top of page
Search
tafemyring1980

Dropbox Paid More Than $1 Million Via Its Bug Bounty Program



HackerOne has put together more than 1,300 such programmes since it was founded in 2012, paying out more than US$49 million to its hackers. There currently are more than 390,000 registered hackers on its network. In Singapore, it has worked with clients such as the Ministry of Defence, GovTech, and Grab.




Dropbox paid more than $1 Million via its bug bounty program




HackerOne CEO Marten Mickos expressed hopes of hitting US$100 million in paid bounties by end-2020, which would coincide with his aspirations to also have a community of 1 million ethical hackers on its platform. By then, the company expects to have helped its clientele identify and fix more than 200,000 vulnerabilities, including 16,000 bugs of critical severity.


At 19, Cable has been a HackerOne member for the past three years and participated in more than 100 bug bounty programmes, including for Google, Facebook, and the US Department of Defence. To date, he has identified more than 250 vulnerabilities, including more than 30 involving the US Airforce. The bounties he earns have gone towards funding his college education, but he declined to reveal how much he has raked in so far.


Kaung, who is from flew in from Myanmar, has participated in more than 40 programmes, including another live event in New York, since joining HackerOne just under two years ago. His current tally clocks at some 100 vulnerabilities and he, too, found five vulnerabilities before the start of the Dropbox live hacking event.


He also declined to reveal how many hacking attempts Dropbox detected and blocked a day, but said its global user base of more than 500 million meant the challenges it faced were experienced by few other companies globally. He also declined to detail how many hacking attempts originated from Asia or how many of its users were from Asia.


Litchfield is the site's top-ranked vulnerability researcher and a fitting poster boy for a fast-evolving profession. With a close-cropped, military style haircut, he favors torn jeans and rock-n-roll T-shirts. He keeps himself well stocked with Marlboro Reds, an anathema in Silicon Valley where smoking is an express ticket to social Siberia. But Litchfield can afford to buck convention, having collected more than $300,000 in bounties through that firm since the company launched its bounty platform in 2013.


The website Bugsheet lists 369 bug bounty programs hosted by companies ranging from Adobe to Zynga. Less than half (153) offer paid bounties, with most (Including Adobe) simply rewarding researchers with public acknowledgment or swag. But that list is almost certainly too short, as it doesn't include the many, lucrative private bounty programs that sites like HackerOne host.


HackerOne has 350 customers in total and hosts "hundreds of programs in invitation-only mode," according to Katie Moussouris, the chief policy officer at HackerOne. To date, the company's platform has reported more than 10,000 vulnerabilities to sponsor companies, she said.


Despite flaws, vulnerability markets will tend to benefit society, rather than harm it, argue many experts and practitioners in the space. "The proliferation of bug bounty programs is good for security," said Moussouris of HackerOne. "This is about the globalization and democratization of security talent."


He started reporting security weaknesses to companies through HackerOne bug bounty programmes in 2015, and has since reported more than 1,600 security flaws to organisations, including Twitter and Verizon Media Company, as well as private corporate and government initiatives.


While offering bug bounties may be more cost effective than hiring in-house security researchers, it involves trust, ethics and corporate responsibility among all parties involved. Some companies (like Apple) make participation in their programs accessible via invite only. Programs that are opened publicly benefit from more eyes, but may suffer from slow response process due to excessively high submission rates.


HackerOne, the platform for running and managing security bug bounty programs, today announced that it has closed a $25 million round led by New Enterprise Associates. This figure brings the total amount raised to $34 million, more than tripling the $9 million series A round led by Benchmark in May 2014.


Major tech companies that use HackerOne include Yahoo, Twitter, Adobe, Dropbox, LinkedIn, Square, Airbnb, Slack, Snapchat, Mail.ru, Qiwi, and Vimeo. Across all its clients to date, HackerOne says it has helped find nearly 10,000 security holes, paying over $3.12 million in bounties to more than 1,500 independent security researchers.


In May 2017, DoD extended the program to "Hack the Air Force". This program led to the discovery of 207 vulnerabilities, netting more than $130,000 (USD) in paid bounties. As of the end of 2017, DoD has learned of and fixed thousands of vulnerabilities through their vulnerability disclosure initiatives.[24]


Google reported recently that it paid $3.4 million in 2018 to hackers through its Vulnerability Reward Program. The details: 1,319 reported bugs by 317 researchers from 78 countries. The largest single reward was $41,000. Not exactly megabucks, although the biggest bounty paid in 2017 was close to three times that, at $112,000.


Dish Network is a little more than a year away from completing its narrowband IoT network, a project estimated to cost $500 million to $1 billion. The company is also planning to build a stand-alone 5G network, which may cost around $10 billion.


Google reports it has paid out more than $15 million since launching its bug bounty program in November of 2010. In 2018 alone, it distributed $3.4 million to 317 security researchers, compared with $2.9 million paid to 274 researchers in 2017. Last year, $1.7 million went to reward the discovery of vulnerabilities in the Android and Chrome operating systems.


Automotive/MobilityAmazon led an investment of $700 million in Rivian Automotive of Plymouth, Mich., in a deal that would possibly value the electric pickup truck manufacturer at up to $2 billion. Reuters earlier reported that Amazon and General Motors would be investors in the startup, citing people familiar with the matter. Amazon also participated in the $530 million funding round received by Aurora Innovation, another startup working on advanced automotive technology. Rivian previously raised more than $200 million in debt financing by Standard Chartered Bank and Sumitomo Corporation of America.


On crowdsourcing platforms, network infiltration testing uses a worldwide group of ethical hacking experts to reveal a bigger number of vulnerabilities than what regular penetration testing can convey. Using a bug bounty model and combining it with automation, the platforms are helping spread all conceivable attack situations including business logic flaws and filling the hole left by software-led security testing for web, mobile, desktop applications, APIs, network systems and more.


While numerous organisations disregarded their findings, the COO of Facebook, Sheryl Sandberg, forwarded the findings to her head of product security, Alex Rice. Rice, Abma and Prins associated, and together with Merijn Terheggen established HackerOne in 2012. Today, more Fortune 500 and Forbes Global 1000 organisations trust HackerOne than any other hacker-enable ethical hacking network. It has more than 1,600 client programs running, including The U.S. Division of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, Qualcomm, Starbucks, Dropbox and many others. HackerOne has found more than 140,000 vulnerabilities and grant over US$71 million in bug bounties to a developing network of more than 550,000 programmers. For companies that discovered vulnerabilities before they were misused utilising HackerOne, Forrester discovered advantages of up to $1.6 million and an ROI of up to 646%.


Finally, any time saved by bug bounty hunters finding issues rather than your team having to trawl through your program to find the route of the problem can be spent on other tasks. More effort can be put towards fixing and improving your service instead of just digging to the cause of an error or weakness.


The US Internet Crime Complaint Center (IC3) breaks down complaints and costs according to age group, state, and type of crime. It received over 2 million complaints in the past five years, totalling losses of more than $13 billion. (IC3 Internet Crime Report 2020)


HackerOne is the #1 hacker-powered pentest & bug bounty platform, helping organisations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. With more than 1,760 customer programs, including The U.S. Department of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, HackerOne has helped to find over 150,000 vulnerabilities and award more than $80M in bug bounties to a growing community of over 600,000 hackers. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore.


"Our bug bounty program is set up specifically to encourage this type of reporting, as well as more in-depth research from the security community. In this case, the customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels," Tesla said in a statement to El Reg.


Following a ransomware attack on the Universityof California San Francisco (UCSF) lastmonth, officials have decided to pay a ransom of $1.14 million to decrypt severalvital systems. The ransom amount was decided upon after negotiations betweenthe university and the attackers. The original ask was around $3 million butwas cut to less than half and was paid the following day. UCSF is one of three universitiestargeted with ransomware by the Netwalker hacker group in June that decided topay a ransom to restore normal network function. 2ff7e9595c


1 view0 comments

Recent Posts

See All

Comments


bottom of page