Bounties and breaches

by Mark Rowe

Four major data breaches, which cost about £265m in damages in total, could have been prevented for as little as £9,600 collectively, a bug bounty and penetration testing platform claims. The estimate is based on the average rewards paid to hackers who have found the same kinds of vulnerabilities through a bug bounty scheme, in which hackers hunt for cyber vulnerabilities, report them to the organisation before cyber-criminals can exploit them, and are paid for doing so.

The UK data privacy regulator, the ICO, recently announced that it may fine British Airways up to £183m for a data breach in which the personal data of over half a million customers was stolen. It is thought that attackers gained access to British Airways’ systems via a third-party JavaScript vulnerability, which, on the bug bounty market, carries a value of anywhere between £4,000 and £8,000, according to HackerOne.

The company studied the costs, lawsuits and fines associated with the data breaches that affected British Airways (2018), TicketMaster (2018), Carphone Warehouse (2018) and TalkTalk (2015), and compared them with the bounty prices associated with the vulnerabilities exploited in those breaches. Overall, the breaches cost the four organisations £265.4m; however, had the vulnerabilities been identified and responsibly disclosed by hackers as part of a bug bounty program, the organisations would collectively have had to pay out only between £9,600 and £32,000 based on average bug bounty prices, the pen-testing firm says.

Prash Somaiya, security engineer at HackerOne, says: “Attack surfaces are growing all the time, and it’s a significant challenge just trying to stay ahead of cybercriminals. The most secure organisations realise there are many ways to identify where they are most vulnerable. By running bug bounty programs and asking hackers to find their weak spots, our customers have safely resolved over 120,000 vulnerabilities before a breach could occur. This research is a rough estimate on bounty prices, based on our existing programs across the same industries, but it does highlight that companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities.”

Visit: https://www.hackerone.com/blog/hackerone-top-10-most-impactful-and-rewarded-vulnerability-types. Users of San Francisco-based HackerOne services include the United States federal Department of Defense, General Motors, Google, Goldman Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox and Intel.

© 2024 Professional Security Magazine. All rights reserved.