeing three to four times their typical number of reports. The spike in cybercrime also prompted the U.S.
National Counterintelligence and Security Center to issue a warning about “threat actors” increasing their attacks on medical research organizations. A related study revealed that large-scale breaches increased 273% in early 2020, compared with 2019.

In the summer of 2020, HackerOne surveyed 1,400 global security leaders at large companies across North America, Europe, and Asia-Pacific to learn more about their challenges during the pandemic. Unfortunately, what many are dealing with in reality reflects the warnings offered earlier in the year. The impact of both challenges is forcing security teams to face more threats while dealing with diminished resources. Nearly two-thirds (64%) of global security leaders believe their organization is more likely to experience a data breach due to COVID-19, and 30% have seen more attacks since the start of the pandemic. Unfortunately, 30% have seen their security teams reduced and one-quarter have seen their budgets reduced since the pandemic began.

But as the pandemic has increased threats and decreased resources, it has also increased distractions. More than a third (36%) of security leaders say that digital transformation initiatives have accelerated as a result of COVID-19, and 30% have had to switch priorities from application security to securing new work-from-home and collaboration tools. Many are now looking to hacker-powered security to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets. As a result of the challenges posed by COVID-19, 30% of security leaders say they are more open to accepting vulnerability reports from third party researchers about information security issues. Learn how HackerOne can help you quickly add resources to your security efforts.
SECURITY LEADERS SEEING OUTBREAK OF CYBERCRIME DURING PANDEMIC
Seeing more attacks: 30%
Reduced security teams: 30%
Dealing with budget cuts: 25%
Security breach more likely: 64%

Figure 21: Cybersecurity trends during COVID-19. Each row gives the global headline figure, followed by the figures for the UK, France, Germany, Australia, Singapore, USA, and Canada.

36% of security leaders say that digital transformation initiatives have accelerated as a result of COVID-19: UK 39%, France 32%, Germany 34%, Australia 36%, Singapore 37%, USA 35%, Canada 37%
31% of security leaders say they have had to go through a digital transformation ahead of the planned roadmap as a result of COVID-19: UK 34%, France 28%, Germany 29%, Australia 22%, Singapore 39%, USA 32%, Canada 33%
30% of security leaders have had to switch priorities during the pandemic from application security to securing the use of working from home and collaboration tools: UK 34%, France 26%, Germany 41%, Australia 28%, Singapore 29%, USA 30%, Canada 27%
30% of security leaders have seen more attacks on their IT systems as a result of COVID-19: UK 31%, France 36%, Germany 28%, Australia 33%, Singapore 21%, USA 34%, Canada 30%
30% of security leaders say their security teams have been reduced during the pandemic: UK 37%, France 28%, Germany 28%, Australia 35%, Singapore 30%, USA 24%, Canada 30%
30% of security leaders say that as a result of the challenges posed by COVID-19, they are more open to accepting reports from third party researchers about information security issues: UK 30%, France 33%, Germany 34%, Australia 32%, Singapore 21%, USA 34%, Canada 26%
A quarter of security leaders say that information security budgets have been negatively impacted as a result of COVID-19: UK 29%, France 30%, Germany 23%, Australia 26%, Singapore 24%, USA 27%, Canada 27%
64% of global security leaders believe their organisation is more likely to experience a data breach due to COVID-19: UK 69%, France 70%, Germany 70%, Australia 55%, Singapore 58%, USA 57%, Canada 68%
66% of global security leaders feel under scrutiny to prove the business takes information security seriously: UK 72%, France 62%, Germany 61%, Australia 53%, Singapore 76%, USA 61%, Canada 75%

CLOSING THOUGHTS
HACKER-POWERED SECURITY IS THE FUTURE OF CYBERSECURITY — AND THAT FUTURE IS HERE.

In an era of increasing uncertainty and unprecedented challenges, hackers are empowering organizations to keep their customers safe: in more areas of the world, on more attack surfaces, in new ways, using new tools and methods.
Security leaders are partnering with hackers to supplement their security teams, reduce risk across the software development lifecycle, achieve compliance, and reinforce brand trust. And hackers, these creative individuals who enjoy overcoming limitations, are using this partnership to support themselves and enrich their communities. Hackers have already received over $100 million / €85 million / ¥696 million in bounties, and we estimate that total to grow by 1,000% within the next 5 years. Many hackers are donating their bounties to charitable causes.

The COVID-19 pandemic has shown us how small and interconnected our world is. Technology is fundamentally global, and yet the systems upon which we have built our digital lives can be upended in seconds. We rely on these systems for everything: to work, live, learn, travel, to buy and sell things, to experience art and entertainment. To threaten these systems is to threaten our way of life. But this interconnectedness is a positive thing, too. Keeping the internet safe is a global effort. Finding the hundreds of millions of vulnerabilities in our technology would be impossible without an international pool of talent. Hackers know that. Security leaders know that. Boards are starting to mandate it; government agencies are recommending it as a best practice. And HackerOne is here to lead the charge.

// exit
TOGETHER, WE HIT HARDER — AND AS A GLOBAL COMMUNITY, WE HACK FOR GOOD.

METHODOLOGY & SOURCES

Findings in this report were collected from the HackerOne platform using HackerOne’s proprietary data based on over 2,000 collective bug bounty and vulnerability disclosure programs. The 2020 data in this report spans from May 2019 through April 2020.

FORBES GLOBAL 2000 VULNERABILITY DISCLOSURE RESEARCH: Our research team searched the internet looking for ways a friendly hacker could contact these 2,000 companies to disclose a vulnerability.
The team looked for web pages detailing vulnerability disclosure programs as well as email addresses or any direction that would help a researcher disclose a bug. If they could not find a way for researchers to contact the company to disclose a potential security vulnerability, the company was classified as not having a known disclosure program. Any companies that do have programs but are not listed as having one in the Disclosure Directory are encouraged to update their profile on their company’s page in the Disclosure Directory. See ISO 29147 for additional guidance or contact us.

COVID CONFESSIONS OF A CISO: Research conducted by Opinion Matters on behalf of HackerOne. The survey includes responses from 1,400 security professionals in companies employing 1,000 or more, located in the U.K., France, Germany, Australia, Singapore, the U.S.A. and Canada. Research was conducted in July 2020.

THE 2020 HACKER REPORT: Data was collected from a proprietary HackerOne survey in December 2019 and January 2020, totaling over 3,150 respondents from over 120 countries and territories. The surveyed individuals have all successfully reported one or more valid security vulnerabilities on HackerOne, as indicated by the organization that received the vulnerability report.

ABOUT HACKERONE
HACKERONE EMPOWERS THE WORLD TO BUILD A SAFER INTERNET.

As the world’s trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Qualcomm, Slack, Starbucks, Twitter, and Verizon Media.
HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020. Headquartered in San Francisco, HackerOne has a presence in London, New York, the Netherlands, France, Singapore, and over 70 other locations across the globe.

TRUSTED BY
More Fortune 500 and Forbes Global 1000 companies than any other hacker-powered security alternative.

The world’s most trusted hacker-powered security platform
www.HackerOne.com