Data breaches not only cost companies millions, but they also inflict reputational damage, customer turnover and operational costs. The average cost of a data breach has risen 6.4% to a global average of $3.86 million this year, according to research from the Ponemon Institute.
Companies that fell victim to major security incidents lost information worth between $1 million and $50 million, but once hidden expenses are counted, enterprises ultimately spend between $40 million and $350 million. The number of large-scale breaches resulting from malicious and criminal attacks has risen dramatically, to 16 in 2017, compared with only nine reported in 2013. But what if a business could work with the ethical hacker community to detect and resolve unknown security vulnerabilities?
To strengthen the security of their infrastructure, a number of enterprises and government agencies worldwide have launched bug bounty programs, hoping that hacker-powered security will help reduce cyber risk by detecting vulnerabilities that could otherwise be easily exploited. The US Department of Homeland Security, the Singapore Ministry of Defense and the EU Commission are among the most prominent government agencies to adopt vulnerability disclosure policies (VDPs).
As reported by HackerOne’s 2018 Hacker-Powered Security Report, as many as 72,000 security bugs were fixed in 2018 and $31 million in bounties were paid to hackers from more than 100 countries. In the past year alone, 116 critical vulnerabilities brought hackers more than $10,000 each.
“The world is embracing the highly skilled and creative hacker community to help reduce cyber risk,” said Marten Mickos, CEO of HackerOne. “A model once reserved for the largest, tech-advanced companies in the world, is now being implemented by organizations of any size, industry and connected corner of the globe. Hacker-powered security is reaching critical mass, and everyone is benefitting from a more secure internet.”
The highest average bounty payout for critical vulnerabilities is offered by government agencies, at $3,892, closely followed by technology companies ($3,635), telecom ($2,976), professional services ($2,719), transportation ($1,892), retail and e-commerce ($1,720), media and entertainment ($1,522), healthcare ($1,429), financial services and insurance ($1,118), consumer goods ($880) and, lastly, travel and hospitality ($668). Top bug bounty programs have increased payments by 33 percent.
VDPs have grown in popularity in the business world, with a 54 percent year-over-year increase, the report found, and companies including Goldman Sachs, Toyota and American Express are looking into launching VDPs in 2018. However, 93 percent of enterprises in Forbes’ top 2,000 still lack a public-facing VDP.