More FIs Paying More for Bug Bounties, Report Says

It’s no secret financial services and insurance companies hold some of the most sensitive personal and financial data that hackers desire and target regularly.

Although the entire industry has paid just $1.4 million in bug bounties to date, more than half that amount was paid out in just the past year, according to a recent report from HackerOne.

The Hacker-Powered Security Report for 2018 includes analysis of 78,275 security vulnerability reports filed over the past year by ethical hackers through more than 1,000 HackerOne programs.

Financial services and insurance ranked fourth among all industries, accounting for 8% of all new programs launched, far behind technology but well ahead of government, retail, and transportation.

“While adoption of hacker-powered security is growing faster than ever, there is significant room for improvement,” the report said. “This is especially true in this industry, considering the potentially devastating impact—to individuals, organizations, and entire economies—any security breach could have.”

The industry pays low bounty amounts for critical bugs. Its average reward this year, $1,118, is roughly double last year's $646, but it still trails what a third of the leading industries pay out. For comparison, government programs pay an average of $3,892 and the tech industry an average of $3,635.

However, the industry posted the second-fastest average time to resolve bugs.

“This reflects a desire to fix bugs as soon as possible, quickly mitigating any potential risk,” the report said. “It also reflects a significant increase from the previous year, nearly cutting the average in half.”

Payment to hackers is also fairly fast, at an average of 19 days, within days of the fastest industries; rewards typically arrive less than 3 weeks after a bug is first reported.

“This speed attracts more and better hackers, and is literally weeks faster than some other industries,” the report said. “It’s also more than a week faster than the previous year’s average.”

The top bounty awarded in the past year by a financial services or insurance organization, $18,000, sits near the middle of the pack across industries, though well below the $75,000 top bounty paid by the tech industry.

“It did, however, nearly double year over year,” the report continued.

According to the 2017 Cost of Cyber Crime Study by Accenture and Ponemon Institute, financial services had the highest average annualized cost of cybercrime, at nearly $18.3 million, out of 15 major industries.

The study also found that companies deploying security intelligence systems save an average of $2.8 million a year; investment in other security technologies and measures yields smaller savings, the study said.

The HackerOne report says more financial companies are prioritizing hacker-powered security against cyber risk, including Goldman Sachs, American Express, Lending Club, Coinbase, and Augur.

According to the report, Goldman Sachs is one of the few financial services and insurance organizations with a public vulnerability disclosure policy (VDP), often described as the "see something, say something" of the internet.

“Their security team is extremely fast at following up with discoverers, with an average response time of just 5 hours,” the report said of Goldman Sachs. “And a full resolution of bugs is typically completed in just 29 days. In the first 3 months of their public VDP being listed on HackerOne, Goldman Sachs resolved 20 vulnerabilities and thanked 9 hackers.”

The report said the industry overall has just 7% public VDP coverage, compared to the 47% of technology companies that have public VDPs.

A VDP tells hackers where and how to submit vulnerability reports, and how the organization will handle those reports once received.

Nearly 1 in 4 hackers have not reported vulnerabilities they found because the company didn’t have a channel for disclosure, according to the report.

“Having a VDP in place reduces the risk of a security incident and places the organization in control of what would otherwise be a chaotic or nonexistent workflow,” the report said.
