The search engine giant is one example of the growing number of organizations benefiting from bug bounty programs.
Despite warnings about relying too heavily on crowd-sourced bug bounty programs, these vulnerability discovery initiatives are proving successful for a few companies, judging from the payouts to security researchers in recent years.
One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.
The amount was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year's awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerabilities Rewards Program (VRP) in 2010.
Google is not alone in making payouts to researchers who find bugs in its products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a large number of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook acknowledged over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.
Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The original number of bug submissions was much larger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about seven thousand validated vulnerabilities on client networks and services.
At present, more than 500 companies have established bug bounty programs under which they offer rewards and recognition to security researchers who discover security bugs in their websites and services. While some big companies like Google and Facebook manage the programs on their own, many others have enlisted the services of firms like Bugcrowd and HackerOne to do it for them.
A rising number of organizations have begun turning to crowd-sourced bug hunting because of its efficiency, says John Pescatore, director of emerging security threats at the SANS Institute.