Defend Your Organisation’s Security with a Bug Bounty Program
Big Tech is all in for bug bounty programs while global cyberattacks are increasing. While we can’t control the number of hackers or their intent to breach our systems, we can identify vulnerabilities in our systems and implement strategies that secure them. To start, it’s best to get into the minds of the hackers.

Bug Bounty Programs
A bug bounty program offers a monetary incentive to ethical hackers: IT security experts who test computer networks and systems with the permission of their owners. Ethical hackers are tasked with identifying and reporting vulnerabilities and bugs. These programs enable organisations to leverage the hacker community to enhance the organisation’s security posture.

A Romanian ethical hacker, Cosmin Iordache, also known as @inhibitor181, has earned over $2 million through HackerOne, the global cybersecurity organisation that pioneered the first bug bounty program through its ethical hacker community. Top hackers who are part of bug bounty programs can even earn a full-time salary. But these hackers aren’t in it just for the money. They often receive industry commendations, which solidifies their reputation as skilled, reliable, and trustworthy for organisations to work with.

One major advantage that sets bug bounty programs apart from other forms of testing is that they are a continuous process. From an organisation’s perspective, bug bounty programs, alongside penetration testing, form strong security assessments to fortify the organisation.

Who’s Running These Programs?
Let’s review bug bounty programs sponsored by three leading high-tech organisations. Each organisation receives valuable information for defending its IT infrastructure against cyberattacks in exchange for the rewards it provides to white hat hackers.

Google
Google runs one of the most popular bug bounty programs. The Google Vulnerability Reward Program compensates white hat hackers for reporting vulnerabilities on Google-owned or Alphabet subsidiary web services that handle sensitive user data. Rewards are based on the impact of the reported issue. Vulnerabilities that qualify are cross-site scripting, cross-site request forgery, mixed-content scripts, authentication or authorisation flaws, and server-side code execution bugs. Prize money ranges from $100 to $31,337 based on the reported vulnerability.

Apple 
Apple’s bug bounty program offers rewards for reporting issues on Apple devices, software, or services. Its compensation is based on reported vulnerabilities and can range from $5,000 to $1 million.

Issues unique to newly added features or code in developer and public beta releases, including regressions, are rewarded with an additional 50% bonus, up to $1.5 million, and vulnerabilities reported during Lockdown Mode are given a 100% additional bonus, up to $2 million.

ManageEngine
ManageEngine runs a Vulnerability Reward Program (VRP) to continuously improve the security of its products. To join ManageEngine’s VRP, you must be 14 years or older and cannot be a resident of US-sanctioned countries. You cannot be an employee of Zoho Corporation or have been employed by Zoho Corporation within six months of your participation in the bug bounty program, and you cannot be related to a Zoho Corporation employee. ManageEngine’s bug bounty rewards are based on the severity of the issues reported and compensation ranges from $50 to $3,000.

How Do You Run a Successful Bug Bounty Program?
You can run an effective bug bounty program if you follow these steps:

  • Start with determining the scope and budget of the program.
  • Decide on competitive payouts that demonstrate to the hacker community (and to your customers) that you value your organisation’s security.
  • Categorise vulnerabilities based on their impact and assign a base reward value accordingly.
  • Ensure that this testing doesn’t hinder your organisation’s day-to-day business operations by keeping certain domains off-limits. Implement this step at your sole discretion.
  • Develop detailed terms and conditions regarding what the hacker can test.
  • Create a webpage with details on how the test will be conducted as well as the terms and conditions regarding the rewards program.

Key Takeaways
Many organisations regularly test their security systems to identify vulnerabilities. Placing this task in the hands of external teams of white hat hackers is one way to ensure your organisation stays informed and can successfully defend against the ever-evolving strategies of today’s cyberattacks. In the current tech landscape, these imperative security measures might save your organisation thousands if not millions of dollars in financial losses, and they may end up protecting your organisation’s business reputation.

Taking notes from Big Tech companies such as Google, Apple, and Meta, it’s time for you to run a bug bounty program and safeguard your company against critical vulnerabilities.

Positive Technologies Study Reveals Successful Cyberattacks Nett 5X Profits
Positive Technologies has released a study on the dark web market, analysing prices for illegal cybersecurity services and products, as well as the costs incurred by cybercriminals to carry out attacks. The most expensive type of malware is ransomware, with a median cost of $7,500. Zero-day exploits are particularly valuable, often being sold for millions of dollars. However, the net profit from a successful cyberattack can be five times the cost of organizing it.

Experts estimate that performing a popular phishing attack involving ransomware costs novice cybercriminals at least $20,000. First, hackers rent dedicated servers, subscribe to VPN services, and acquire other tools to build a secure and anonymous IT infrastructure to manage the attack. Attackers also need to acquire the source code of malicious software or subscribe to ready-to-use malware, as well as tools for infiltrating the victim’s system and evading detection by security measures. Moreover, cybercriminals can consult with seasoned experts, purchase access to targeted infrastructures and company data, and escalate privileges within a compromised system. Products and tools are readily available for purchase on the dark web, catering to beginners. The darknet also offers leaked malware along with detailed instructions, making it easier for novice cybercriminals to carry out attacks.

Malware is one of the primary tools in a hacker’s arsenal, with 53% of malware-related ads focused on sales. In 19% of all posts, infostealers designed to steal data are offered. Crypters and code obfuscation tools, used to help attackers hide malware from security tools, are featured in 17% of cases. Additionally, loaders are mentioned in 16% of ads. The median cost of these types of malware stands at $400, $70, and $500, respectively. The most expensive malware is ransomware: its median cost is $7,500, with some offers reaching up to $320,000. Ransomware is primarily distributed through affiliate programs, known as Ransomware-as-a-Service (RaaS), where participants in an attack typically receive 70–90% of the ransom. To become a partner, a criminal must make a contribution of 0.05 Bitcoin (approximately $5,000) and have a solid reputation on the dark web.

Another popular attack tool is exploits: 69% of exploit-related ads focus on sales, with zero-day vulnerability posts accounting for 32% of them. In 31% of cases, the cost of exploits exceeds $20,000 and can reach several million dollars. Access to corporate networks is relatively inexpensive, with 72% of such ads focused on sales, and 62% of them priced at under a thousand dollars. Among cybercriminal services, hacks are the most popular option, accounting for 49% of reports. For example, the price for compromising a personal email account starts at $100, while the cost for a corporate account begins at $200.

Dmitry Streltsov, Threat Analyst at Positive Technologies, says, “On dark web marketplaces, prices are typically determined in one of two ways: either sellers set a fixed price, or auctions are held. Auctions are often used for exclusive items, such as zero-day exploits. The platforms facilitating these deals also generate revenue, often through their own escrow services, which hold the buyer’s funds temporarily until the product or service is confirmed as delivered. On many platforms, these escrow services are managed by either administrators or trusted users with strong reputations. In return, they earn at least 4% of the transaction amount, with the forums setting the rates.”

Considering the cost of tools and services on the dark web, along with the median ransom amount, cybercriminals can achieve a net profit of $100,000–$130,000 from a successful attack—five times the cost of their preparation. For a company, such an incident can result not only in ransom costs but also in massive financial losses due to disrupted business processes. For example, in 2024, due to a ransomware attack, servers of CDK Global were down for two weeks. The company paid cybercriminals $25 million, while the financial losses of dealers due to system downtime exceeded $600 million.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.