Reducing Risk With a Bug Bounty Program
Data breaches can cost millions in damages and fines and have a devastating impact on customer trust, reputation, and finances. The Information Commissioner Office (ICO) in the United Kingdom (UK) recently announced its plans to fine British Airways approximately $230 million for a data breach that saw the personal data of over half a million customers stolen last year. Attackers are believed to have gained access via a third-party JavaScript vulnerability, which, on the bug bounty market, carries a value between $5,000 -$10,000.
We recently analyzed the costs of four major data breaches and compared them to the bounty prices associated with the vulnerabilities exploited in those breaches. The research studied the costs, lawsuits and fines associated with the data breaches that affected British Airways (2018), TicketMaster (2018), Carphone Warehouse (2018) and TalkTalk (2015). Overall, the breaches cost the four organisations more than $341 million. However, had the vulnerabilities been identified and responsibly disclosed by hackers as part of a bug bounty program, the organisations would have collectively only had to pay out between $12,340 - $42,000 based on average bug bounty prices.
Although this research is a rough estimate on bounty prices based on our existing programs across the same industries, it does highlight that organizations today that are working with hackers to identify and resolve vulnerabilities may be saving millions by identifying and resolving vulnerabilities.
We included the following table to show the costs associated with individual breaches and the average bug bounty price for the type of vulnerability exploited in those breaches.
Table 1. Cost of a Data Breach versus the Cost of a Vulnerability
Data Breach | Cost / Fine | Vulnerability Exploited | Bug Bounty Market Value |
British Airways | Third-party JavaScript vulnerability | $3,000 —$10,000 | |
Carphone Warehouse | Out-of-date WordPress interface | $104 — $10,000 | |
TicketMaster | Third-party JavaScript vulnerability | $3,000 —$10,000 | |
TalkTalk | SQL Injection | $5,000 —$10,000 |
By running bug bounty programs and asking hackers to find their weak spots, our customers have safely resolved over 140,000 vulnerabilities before a breach could occur. This year, HackerOne’s Hacker-Powered Security Report revealed that when a new bug bounty program is launched, hackers report the first valid vulnerability within 24 hours in 77 per cent of the cases, while 25 percent of valid vulnerabilities are classified as high or critical severity. As a result, organisations around the world are seeing significant value in running bug bounty programs with hackers.
For more information on the most impactful and rewarded vulnerabilities, please visit: https://www.hackerone.com/blog/hackerone-top-10-most-impactful-and-rewarded-vulnerability-types
The 7th Annual Hacker-Powered Security Report