Reducing risks with a bug bounty program


By: Prash Somaiya, Technical Program Manager at HackerOne

Data breaches can cost millions in damages and fines and have a devastating impact on customer trust, reputation, and finances. The Information Commissioner's Office (ICO) in the United Kingdom (UK) recently announced its intention to fine British Airways approximately US$230 million for a data breach last year in which the personal data of over half a million customers was stolen. Attackers are believed to have gained access via a third-party JavaScript vulnerability, a class of bug that, on the bug bounty market, carries a value of between US$5,000 – US$10,000.

We recently analysed the costs of four major data breaches and compared them with the bounties typically paid for the classes of vulnerability exploited in those breaches. The research studied the costs, lawsuits and fines associated with the data breaches that affected British Airways (2018), TicketMaster (2018), Carphone Warehouse (2018) and TalkTalk (2015). Overall, the breaches cost the four organisations more than US$341 million. Had the vulnerabilities instead been identified and responsibly disclosed by hackers through a bug bounty program, the organisations would collectively have paid out only between US$12,340 – US$42,000, based on average bug bounty prices.

This research is a rough estimate, based on bounty prices across our existing programs in the same industries, but it does highlight that organisations working with hackers today to identify and resolve vulnerabilities may be saving millions compared with the cost of a breach.

The following figures show the cost of each individual breach alongside the average bug bounty price for the type of vulnerability exploited in it.

Cost of a Data Breach versus the Cost of a Vulnerability

  1. British Airways
  • Cost / Fine: US$230 million
  • Vulnerability Exploited: Third-party JavaScript vulnerability
  • Bug Bounty Market Value: US$3,000 – US$10,000
  2. Carphone Warehouse
  • Cost / Fine: US$515,000
  • Vulnerability Exploited: Out-of-date WordPress interface
  • Bug Bounty Market Value: US$104 – US$10,000
  3. TicketMaster
  • Cost / Fine: US$6.5 million
  • Vulnerability Exploited: Third-party JavaScript vulnerability
  • Bug Bounty Market Value: US$3,000 – US$10,000
  4. TalkTalk
  • Cost / Fine: US$99 million
  • Vulnerability Exploited: SQL Injection
  • Bug Bounty Market Value: US$5,000 – US$10,000

By running bug bounty programs and asking hackers to find their weak spots, our customers have safely resolved over 140,000 vulnerabilities before a breach could occur. This year, HackerOne's Hacker-Powered Security Report revealed that when a new bug bounty program is launched, hackers report the first valid vulnerability within 24 hours in 77% of cases, and that 25% of valid vulnerabilities are classified as high or critical severity. As a result, organisations around the world are seeing significant value in running bug bounty programs with hackers.