As many as 93 percent of companies in the Forbes Global 2000 list don’t include a vulnerability disclosure policy among top business concerns, according to HackerOne’s The Hacker-Powered Security Report 2018, a deep dive into bug bounty and vulnerability disclosure in the financial services and insurance industries.
Organizations in the sector deal with tremendous amounts of personal data and a hack could put their customers at serious risk. Overall, VDPs and bug bounty programs have increased 14 percent from 2017. As expected, though, 47 percent of companies in the tech field are more aware of the risks posed by the threat landscape and have gradually invested in bug bounty programs to ensure the safety of their services and infrastructure.
According to the HackerOne report, companies in other, just as critical, industries are slowly tapping bug bounty programs. For example, businesses in the financial services and insurance sectors are in fourth position, with 8 percent of current bug bounty programs taking place in their industries. Telecommunications companies come second, with 24 percent introducing bug bounty or vulnerability disclosure policies.
According to the report, “the financial service and insurance industry’s coverage is nearly identical to that of the broader Global 2000, with approximately 93% of organizations in this industry lacking a public VDP. While leaders like American Express, Citigroup, JPMorgan Chase, ING, and TD Ameritrade have public VDPs, nearly every other financial service and insurance organization on the list does not.”
Last year, the US Department of Justice released a set of guidelines to help companies with vulnerability disclosure programs, as well as a bill that specifically demands such programs for IoT ecosystems. Software weaknesses are not to be taken lightly: enterprises are strongly encouraged to set up vulnerability disclosure policies and collaborate with ethical hackers to reduce risks and patch vulnerabilities before their products and services are released into the wild.
Goldman Sachs and American Express are leading the way, by making vulnerability disclosure policies a top priority, but all companies should immediately prioritize this to fix critical software weaknesses. According to the report, “nearly 1 in 4 hackers have not reported a vulnerability they found because the company didn’t have a channel to disclose it.” The numbers won’t improve unless VDP adoption is taken more seriously to encourage ethical hackers to take part in bug bounty programs and submit reports.
True, tech companies are among the best paying when it comes to bug bounty programs, but financial services and insurance companies are slowly catching up, having also paid a top financial award of $18,000, with total spending on bounties of $1.4 million, found HackerOne.
Even though the financial services and insurance industry pays an average of $1,118 per critical bug, double the amount paid in 2017, some industries will end up paying more. Even so, they are highly committed to patching security bugs immediately, rushing to solve all risks and paying hackers in only a matter of days for their services.