Mark Litchfield is the first ethical hacker from the UK, and among six in the world, to rack up $1m (£820,000) in earnings from hacking into government and top private sector organisations.
A bug bounty is a monetary award given to a hacker who finds and reports a valid security weakness to an organisation so it can be safely resolved.
“Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said Litchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra money along the way and make the internet a much safer place for people.”
Ethical hackers’ road to riches has been accelerated by the fact that bug bounty payments for vulnerabilities have increased by 65% on average in the past year, driven by the fact that 25% of all resolved vulnerabilities in the past year have been classified as high to critical severity.
The most competitive bug bounty programmes, such as those run by Google, Microsoft, Apple and Intel, offer individual awards as high as $1.5m for critical issues.
All six millionaire hackers have been reporting vulnerabilities through bug bounty programmes run by HackerOne, a hacker-powered pentesting and bug bounty platform that is supported by six of the top 10 banks in North America and organisations such as Airbnb, the US Department of Defense, Goldman Sachs and Spotify.
In total, HackerOne members have earned $21m in the past year, an increase of $10m, or 90%, on the previous year.
The first millionaire ethical hacker was Santiago Lopez, a 19-year-old from Argentina. He is now joined by Briton Mark Litchfield, Nathaniel Wakelam from Australia, Frans Rosen from Sweden, Ron Chan from Hong Kong, and Tommy DeVoss from the US.
The news is underscored by findings published today in HackerOne’s 2019 Security report, which demonstrates the momentum in the industry.
According to the report, more than 123,000 unique valid vulnerabilities have been resolved through the platform to date, with 25% of those – 30,541 – resolved in the past year alone, which equates to a hacker reporting a vulnerability every five minutes.
Every 60 seconds, a hacker partners with an organisation on HackerOne, resulting in more than 1,000 interactions a day with hackers and companies or governments.
According to the report, hacker-powered pen tests have helped one organisation eliminate $156,784 in total costs and save a further $384,793 over three years by reducing internal security and application development efforts.
But despite the success of the HackerOne programmes, Katie Moussouris, bug bounty pioneer and CEO of Luta Security, believes that although targeted bug bounties have a role to play in cyber security, they are not a “silver bullet”, and run the risk of wiping out talent pipelines if poorly implemented, by providing incentives for people with cyber security skills to work outside organisations in pursuit of bounties.
According to the report, the number of hacker-powered security programmes has grown by at least 30% in each region of the world, with Latin America leading the pack again with year-on-year growth of 41%, followed by North America with 34%, Europe, Middle East and Africa (EMEA) with 32%, and APAC 30%.
Organisations located in the US paid 83% of all bounties to hackers around the globe – the same share as last year. Canada-based organisations remain in second place, while those in the UK are third, both maintaining their positions from last year. Israel and Belgium entered the top 10 highest-paying countries for the first time.
In terms of the most impactful and rewarded vulnerability types, the report highlights that:
- The technology world’s mass migration to the cloud has resulted in increased risks from vulnerabilities such as server-side request forgery (SSRF).
- Despite the ever-growing attention on protecting user privacy and data, information disclosure vulnerabilities are still common.
- Less than half of this year’s HackerOne Top 10 vulnerabilities overlap with the OWASP Top 10 application vulnerabilities.
- Highly impactful vulnerabilities, such as SSRF, IDOR (insecure direct object reference) and privilege escalation, are harder to find but continue to be the most valuable vulnerabilities based on bounties awarded.
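To make two of the vulnerability classes named in the report concrete, here is an added illustration (not code from the article, HackerOne, or any of the organisations mentioned) of what an IDOR and an SSRF defect look like in a minimal web handler, beside the checks that close them. The invoice records, user names, hostnames and the offline resolver are all constructed for the example.

```python
"""Added example: an IDOR lookup and an SSRF fetch, vulnerable and hardened.
Everything here (records, users, hostnames, resolver) is constructed."""
from urllib.parse import urlparse
import ipaddress

# Constructed sample data: invoices owned by two different users.
INVOICES = {
    101: {"owner": "alice", "total": "42.00"},
    102: {"owner": "bob", "total": "17.50"},
}


def get_invoice_idor(current_user, invoice_id):
    """Vulnerable (IDOR): the record is looked up by id alone, so any
    authenticated user who guesses another id reads someone else's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(current_user, invoice_id):
    """Hardened: the lookup is scoped to the caller, so an id that belongs
    to another user yields 'not found' instead of their data."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


# Constructed allowlist of hosts the server is permitted to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def _resolve(hostname):
    """Constructed stand-in for DNS so the example runs offline.
    cdn.example.com deliberately resolves to a private address."""
    table = {
        "images.example.com": "93.184.216.34",   # constructed public address
        "cdn.example.com": "10.0.0.5",           # private: must be refused
        "internal.example.com": "10.0.0.7",
    }
    return table.get(hostname)


def is_safe_fetch_url(url, resolver=_resolve):
    """SSRF guard: only http(s), no embedded credentials, hostname on the
    allowlist, and the resolved address must not be internal/special."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return False
    addr = resolver(host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return True


if __name__ == "__main__":
    print("IDOR (vulnerable):", get_invoice_idor("alice", 102))
    print("IDOR (checked):   ", get_invoice_checked("alice", 102))
    for u in ("https://images.example.com/a.png",
              "https://cdn.example.com/a.png",
              "http://internal.example.com/admin",
              "file:///etc/passwd"):
        print(u, "->", is_safe_fetch_url(u))
```

The hardened fetch check validates the address the name resolves to, not just the name; for that to hold at fetch time, the HTTP client must connect to the address that was checked (or the resolver result must be pinned), otherwise a name that changes between check and use defeats the guard.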