IoT security flaws attract biggest payouts in bug bounty programs

Vulnerabilities in IoT devices pushing up average price for payments

Identifying security flaws in IoT equipment and letting manufacturers know about them can be a nice little earner for participants in bug bounty programs, according to recent reports.

For computer-savvy individuals with time and skills to spare, bug bounty programmes offer a chance to make some money on the side by scouting out flaws and glitches in IT systems and flagging them up to the companies concerned in return for a reward.

The thinking behind such programmes – run by General Motors, United Airlines, Starbucks, the Pentagon and many others – is that, rather than shoot the messenger, it’s better to give them a fair hearing and, in some cases, a tasty payout for their findings.

Now it turns out that reporting vulnerabilities in hardware and IoT targets earns bug bounty participants an above-average payout compared with other types of target.

A recent report, 2017 State of Bug Bounty, released by bug bounty platform Bugcrowd, finds that the average payout for vulnerabilities in hardware and IoT targets is around $750 per bug, compared with $385 for mobile apps. Overall, the average amount paid out across all types of bug is $451.

The top five industries embracing bug bounty programs include automotive, leisure/travel, IoT/computer networking, healthcare, and financial services, according to Bugcrowd’s third annual report. Programs in the automotive industry increased four-fold last year and average payouts were around $1,500 for each bug discovered and disclosed.

“Bug bounties are challenging traditional ways of thinking about cybersecurity,” said Casey Ellis, founder and CEO of Bugcrowd. “The model addresses the growing complexity and severity of vulnerabilities in software, hardware, and IoT devices – all of which form the foundation for today’s always-on digital economy.”

Bug bounty programs and prizes on the rise

In a separate report from rival bug bounty company HackerOne, The Hacker-Powered Security Report 2017, 41 percent of new bug bounty programs launched between January 2016 and January 2017 came from industries outside of the technology sector. Within technology, there was an increase in the number of IoT and smart home programs launched, as well as open-source projects.

Payouts for IoT flaws played a significant part in the growth in new bug bounty programs on HackerOne’s platform, up 59 percent from last year.

Customers’ security response efficiency is improving, too, with the average time-to-first-response for security issues down to six days in 2017, compared to seven days in 2016. The average bounty paid to hackers for a critical vulnerability is $1,923 in 2017, compared to $1,624 in 2015, an increase of 16 percent.

“Hacker-powered security programs are undeniably effective at finding vulnerabilities organizations never knew existed,” said Alex Rice, CTO and founder, HackerOne.
