Why a bug bounty could be your best investment

Fines, lawsuits, downtime — security breaches can cost hundreds of millions. A bug bounty can cost just thousands.
24 October 2019

Bug hunters can save businesses, and everyone’s a winner. Source: Shutterstock

Numerous multinationals have been casualties to cyberattacks this year, as malicious hackers become ever more sophisticated in their means. 

These breaches can have a lasting impact on the privacy of sensitive data — particularly individuals’ data — and the damage to reputation tends to linger. That’s not to mention the cost of lawsuits, fines, and lost future company value.

The 2018 data breach of British Airways, for example, is still being talked about as a current case study in cybersecurity articles… 

The global airline was fined £183.39 million (US$228.14 million) by the ICO (Information Commissioner’s Office) after a third-party JavaScript vulnerability was exploited to divert customers to a fraudulent site. There, cybercriminals were able to steal payment card details and personal data from some 500,000 passengers.

But according to estimates by bug bounty and pen-testing platform HackerOne, all this could have potentially been avoided with a sum of just £4,000 (US$5,150).

The stat came as part of research by the firm into four major breaches — British Airways (2018), TicketMaster (2018), Carphone Warehouse (2018) and TalkTalk (2015) — which cost the organizations a combined £265.4 million (US$342 million).

Studying the nature of each of the breaches, HackerOne estimated that, had the vulnerabilities been identified and responsibly disclosed by hackers as part of a bug bounty program, the organizations would collectively have had to pay out only between £9,600 and £32,000, based on average bug bounty prices (see table below).

Cost of a data breach versus the cost of the vulnerability. Source: HackerOne

| Data Breach        | Cost / Fine  | Vulnerability Exploited             | Bug Bounty Market Value |
|--------------------|--------------|-------------------------------------|-------------------------|
| British Airways    | £183 million | Third-party JavaScript vulnerability | £4,000 – £8,000         |
| Carphone Warehouse | £400,000     | Out-of-date WordPress interface     | £81 – £8,000            |
| TicketMaster       | £5 million   | Third-party JavaScript vulnerability | £4,000 – £8,000         |
| TalkTalk           | £77 million  | SQL injection                       | £1,600 – £8,000         |

“Attack surfaces are growing all the time, and it’s a significant challenge just trying to stay ahead of cybercriminals. The most secure organizations realize there are many ways to identify where they are most vulnerable,” said Prash Somaiya, Security Engineer at HackerOne.

Through its bug bounty programs, HackerOne claims to have resolved over 120,000 vulnerabilities for its customers, any of which could have paved the way for a damaging cyberattack.

Somaiya added that while the bug bounty rates were “rough estimates” based on its existing programs across the same industries, “it does highlight that companies can save millions and reduce risk by being proactive.”

The firm’s security report revealed just how effective bug bounties can be: hackers reported the first valid vulnerability within 24 hours in 77 percent of cases, and 25 percent of those vulnerabilities were classified as high or critical severity.

Not only can these programs highlight areas of an organization’s cyber defenses that need fortification, but they also incentivize hackers to practice and compete with their skills “for good” by making the internet more secure, and to be rewarded for their work.

HackerOne has paid out over US$70 million in bounties to whitehat hackers around the world — with its highest-paid hacker earning US$1 million, according to the firm’s CEO. The highest single bounty paid out to one hacker on the platform was US$100,000.